Deepfakes & Laptop Farms: How Nation-States Infiltrate the Defense Supply Chain with Luke McNamara
Season 3 Episode 8 • Show Notes
Cyber threats against the Defense Industrial Base (DIB) don’t stop at the battlefield—they extend into suppliers, perimeter devices, and even hiring pipelines. Luke McNamara of Google’s Threat Intelligence Group joins Frank Cilluffo to unpack Mandiant’s report Beyond the Battlefield: Threats to the Defense Intelligence Base and the patterns it flags across today’s threat landscape. They discuss how the war in Ukraine is shaping targeting priorities, why China’s cyber espionage increasingly begins at the network edge, and how “fast follower” exploit cycles compress patch timelines. McNamara also explains the North Korean IT worker problem, where remote hiring fraud can create both revenue and potential access pathways. The takeaway for mid-sized defense suppliers is practical: harden identity, reduce perimeter exposure, and assume meaningful risk often starts outside traditional corporate visibility.
Main Topics Covered
- Why manufacturing remains a top target and a warning sign for broader supply-chain risk
- How the war in Ukraine is influencing cyber targeting tied to drones and UAS ecosystems
- China’s focus on edge-device compromise (VPNs, routers, email gateways) and why it matters
- The “fast follower” dynamic that turns one vulnerability into many intrusions
- North Korean IT worker operations, remote hiring fraud, and AI-enabled deception
- The highest-leverage defensive priorities for DIB organizations, especially identity and MFA
Key Quotes
“Manufacturing is always the most targeted sector going back to 2020. And I think that’s a larger canary in the coal mine.” — Luke McNamara
“It’s not just some of these top-tier Chinese APT actors and their ability to leverage these as a zero-day, but the ability for secondary groups, once some of the details leak around a particular vulnerability, to start weaponizing it themselves.” — Luke McNamara
“If I had to narrow it down to one category to put more resources to, I would say identity…hardening around the identity piece is certainly key.” — Luke McNamara
“Organizations that are more aware of [the North Korean IT worker infiltration], where the security teams have met with their HR folks, their recruiters, helped inform them about the nature of these threats, I think they’re a little bit better secured.” — Luke McNamara
“It sounds more like a movie than reality, but it’s happening.” — Frank Cilluffo
Relevant Links and Resources
Mandiant report — Beyond the Battlefield: Threats to the Defense Intelligence Base
Mandiant podcast — The Defender's Advantage
Guest Bio
Luke McNamara is a Deputy Chief Analyst at Google Cloud’s Mandiant Intelligence and part of Google’s Threat Intelligence Group, focused on cyber threat trends and emerging risks.
Transcript
Luke McNamara [00:00:00]: If you look at that extortive activity, if you look at the data leak sites, manufacturing is always the most targeted sector going back to 2020. And I think that’s sort of a larger canary in the coal mine.
Frank Cilluffo [00:00:13]: Welcome to Cyber Focus from the McCrary Institute, where we explore the people and ideas shaping and defending our digital world. I’m your host, Frank Cilluffo, and this week I have the privilege to sit down with Luke McNamara. Luke is part of the Google Threat Intelligence Group and is also host of Mandiant’s podcast, Mandiant’s Defender’s Advantage. Really excited to sit down with Luke today to discuss a new report they put out, Beyond the Battlefield: Threats to the Defense Intelligence Base, which I think causes us to question some of the assumptions. If there is something called traditional security, it certainly questions the very assumptions of some of the principles behind that. Without further ado, Luke, thank you so much for joining us today.
Luke McNamara [00:00:59]: Thanks for having me today.
Frank Cilluffo [00:01:01]: You know, Luke, your front line grabbed me. In modern warfare, the front lines are no longer confined to the battlefield. They extend directly into the servers and supply chains of the industry that safeguards our nation. I’d like to sort of jump into that right away because when we think about it, pretty hard to defend something if you can’t see it. And visibility, I think, is key here. And the way we think about supply chains makes your, at least makes my head hurt a little bit. But I thought we’d start from the start, grabbing a headline and lead and tell us what you think that actually means, especially, and maybe use an example like Ukraine to sort of flesh that out.
