Espionage groups from China, Russia, and other nations have burned at least two dozen zero-days in edge devices over the past year in attempts to break into defense contractors' networks, according to analyses from Google and Recorded Future. Cyber operations have become a continuous instrument of national defense, and the defense industrial base (DIB) is squarely in the crosshairs.

Google's Threat Intelligence Group says China-linked actors keep aggressively targeting military contractors, deploying zero-day exploits against edge appliances for initial access, while Russian intelligence-tied groups have gone after secure messaging apps used by Ukrainian forces and worked to identify drone operators. The dominant strategy, GTIG's Luke McNamara says, is pre-positioning: organizations should assume continuous access-building rather than only headline-grabbing destructive events.

Edge devices — VPN appliances and security gateways from vendors like Cisco, Citrix, Fortinet, Ivanti, Juniper, Palo Alto Networks, and SonicWall — are the favored entry point. CISA's Known Exploited Vulnerabilities catalog records 26 edge-device vulnerabilities exploited in 2025 and 35 in 2024, with more than 100 such flaws abused over the past four years. These appliances are internet-facing, slower to patch, and less closely monitored than endpoints, Recorded Future's Levi Gundert notes.
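One way a DIB defender can keep watch on that exposure, added here as an illustration rather than code from the article or from CISA: it filters records in the shape of the KEV JSON feed (field names match the real feed; the sample entries, CVE ids and appliance inventory below are constructed placeholders) down to the edge vendors named above, counts additions per year, and flags the entries that match the organisation's own internet-facing appliances.

```python
import json
from collections import Counter

# Vendors the article names as the favoured edge-device entry points.
EDGE_VENDORS = {"Cisco", "Citrix", "Fortinet", "Ivanti", "Juniper",
                "Palo Alto Networks", "SonicWall"}

# Constructed sample in the KEV feed's shape (field names as in the real feed;
# the CVE ids, products and dates are placeholders, not real catalog entries).
SAMPLE_KEV = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "Ivanti", "product": "Connect Secure",
         "dateAdded": "2025-01-09", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-0002", "vendorProject": "Fortinet", "product": "FortiOS",
         "dateAdded": "2024-02-15", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-0003", "vendorProject": "Microsoft", "product": "Windows",
         "dateAdded": "2025-03-01", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-0004", "vendorProject": "Palo Alto Networks", "product": "PAN-OS",
         "dateAdded": "2024-11-18", "knownRansomwareCampaignUse": "Unknown"},
    ]
})

# Constructed inventory of the organisation's own internet-facing appliances.
EDGE_INVENTORY = {("Ivanti", "Connect Secure"), ("Palo Alto Networks", "PAN-OS")}


def edge_kev_entries(kev_json: str) -> list[dict]:
    """Return KEV records whose vendorProject is one of the named edge vendors."""
    entries = json.loads(kev_json)["vulnerabilities"]
    return [e for e in entries if e.get("vendorProject") in EDGE_VENDORS]


def edge_counts_by_year(kev_json: str) -> dict[str, int]:
    """Count edge-vendor KEV additions per year (dateAdded is ISO YYYY-MM-DD)."""
    return dict(Counter(e["dateAdded"][:4] for e in edge_kev_entries(kev_json)))


def matches_inventory(kev_json: str, inventory: set[tuple[str, str]]) -> list[str]:
    """CVE ids in the edge subset whose (vendor, product) pair is in our inventory."""
    return sorted(e["cveID"] for e in edge_kev_entries(kev_json)
                  if (e["vendorProject"], e["product"]) in inventory)


if __name__ == "__main__":
    print(edge_counts_by_year(SAMPLE_KEV))
    print(matches_inventory(SAMPLE_KEV, EDGE_INVENTORY))
```

Pointing the same functions at the live feed gives the per-year figures the article quotes and a patch-priority list for the appliances actually deployed.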

Rather than stockpiling bugs, leading state actors invest in covertly accumulating access to identities, networks, and edge infrastructure — persistent collection in peacetime that preserves disruptive options in a crisis. The edge is not the only avenue: North Korea's APT43 has impersonated U.S. and German defense firms to steal credentials and plant backdoors, while UNC2970 has collected intelligence on defense and cybersecurity companies alike.