Rising Nation-State and APT Targeting of Private Sector and Critical Infrastructure
Nation-state and advanced persistent threat (APT) activity is increasingly extending beyond traditional government and military targets to include private companies and critical national infrastructure. The reporting highlights a shift toward long-term intrusions aimed at intelligence collection, strategic influence, economic advantage, and disruption, with private-sector networks, infrastructure providers, and technology firms now treated as operationally valuable targets. Critical services such as energy, water, telecommunications, transport, and healthcare are described as especially exposed because attacks on even a small component can create wider societal and political effects.
The coverage also emphasizes that these campaigns often avoid noisy malware or immediate disruption, instead relying on legitimate credentials, trusted third-party access, and existing business tools to maintain persistent access across identities, cloud platforms, SaaS environments, and supplier ecosystems. One example cited is the attack on Collins Aerospace's ARINC cMUSE airline check-in and boarding software, which disrupted passenger boarding at several European airports and illustrated how compromising a supporting technology provider can produce broad downstream impact. Defenders are urged to move beyond incident-driven response and strengthen continuous visibility, exposure management, and threat-informed monitoring across interconnected enterprise and infrastructure environments.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Leslie Beavers warns US is already under persistent 'cyber invasion'
In remarks reported on 20 March 2026, former Department of Defense CIO Leslie Beavers said the United States is facing an ongoing nation-state-driven 'cyber invasion' targeting critical infrastructure, government, and businesses. She called for a federally led defense model and emphasized zero trust and stronger cybersecurity maturity.
Collins Aerospace ARINC cMUSE attack disrupts European airport boarding
On 19 September 2025, a cyberattack hit Collins Aerospace's ARINC cMUSE check-in and boarding software, disrupting passenger boarding at several European airports. The incident was cited as an example of how attacks on a single supplier can cascade into wider public disruption.
Bridewell reports widespread attacks on UK CNI organizations in 2024
Bridewell reported that 95% of UK critical national infrastructure organizations experienced a cyberattack in 2024. The finding was used to illustrate the scale of cyber risk facing essential services and concerns about supply chain resilience.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
Inside the Growing 'Cyber Invasion' Targeting the US
govinfosecurity.com
Open sourceNation-State Cyber Threats Are Expanding Beyond Government Targets | HackerNoon
hackernoon.com
Open sourceWhy cyber attacks on critical national infrastructure are such a huge threat | IT Pro
itpro.com
Open sourceManaging Persistent Exposure: Why APT Defence Requires a Strategic Shift | SecuritySenses
securitysenses.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Reports Highlight Rising Nation-State/APT Activity and Increased 0-Day Exploitation
Two threat-landscape reports describe an increasingly aggressive **nation-state/APT** environment, emphasizing how stolen credentials and access sold in underground markets reduce the need for bespoke initial access while enabling long-dwell espionage. SOCRadar’s U.S.-focused writeup frames state-linked operations as prioritizing persistent visibility into high-value environments such as **email, identity systems, telecom, and government-adjacent infrastructure**, citing China-nexus activity (including **Salt Typhoon**) as emblematic of strategic access over smash-and-grab theft. NSFOCUS’s 2025 global APT overview highlights a marked increase in **0-day vulnerability** use across operating systems, browsers, network devices, and even security software, enabling extended stealth and broad impact. It cites examples including **BlindEagle** targeting Colombian judicial/government entities by exploiting a variant of `CVE-2024-43451` (Windows shortcut/SMB link behavior enabling **NTLMv2 hash capture** with low-interaction triggers), **Lazarus Group** weaponizing a 0-day in South Korea’s widely deployed *CrossEX* banking/security software for large-scale intrusion and data theft, and Turkey-linked **Marbled Dust/Sea Turtle** conducting an operation against the Iraqi Kurdish military (disclosed later) using vulnerability exploitation as part of the intrusion chain.
May 5, 2026
Threat Actors Scale Attacks on Edge and Cloud Control Planes via Exposed Services and Trusted Relationships
Threat actors are increasingly targeting **network edge infrastructure**—including firewalls, routers, and VPN appliances—by exploiting critical vulnerabilities to gain durable footholds in environments where monitoring is often weaker than on endpoints. Reporting highlights a shift toward persistence mechanisms such as **device-family-specific backdoors** that can survive reboots and even firmware updates, and a growing pattern of abusing **trusted services and upstream providers** (the “**Fail-of-Trust Model**”) to pivot from compromised IT/service vendors into downstream government, military, and critical infrastructure networks. In parallel, a separate large-scale campaign tracked as **TeamPCP** (aka **PCPcat** / **ShellForce**) has been compromising **cloud environments** using automated, worm-like propagation against **misconfigured or exposed management interfaces** rather than novel exploits. Analysis cited in coverage attributes at least **60,000 compromised servers worldwide** to the operation, which scans for and abuses exposed services such as **Docker APIs**, **Kubernetes** control surfaces, **Redis**, and other cloud-adjacent interfaces, turning hijacked infrastructure into monetizable “crime bots” through industrialized exploitation of known weaknesses and misconfigurations.
Mar 21, 2026
State-Sponsored Cyber Espionage Targeting Defense and Critical Infrastructure
Google Threat Intelligence Group (GTIG) reported that the **defense industrial base (DIB)** is under sustained, multi-vector pressure from state-backed and aligned actors seeking to steal sensitive military technology, disrupt supply chains, and undermine national security. The report highlights Russian-linked activity focused on **unmanned aircraft systems (UAS)** and other emerging technologies, including **TEMP.Vermin** using drone-themed lures to deliver malware and **APT44 (Sandworm/GRU)** targeting military personnel devices with tooling such as **INFAMOUSCHISEL** to harvest data from battlefield-related applications; it also notes some Russian operators are using **LLMs** to improve reconnaissance and social-engineering effectiveness. GTIG also describes North Korea’s continued use of **IT-worker/insider** placement to generate revenue and access within Western organizations. Separately, reporting on **Transparent Tribe (APT36)** describes ongoing espionage campaigns against Indian government and defense targets across Windows and Linux, including spear-phishing that deploys **Geta RAT** and execution chains abusing legitimate Windows components (e.g., `mshta.exe`) and **XAML deserialization** for evasion, alongside a shift toward more mature Linux tooling and persistence. A third report (Picus Labs’ *Red Report*) is broader trend research rather than a specific incident, claiming ransomware encryption is declining while “**sleeperware**”/dormant extortion tradecraft is rising based on ATT&CK technique prevalence across large-scale simulation and telemetry; it does not materially add to the defense-sector espionage narrative beyond general attacker TTP trends.
Mar 21, 2026