Luke McNamara [00:01:46]: Yeah, so I think for people who have, you know, followed cyber threat activity, particularly nation-state nexus cyber threat activity, it’s unsurprising to hear that the defense sector sees a lot of this activity. What we wanted to do with this report is looking across the broader landscape, identify when we see the campaigns, the intrusions impacting defense organizations today, what are some of the more notable themes that we’re witnessing? So there’s sort of 4 that we call out in this report. The first, as you note, and I think again, maybe unsurprising for those following the conflict, the Russian war in Ukraine, is what we’re seeing on that battlefield today, where we’re having next-generation technologies and capabilities being actively fielded. And as we’ve seen the evolution of Russia’s usage of cyber in that conflict, you know, at times that’s focused on disruption efforts, wiper malware attacks, at times that’s been focused on espionage. But increasingly we see it supporting more frontline battlefield operations. And pieces of that is impacting the defense sector, especially some of these newer systems, these UAS or drone systems as they’re being deployed in the environment.
Frank Cilluffo [00:03:00]: And I’d like to unpack that because UAS and counter-drone activity and the like is clearly a front-and-center set of issues, and your report details consistent efforts by Russian-linked actors to target drone developers. So it’s both on the battlefield and it’s also those developing some of the latest and greatest UAS technology. Anything you want to add to that?
Luke McNamara [00:03:27]: Yeah, it’s interesting, actually drones come up as a theme, not just in the context of the Russia-Ukraine war, but what we’re seeing across the Big Four, right? Other areas of interest in cyber espionage activity from China, from Iran, again, somewhat unsurprising given how this is sort of emerging as a capability. Specific to what we’re seeing though in Ukraine, you know, that’s taken different forms. So in part, it’s targeting of the companies that are building these systems. Sometimes it’s the military units that are fielding them, utilizing them. I think there’s one example we include in the report that’s a lure that was looking to capture information around Ukrainian military units that may be looking to get training on these capabilities. So I think, you know, the best way to think about this is this is just one piece of overall cyber operations impacting the battlefield. Some of this is also impacting mobile systems that individuals in various military units or part of defense companies are using as well. So I think that this kind of touches on the larger ecosystem to include obviously the end users of these defense technologies, the military units themselves.
Frank Cilluffo [00:04:35]: And many of them are not traditional defense industrial-based companies. So it’s a number of smaller companies where cyber may not be a primary thought of theirs as they’re designing, developing, and deploying new technologies. Is that fair?
Luke McNamara [00:04:51]: Yeah, that was one of the things we wanted to include in this report, and especially I think in the kind of fourth category where we talk about the hacktivist and also extortive threat that we’re seeing against the broader manufacturing base. I think it’s important when we’re looking at this, and especially in the United States right now when we’re having this conversation around reindustrialization, it’s important to note that when we’re thinking about this ecosystem, it’s not just the pure-play dedicated defense contractors. It’s not the big primes necessarily. It’s also the many manufacturing organizations that provide components that go into defense applications, even if the primary, uh, nature of that company is, you know, producing things for civilian applications. And I think it’s interesting to note, if you look at that extortive activity, if you look at the data leak sites where data, uh, often associated with ransomware threat actors is being put onto these sites, manufacturing is always the most targeted sector, uh, going back to 2020. So, when we look at the sectors that are most represented on these sites, manufacturing is always there in the lead. And I think that’s sort of a larger canary in the coal mine as we’re thinking about cyber risks to the broader manufacturing base. And of course that has impact on the defense sector as well.
Frank Cilluffo [00:06:04]: And that manufacturing base is diverse, broad, and pretty much touches everything modern societies touch. So it does change the way we think about defending our systems. And to me, that is awfully complex. So, I mean, we have a lot of blacklisting of technologies, of ISPs. You can get to any level of granularity you like. But when you look at this challenge, it really is all-encompassing, isn’t it? And how do you start arming the defenders with that visibility and prioritize? Because you can’t drown in a lot of noise either. You need, you need the signal.
