Your VPN Is a Nation-State Doorway: What Google's Defence Report Means for Every UK Business
Chinese state-sponsored hackers have exploited more than two dozen zero-day vulnerabilities in edge devices from ten different vendors since 2020. Not theoretical. Not "could happen." Already happened. Documented by Google Threat Intelligence Group in a report published yesterday, which should be mandatory reading for every UK business owner who's ever thought, "We've got a firewall, we're fine."
You're not fine. Your VPN, your router, your firewall: the very devices you bought to protect your network are the ones nation-states are walking straight through.
The Report That Changes the Conversation
Google Threat Intelligence Group's "Beyond the Battlefield" report landed on 10 February 2026, and it's a comprehensive demolition of every comfortable assumption UK businesses hold about their network perimeter. While the report focuses on threats to the defence industrial base, the implications cascade directly into every SMB supply chain in the country.
Here's what matters for your business: the report documents a deliberate, strategic shift by Chinese cyber espionage groups towards exploiting edge devices as their primary method of initial access. We're talking about the kit sitting in your server cupboard right now. VPN appliances. Firewalls. Routers. Security appliances. The devices that sit at the boundary of your network and, critically, the devices that don't support endpoint detection and response (EDR) monitoring.
Read that again. The devices you trust to protect your network perimeter are the exact devices your security tools can't monitor. Nation-state actors figured this out years ago. Most UK businesses still haven't.
393 Days. Let That Sink In.
The BRICKSTORM malware campaign, which Google suspects was conducted by the Chinese threat group UNC5221, had an average dwell time of 393 days. That's not a typo. Attackers were inside compromised networks for over a year on average before anyone noticed.
What can an attacker do in 393 days? Everything. Map your entire network. Steal every credential. Exfiltrate your intellectual property. Read every email. Understand your business relationships, your customers, your suppliers. And then use that knowledge to decide whether to sell access to a ransomware crew, steal your trade secrets, or use you as a stepping stone into your larger customers' networks.
The Mandiant M-Trends 2025 report backs this up with broader data. The most frequently exploited vulnerabilities in 2024 incident response investigations affected security devices placed at the edge of the network. Three of the top four vulnerabilities were first exploited as zero-days. Palo Alto Networks PAN-OS. Ivanti Connect Secure VPN. Fortinet FortiClient EMS. These aren't obscure products. These are the most common enterprise security devices on the planet.
And the exploitation numbers are staggering. According to the Verizon Data Breach Investigations Report 2025, there's been an eightfold increase in edge and VPN device vulnerability exploitation. Zero-day exploits against VPN devices jumped from 3% to 22% of all vulnerability exploitation incidents. The Zscaler ThreatLabz 2024 VPN Risk Report found that 91% of enterprises are now concerned about VPN security risks. They should be.
"But I'm Not a Defence Contractor"
This is the sentence I hear from every small business owner before the bad thing happens. And the Google report directly addresses why that thinking will get you breached.
Manufacturing has been the most represented sector on ransomware data leak sites since 2020. Not finance. Not healthcare. Manufacturing. The report notes that dedicated defence and aerospace organisations represent only about 1% of data leak site activity. But the broader manufacturing sector, which includes companies providing dual-use components for defence applications, is consistently the single biggest target.
Think about your supply chain for a moment. Do you know if any of your components end up in defence applications? Do your customers' customers supply to the defence sector? In most UK manufacturing supply chains, the answer is more complicated than anyone realises.
The report describes a significant 2025 ransomware incident affecting a UK automotive manufacturer that also produces military vehicles. Production was disrupted for weeks. More than 5,000 additional organisations were affected through the supply chain. One breach. Thousands of businesses impacted.
Here's the uncomfortable truth: attackers don't care about your company name. They care about what you're connected to. The Google report documents UNC5976, a suspected Russian espionage cluster, setting up hundreds of domains spoofing defence contractors, including companies headquartered in the UK. They're not just targeting the defence firms. They're targeting everyone connected to them.
Your Edge Devices Are the Problem, Not the Solution
Let me be brutally specific about why this matters for your 20-person business in Horsham or your 35-person operation in Leeds.
The China-nexus threat groups documented in this report, particularly UNC3886 and UNC5221, represent the most sophisticated network intrusion capabilities on earth. They have devoted extraordinary resources to finding and exploiting vulnerabilities in edge devices specifically because these devices offer three massive advantages to attackers.
First, reduced detection. Edge devices typically don't support the same security monitoring as endpoints. Your EDR platform watches your laptops and servers. It doesn't watch your VPN appliance. Attackers operating on edge devices are essentially invisible to your security tools.
Second, persistent access. UNC3886 deployed 17 distinct malware families in operations against defence targets. These aren't smash-and-grab criminals. They build long-term, resilient access that survives patching and rebooting. The Fortinet symlink backdoor issue saw 16,620 internet-exposed devices compromised with backdoors that survived firmware updates. Your "we patch everything" policy means nothing against that.
Third, strategic positioning. Edge devices sit at the boundary of your network. Compromising one gives you visibility into everything that passes through it. Credentials, email, file transfers, VPN sessions. It's the digital equivalent of owning the front door lock and being able to watch everyone who comes and goes.
We've already covered this pattern in our analysis of stolen credentials being the new normal. The M-Trends 2025 report showed stolen credentials as the leading initial access vector. Now add Google's evidence that nation-states are systematically compromising the devices those credentials pass through, and you've got a picture that should terrify every IT manager in the country.
The Human Layer Is Burning Too
The Google report doesn't stop at technical exploitation. It documents a parallel attack surface that's even harder to defend: your employees.
Chinese threat actor APT5 targeted current and former employees of major aerospace and defence contractors by sending spearphishing emails to their personal email addresses. Not work email. Personal. The lures were tailored with alarming precision: invitations to industry events, fake job offers, references to local high school community service forms, alumni tickets for a university baseball team, even fake Boy Scouts of America correspondence targeting employees known to be volunteers.
This is surveillance-grade targeting. These attackers researched their targets' personal lives, their children's schools, their hobbies, their university affiliations. And they used that information to craft phishing emails that bypassed every corporate security control because they never touched the corporate network.
We've written about Iranian hackers excelling at social engineering and North Korean IT workers infiltrating companies. The Google report confirms these aren't isolated threats. They're part of a converging landscape where nation-states attack the human layer alongside the technical layer, and they're getting better at both simultaneously.
The North Korean IT worker problem is especially relevant. The report confirms IT workers successfully infiltrated more than 100 US companies, including a California-based defence contractor developing AI technology. In one documented case, a Maryland-based individual was sentenced to prison for letting a suspected DPRK IT worker use his credentials to perform software development work on a US government defence programme.
If nation-states can infiltrate Fortune 500 companies through their hiring process, what chance does your HR department have?
The Hacktivists Are Real Too
One area many UK businesses dismiss is hacktivism. "That's political, nothing to do with us." Wrong.
The Google report documents pro-Russia hacktivist groups dedicating significant resources to targeting defence sector organisations, including DDoS attacks, network intrusions, and data leak operations. NoName057(16) has prolifically targeted government and private organisations involved in defence. PalachPro claimed to have targeted Italian defence companies and offered to sell exfiltrated data.
But here's what's relevant for UK SMBs: these hacktivist groups don't limit themselves to obvious targets. Pro-Russia hacktivists have targeted organisations across countries supporting Ukraine. If your business has any connection to defence supply chains, government contracts, or critical infrastructure, you're within their targeting scope. And their capabilities are real, as we covered in our analysis of Sweden's DDoS infrastructure attacks.
What the Bloody Hell Do You Actually Do About This?
Right. Enough doom. Here's what needs to happen in your business this month.
1. Audit every edge device you own. I mean physically locate and document every VPN appliance, firewall, router, and security device on your network perimeter. Check firmware versions against vendor security advisories. If you're running Ivanti, Palo Alto, Fortinet, or SonicWall products, check the NCSC advisories immediately. These are the exact products being targeted.
2. Assume your edge devices are compromised until proven otherwise. The 393-day dwell time statistic means attackers could be inside your network right now, and your security tools wouldn't know. Contact your MSP or security provider and ask specifically: "How are we monitoring our edge devices for compromise? What logging do we have? When did we last check for indicators of compromise on our VPN appliance?"
If the answer is vague, you have a problem.
3. Implement network segmentation behind your edge devices. If an attacker compromises your firewall, what can they access? If the answer is "everything," you've got a flat network, and you're one compromised credential away from a catastrophic breach. Segment critical systems. Separate your operational data from your general network traffic. Make lateral movement difficult, even if the perimeter is breached.
4. Deploy phishing-resistant MFA for all remote access. Traditional MFA is not enough. The M-Trends report explicitly recommends FIDO2 security keys for all remote access. SMS codes and authenticator apps can be bypassed by adversary-in-the-middle attacks. Hardware security keys cannot. Yes, they cost money. Yes, they're worth it.
5. Brief your staff on personal email targeting. The APT5 campaign targeting employees' personal emails is a wake-up call. Your corporate email security is irrelevant if attackers reach your finance director through their Gmail account. Staff awareness training must cover personal digital hygiene, not just corporate email phishing.
6. Know your supply chain position. Understand where your products and services end up. If any path leads to defence, aerospace, or critical infrastructure, you're a higher-value target than you think. And your larger customers will increasingly demand you prove your security posture.
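One way to make step 1 (the edge device audit) and the logging question in step 2 repeatable, as an added example that is not from the original post or from Google's report: a small Python script that holds a device inventory alongside a list of vendor advisories with affected firmware ranges, flags devices running affected firmware (critical when the flaw is known to be exploited and the device is internet-facing), and flags any device that is not forwarding its logs to a central collector. Every vendor name, model, firmware version and advisory identifier below is a constructed placeholder, not a real advisory; in practice you would populate the two lists from your own asset register and from the vendor or NCSC advisories.

```python
"""Edge-device audit helper (added example; all data below is constructed)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a dotted firmware string such as '7.0.12' into a comparable tuple.
    A non-numeric suffix ('7.0.12-hotfix1') is dropped after the leading digits."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


@dataclass
class Advisory:
    advisory_id: str        # placeholder identifier, not a real CVE or vendor advisory
    vendor: str
    product: str
    affected_from: str      # first affected release (inclusive)
    fixed_in: str           # first fixed release (exclusive upper bound)
    exploited_in_the_wild: bool


@dataclass
class EdgeDevice:
    name: str
    vendor: str
    product: str
    firmware: str
    internet_facing: bool
    logs_forwarded: bool    # sends syslog/telemetry to a central collector?


def is_affected(device: EdgeDevice, adv: Advisory) -> bool:
    """True when the device runs a release inside the advisory's affected range."""
    if (device.vendor, device.product) != (adv.vendor, adv.product):
        return False
    running = parse_version(device.firmware)
    return parse_version(adv.affected_from) <= running < parse_version(adv.fixed_in)


def audit(devices: List[EdgeDevice], advisories: List[Advisory]) -> List[Dict]:
    """Return findings ordered by severity: unpatched devices and logging gaps."""
    findings = []
    for dev in devices:
        hits = [a for a in advisories if is_affected(dev, a)]
        if hits:
            exploited = any(a.exploited_in_the_wild for a in hits)
            severity = "critical" if (exploited and dev.internet_facing) else "high"
            findings.append({"device": dev.name, "issue": "unpatched",
                             "severity": severity,
                             "advisories": [a.advisory_id for a in hits]})
        if not dev.logs_forwarded:
            # An edge device nobody collects logs from is the blind spot the post describes.
            findings.append({"device": dev.name, "issue": "no-central-logging",
                             "severity": "high" if dev.internet_facing else "medium",
                             "advisories": []})
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f["severity"]])


# Constructed inventory: hypothetical vendors, models and firmware versions.
INVENTORY = [
    EdgeDevice("hq-vpn-01", "ExampleVendor", "SSL-VPN Gateway", "7.0.12", True, False),
    EdgeDevice("hq-fw-01", "ExampleVendor", "NGFW", "10.2.9", True, True),
    EdgeDevice("branch-router-leeds", "OtherVendor", "Branch Router", "15.9.3", True, True),
    EdgeDevice("lab-fw-02", "ExampleVendor", "NGFW", "10.1.4", False, False),
]

# Constructed advisories: placeholder IDs and ranges, not real vulnerabilities.
ADVISORIES = [
    Advisory("ADV-EXAMPLE-001", "ExampleVendor", "SSL-VPN Gateway", "7.0.0", "7.0.14", True),
    Advisory("ADV-EXAMPLE-002", "ExampleVendor", "NGFW", "10.1.0", "10.2.5", False),
]

if __name__ == "__main__":
    for f in audit(INVENTORY, ADVISORIES):
        extra = f" ({', '.join(f['advisories'])})" if f["advisories"] else ""
        print(f"[{f['severity'].upper():8}] {f['device']}: {f['issue']}{extra}")
```

Run against the constructed data, the report puts the internet-facing VPN gateway on affected, actively exploited firmware at the top, followed by its missing log forwarding, then the internal lab firewall. The version comparison is deliberately numeric rather than a string comparison, because "7.0.9" sorts after "7.0.12" as text and would silently hide an unpatched box.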
How to Turn This Into Competitive Advantage
While your competitors ignore a Google Threat Intelligence report because "we're not a defence contractor," you can be the business that actually understands modern threat landscapes.
Win supply chain contracts. The report makes clear that defence primes and their Tier 1 suppliers will face increasing pressure to verify their supply chain's security. If you can demonstrate edge device monitoring, network segmentation, and phishing-resistant MFA before they ask, you're ahead of 90% of your competitors.
Differentiate on security maturity. "We monitor our edge devices, segment our networks, and use hardware authentication keys" is a concrete differentiator when your competitor's pitch is "we've got antivirus." As supply chain security requirements cascade down from defence through manufacturing into general commerce, early movers capture market share.
Justify premium pricing. Security-mature suppliers reduce risk for their customers. Risk reduction has quantifiable value. When your customer faces a choice between you (documented security posture, edge device monitoring, MFA hardware keys) and a competitor who can't answer basic questions about their firewall firmware version, the premium pays for itself.
Reduce insurance costs. Cyber insurers are increasingly sophisticated about edge device risk. Demonstrating proactive monitoring and hardening of perimeter devices directly impacts your risk profile and, consequently, your premiums. As we've discussed in our analysis of cyber insurance claims being denied, insurers are looking for exactly this level of security maturity.
How to Sell This to Your Board
You've just been handed the perfect board presentation on a plate. A Google Threat Intelligence report documenting nation-state attacks on UK businesses through their VPN appliances. Here's how to use it.
The opening line: "Google published a report yesterday documenting Chinese state hackers exploiting our exact type of network equipment to infiltrate UK businesses. Average time before detection: over a year."
The risk quantification: "If attackers are inside our network for 393 days, they access everything. Customer data, financial records, intellectual property, email. Our exposure under UK GDPR alone is up to £17.5 million or 4% of turnover. Our cyber insurance requires us to demonstrate we're monitoring for exactly this type of compromise."
The competitive angle: "Our larger customers are going to start requiring supply chain security audits. This report accelerates that timeline. If we invest now, we demonstrate compliance immediately when they ask. If we wait, we scramble under deadline pressure or lose the contract."
The investment ask: "Edge device monitoring, network segmentation review, and phishing-resistant MFA deployment. £15,000 to £40,000 depending on our current architecture. Prevents a breach that would cost us £200,000+ in incident response, regulatory fines, and customer losses."
The closer: "Nation-states are treating our VPN appliance as a doorway. Do we want to be the business that locked the door, or the one that left it wide open for 393 days?"
The Bottom Line
Google's "Beyond the Battlefield" report is the most comprehensive public documentation of how nation-states are systematically exploiting the devices UK businesses trust to protect them. Chinese groups have compromised edge devices from ten different vendors using more than two dozen zero-day vulnerabilities. Russian groups are spoofing UK defence contractor domains for credential harvesting. North Korean operatives are infiltrating companies through their hiring processes. And manufacturing remains the single most targeted sector on ransomware leak sites.
Your VPN appliance isn't a security control. It's a target. Your firewall isn't a barrier. It's an opportunity. Every edge device on your network that you're not actively monitoring is a door you've left unlocked for some of the most capable attackers on earth.
The question isn't whether your business is important enough to be targeted. It's whether your business is connected enough to be useful as a stepping stone to someone who is.
393 days. That's how long attackers sit inside networks before anyone notices. What's been happening inside yours?
| Source | Article |
|---|---|
| Google Threat Intelligence Group | Beyond the Battlefield: Threats to the Defense Industrial Base |
| Google Threat Intelligence Group | BRICKSTORM Espionage Campaign |
| Mandiant | M-Trends 2025: Annual Threat Report |
| Verizon | 2025 Data Breach Investigations Report |
| Zscaler ThreatLabz | 2024 VPN Risk Report |
| NCSC | Zero Trust Architecture Design Principles |
| NCSC | Supply Chain Security Guidance |
| IBM | X-Force Threat Intelligence Index 2025 |
| Infosecurity Magazine | UK Execs Warn Business May Not Survive Ransomware Attack |
| Google Threat Intelligence Group | China-Nexus Espionage ORB Networks |