From edge devices to deepfakes: Evolving threats to the defense industrial base

U.S. Air Force Senior Airman Kyla Gish, 349th Maintenance Squadron aircraft metals technician, grinds a piece of metal at Travis Air Force Base, California, on Feb. 11, 2026. (U.S. Air Force photo by Kenneth Abbate)

By Don Kauffman

What can sound like a Hollywood plot is increasingly showing up in real-world incident reporting: Adversaries are blending traditional intrusion tradecraft with business-process manipulation to gain access, generate revenue and create downstream disruption across the defense industrial base.

“It sounds more like a movie than reality, but it’s happening,” Cyber Focus host Frank Cilluffo said in a recent conversation with Luke McNamara, a deputy chief analyst with Google Cloud’s Mandiant Intelligence, as the two walked through Mandiant’s assessment of threats facing the defense ecosystem.

The discussion’s core message was not that any single tactic is brand new, but that several well-documented threat lines are persisting, scaling and converging — pushing risk outward from the largest defense primes into the broader manufacturing base and the vendors that sit at the edge of enterprise networks.

One of the most tangible examples is North Korean IT worker operations. McNamara described an ongoing pipeline in which individuals tied to North Korea seek remote roles using false identities, with tactics that can include deception in interviews and onboarding. The point is less about novelty than operational tempo: remote work, distributed hiring and contractor-heavy workflows create repeatable opportunities for adversaries to insert themselves into environments where access is granted as part of normal business. For organizations, that shifts the “human attack surface” from generic awareness training to the mechanics of recruiting, identity verification and privileged access on Day One.

The episode also underscored how manufacturing has functioned as a leading indicator for extortion-driven targeting. McNamara noted that manufacturing has been the most targeted sector for extortive activity visible on data-leak sites going back to 2020. In the defense context, that matters because the defense industrial base is not synonymous with a handful of marquee contractors. It includes the wide layer of component makers and dual-use suppliers — often smaller, less resourced and sometimes unaware they are part of a defense-relevant supply chain. A compromise at that layer can create cascading effects, from stolen designs to production delays that constrain capacity in a crisis.

McNamara’s research team highlighted a steady migration toward the network edge as the preferred entry point, particularly for sophisticated actors. Rather than relying solely on phishing, an approach that depends on social engineering and user behavior, adversaries are increasingly exploiting perimeter infrastructure such as VPNs, routers and email gateways. Those systems offer high-leverage access, and intrusions there can be harder to spot with traditional internal monitoring: appliances generally cannot run the endpoint agents that cover workstations and servers, so the only telemetry is whatever the device itself logs. He also pointed to the “fast follower” effect: Once details of a high-value vulnerability become public, secondary groups quickly weaponize it, turning a single flaw into a broader wave of exploitation.
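One concrete way to close part of that visibility gap is to forward the appliance's own logs off-box and alert on administrative activity that should be rare or tightly constrained. The script below is an added illustration and is not code from the article, from Mandiant or from any appliance vendor. The log format (timestamp, hostname, event name, key=value pairs) and the sample lines are constructed for the example, the management-network allowlist 10.20.0.0/24 and the failed-login threshold are hypothetical, and real VPN, router and mail-gateway products each log in their own format, so the parser would need adapting before use.

```python
"""Flag suspicious admin activity on an edge appliance from forwarded logs.

Added example, not from the article. The log format is a constructed,
generic "<ts> <host> <event> k=v k=v" style; the allowlist and threshold
below are hypothetical values a defender would set for their environment.
"""
import ipaddress
import re
from collections import Counter

# Assumption: admin access to appliance management interfaces should only
# come from the management network (jump host / admin VLAN).
ADMIN_SOURCE_ALLOWLIST = [ipaddress.ip_network("10.20.0.0/24")]

# Events that should each correspond to a change ticket; flag every one.
HIGH_RISK_EVENTS = {"config_change", "user_add", "cert_install", "firmware_update"}

# Number of failed admin logins from one source before raising an alert.
FAILED_LOGIN_THRESHOLD = 5

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<event>\w+)\s*(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample: a legitimate admin session, then a brute-force run
# from an internet address that succeeds and creates a new admin account.
SAMPLE_LOGS = """\
2026-03-02T01:12:03Z vpn-edge-1 admin_login user=admin src=10.20.0.15 result=success
2026-03-02T01:13:40Z vpn-edge-1 config_change user=admin detail=acl_policy
2026-03-02T02:05:11Z vpn-edge-1 admin_login user=admin src=198.51.100.23 result=failure
2026-03-02T02:05:13Z vpn-edge-1 admin_login user=admin src=198.51.100.23 result=failure
2026-03-02T02:05:16Z vpn-edge-1 admin_login user=admin src=198.51.100.23 result=failure
2026-03-02T02:05:19Z vpn-edge-1 admin_login user=admin src=198.51.100.23 result=failure
2026-03-02T02:05:22Z vpn-edge-1 admin_login user=admin src=198.51.100.23 result=failure
2026-03-02T02:05:50Z vpn-edge-1 admin_login user=admin src=198.51.100.23 result=success
2026-03-02T02:06:02Z vpn-edge-1 user_add user=svc_maint role=admin
this line is garbage and is skipped
""".splitlines()


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m["ts"], "host": m["host"], "event": m["event"]}
    rec.update(dict(KV_RE.findall(m["rest"])))
    return rec


def source_allowed(src):
    """True only if src is a valid IP inside the management allowlist."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(ip in net for net in ADMIN_SOURCE_ALLOWLIST)


def analyze(lines):
    """Return (ts, host, reason, detail) tuples for events worth alerting on."""
    findings = []
    failures = Counter()  # (host, src) -> failed admin logins seen so far
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        event = rec["event"]
        src = rec.get("src", "")
        if event == "admin_login":
            if rec.get("result") == "success" and not source_allowed(src):
                findings.append((rec["ts"], rec["host"], "admin_login_from_unexpected_source", src))
            elif rec.get("result") == "failure":
                failures[(rec["host"], src)] += 1
                if failures[(rec["host"], src)] == FAILED_LOGIN_THRESHOLD:
                    findings.append((rec["ts"], rec["host"], "admin_login_bruteforce", src))
        elif event in HIGH_RISK_EVENTS:
            detail = rec.get("user") or rec.get("detail", "")
            findings.append((rec["ts"], rec["host"], event, detail))
    return findings


if __name__ == "__main__":
    for ts, host, reason, detail in analyze(SAMPLE_LOGS):
        print(f"{ts} {host} {reason} {detail}")
```

Run against the constructed sample, the script reports the legitimate config change (flagged because every config change should match a ticket), the brute-force burst, the successful admin login from outside the management network, and the new admin account. The design point is that all of this comes from the appliance's own log stream, which is why forwarding those logs off the device matters: an attacker with admin access can otherwise clear them.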

The practical takeaway for mid-sized defense suppliers was straightforward: Assume meaningful risk can begin outside traditional corporate visibility – especially in hiring and onboarding. Harden identity and access controls, including strong multi-factor authentication. And treat perimeter exposure as a strategic priority, because the edge is increasingly where intrusions start.

For more on this and other important cyber topics, check out the full catalog of Cyber Focus podcasts: https://mccraryinstitute.com/podcast/