Luke McNamara [00:06:44]: Yeah, and I would say that’s also one of the challenges in producing a report like this, is we want to be as encompassing as possible about the nature of the threats that we see today, but then at the same time to be useful for network defenders and CISOs and the people who are operationally in the seat to try to defend these organizations.
Frank Cilluffo [00:07:06]: And, you know, and this is oversimplifying it, but if Russia is uber-focused on, on the battlefield right now, China clearly is playing a long game and they are also trying to learn and glean any insights and lessons learned on some of the battlefield implications. But let’s get to edge devices where you had some really good data in your report. And what should we be thinking about there? And are we seeing a shift from traditional phishing to be able to get to ABC to more going right at the edge device, or is it all of the above?
Luke McNamara [00:07:44]: Yeah, so I think this is part of the larger story around how China Nexus cyber espionage operations are evolving. You know, and you can think back to a decade ago when a lot of that activity, still incredibly high volume, but was much more smash and grab, much noisier in nature. And I think what we have continued to see on sort of the evolutionary track that these Chinese threat groups have been on is greater sophistication, greater technical sophistication, moving further up the information supply chain. And a big piece of that, if you look at some of the notable impactful zero days that have come out in the last several years, is this clear focus on edge devices. So think of things like VPNs and routers, email gateways, technologies and appliances that live on the outer perimeter of an enterprise network. And being able to target them either because they’re end of life or because you’re, you know, investing very clearly in vulnerability research so you can find zero days to exploit these devices. This offers a lot of advantages over your traditional phishing where you’re having to do things like social engineer the end user to click on, you know, manipulate a file, input information. Those techniques are still being used, but increasingly we see a lot of the sort of impactful breaches that’s coming from China nexus groups originate from edge device compromises.
Frank Cilluffo [00:09:11]: Yeah, well said. And maybe not directly in the report, but the cadence of zero days that are being exploited today seems to be exponential. There was a time where you save the secret sauce for when you really need it. It seems to me that that’s becoming sort of a daily activity. What indications does that mean from a trend perspective, if any?
Luke McNamara [00:09:35]: Well, I think there’s a couple things. I think one, yes, the overall number of zero days seems to continue to go up. As always, you can’t talk about the zero-day problem without, I think, noting this is what we are seeing. What are we not seeing, right? What’s 6 months from now are we going to find out is being actively exploited as a zero-day right now as we speak? But the other piece is sort of the fast follower problem. So it’s not just, you know, some of these top-tier Chinese APT actors and their ability to kind of leverage these as a zero-day, but the ability for kind of secondary groups once some of the details leak around a particular vulnerability to start weaponizing it themselves. So it becomes a larger problem. And again, this is something that is not just specific to the defense industry. We are seeing it with some of the actors that we mentioned.
Luke McNamara [00:10:25]: Some of the ones like the actor we track as UNC5221 associated with the Brickstorm malware, right? These are techniques these groups are using to go after defense, but not exclusively defense.
Frank Cilluffo [00:10:36]: Interesting. And so pivoting a little bit from networks and systems to people, and clearly when we think of attack surfaces, the human is still, is exponentially increasing what that attack surface could and in fact is. And nowhere is this more striking than the North Korean IT worker operations, which quite honestly, my head still spins when I, when I think about this one. But you included some great data in your report on that. And I’d be curious, anything you want to underscore there from the laptop farms to how they’re obtaining legitimate jobs in the US and how do they circumvent HR and some of the more traditional vetting that companies, especially in the defense industrial base, have in place?
Luke McNamara [00:11:33]: Yeah, now this is another great example of, I think, something that’s becoming a trend that is not just germane to the defense industry. Um, we are seeing these IT workers show up in the defense industry, but also virtually every sector and industry that we work with. Um, it’s interesting because I think it is one of these problems where it is still difficult, as much has been written about, um, by journalists, by security researchers, I think it’s still difficult to fully grasp the potential scope of this activity. It’s not just happening in the United States, it’s happening globally. But I think it’s also something where, you know, some of the tactics, some of the techniques that these actors are using is continuing to evolve. Organizations that are more aware of this problem, where the security teams have met with their HR folks, their recruiters, helped inform them about the nature of these threats, I think they’re a little bit better secured against potentially hiring these individuals. But, you know, one of the challenges here is also you have, for very large companies, armies of smaller subcontractors who maybe don’t have the same vetting in place. And so when these individuals are using things like AI face swap technologies in the actual video interview, you know, these are all remote jobs that they’re essentially applying for.
Luke McNamara [00:12:46]: They’re using maybe fabricated documents or stolen IDs. That can complicate some of this problem. But I think unfortunately it’s still an issue where not enough organizations are even aware of the nature of this threat. And I think especially once you get outside the United States, the understanding, visibility to this problem is even less so.
Frank Cilluffo [00:13:05]: Yeah, and it, I mean, just from an end user’s perspective, it sounds more like a movie than reality, but it’s happening. And now you layer AI on top of all of that where individuals could be targeted and lured to particular opportunities, that just adds more chaos into the picture, right?
Luke McNamara [00:13:30]: Yeah. And I should note, primarily when we talk about this problem, we think that the key motivation is revenue generation for the North Korean state. But I think the defense sector is one industry where, if we look at similar operations on the espionage side of North Korea, they have had a clear interest for some of their groups and teams on going after defense technologies. And so I would rule out sort of an espionage interest, uh, by some of these IT workers once they’re hired into these environments.
Frank Cilluffo [00:13:59]: And they may not even know in some cases. So I, I mean, it is a very interesting, because I, I agree with you, by and large when we think of the DPRK, it’s, traditionally organized crime tries to penetrate the state. It’s the inverse when it comes to North Korea. It’s their way to be able to, since they’ve been cut out of the global economy by and large, it is their way to raise money. It’s the modern equivalent of their super bills that they had used extensively, counterfeit currency and the like in the past. But the truth is, is they are interested in military technology. So it may not simply be to raise money, but rather to achieve their, their national security objectives, which I think is a point that needs to be made. You know, you also highlighted the role of personal email, which is not a new challenge, but it’s like the bring your own device to work challenge on steroids here. But anything you want to highlight there? Because I still think this is troubling.
Frank Cilluffo [00:15:07]: And I can’t imagine a time where companies are monitoring every bit of that. That would be a bit afar in terms of surveillance of individuals. What should we be thinking there and what should companies be instituting there to be able to improve their hiring capabilities?
Luke McNamara [00:15:27]: Yeah, I think this is another one of these challenges that kind of touches on a number of different themes, but whether it’s the targeting of employees’ personal email addresses, whether it is, as we’ve seen in the case of some of the Iranian threat groups where they’re standing up recruitment portals, spoofing some of the, the brands of big aerospace and defense companies as a way to gather resumes and likely follow-on intelligence activity against employees in the sector. There’s a lot of this activity that’s happening outside of the corporate networks, corporate environments that your traditional security team has visibility into. And this is something I think that creates a challenge from the standpoint of detecting where an intrusion might begin, right? So let’s say you have an employee whose personal email is compromised. Maybe they’re reusing credentials for that account, or those credentials are somewhere in their email environment that also access their corporate account. That now presents a challenge for the corporate entity, and they may not even realize the actor now has access to that. We were talking earlier about some of the Russian activity in Ukraine, the targeting of mobile devices. Again, stuff that’s happening outside sort of your traditional SOC visibility.
Luke McNamara [00:16:37]: So I think it’s something that from a number of different angles, this as a technique is something that presents a challenge for traditional network detection.
Frank Cilluffo [00:16:46]: Yeah, well said. Can you shed a little more light on the Iranian use of fake job portals and resume building and the like?
Luke McNamara [00:16:55]: Yeah, this is something we’ve been seeing for some time. There’s been other researchers that have talked about this publicly, but I think this is one of the kind of clear, consistent areas of interest by Iranian threat actors for quite some time. And so the ability to kind of stand up a portal that looks like a recruitment portal where you would log in and provide your resume, other sort of details, it’s a, it’s a technique that could allow them to cast a very wide net of potential people that are working in this industry, working in this field. Um, and so as a technique, it’s something they’ve been using for, for quite some time. Um, but certainly something that other, uh, nation-state actors could leverage as well.
Frank Cilluffo [00:17:34]: And sort of zooming out from the individual to the broader industrial ecosystem, uh, I, I thought you had a lot of really interesting empirically-based data and evidence around manufacturing. And a lot of this, again, we touched on this at the outset, but it’s not traditional defense. It’s, you name it, that is part of that supply chain, but that could have impact when it matters, right? In a crisis. And I’d be curious what some of your thoughts are there and what you found there.
Luke McNamara [00:18:12]: Yeah, so again, I think when we’re talking about these threats to manufacturing, a lot of which we’re still seeing today that are, criminal in nature, right? It’s tied to the unfortunately continuing rising problem of ransomware and data theft as a means of extortion, right? Multifaceted extortion. But I think it does speak to the larger cyber risk that these organizations have. And something else I’ll note is it doesn’t necessarily have to impact the factory floor, right? When we’re thinking about OT-specific malware, malware that could impact OT systems, physical systems, for manufacturing, that’s not necessarily what needs to be impacted to have an impact on these organizations. If their ability to ship out and receive orders, if those systems go down, they can be impacted, right? And they can have an inability to get those products out to their suppliers and their other partners. So I think there’s this sort of cascading risk here that is maybe less well understood and the impact to some of these organizations, which again, may not be pure play defense companies, but play a role in this larger ecosystem.
Frank Cilluffo [00:19:15]: On top of that, we are seeing a surge in OT-focused malware as well. So put together, that’s a pretty troubling trend, I think, that we’re all recognizing. And when it comes to public safety sets of issues, that can have truly significant impact and implications on not only our women and men in the, in, in field, from a battlefield perspective, but domestically as well. You know, you also wrote quite a bit about the resurgence of hacktivism. It’s never gone away, but you’re starting to see it spike a bit. And you highlighted on a couple of really interesting use cases around Russia and Iran leaking sensitive military material and the like. How much of this, sometimes difficult to discern proxies and who’s the puppet, who’s the master, how much of this is you think genuinely organic vis-à-vis nation-state sponsored, supported, or the like?
Luke McNamara [00:20:22]: Yeah, it’s certainly a mixture. And you’re right, it is difficult at times. We’ve seen examples, you know, certainly of some that appear to be independent, you know, patriotically motivated or otherwise hackers. Hacktivists, you know, truly from those regions or countries, but then everything to threat actors that are working in concert with state-affiliated organizations or even those organizations themselves, obviously spoofing or pretending to be activists. And so it’s a very murky environment. I think when we’re thinking about, you know, why would a threat actor target a defense organization, certainly there’s the IP theft, the espionage gain. But some of this is also interest around, as we see global investment in defense continuing to grow, who is buying what, right? And also potentially embarrassing or attempts to embarrass certain countries by leaking out information around these deals, or, you know, as we’ve seen in the case of some of the Iranian actors, you know, leaking out who’s purchasing some of these weapons systems. So I think that there’s a role that the hacktivists are certainly leaning into.
Luke McNamara [00:21:28]: We are seeing more hacktivist activity generally around some of the geopolitical flashpoints, you know, throughout last year. And so I expect this is going to continue and we’re going to see more players enter the space.
Frank Cilluffo [00:21:39]: Let’s bring this home to people listening and watching who are responsible for sort of running these systems and real programs. Say you’re a mid-sized defense industrial base company. You’re not necessarily the big, the Lockheeds or the Raytheons or the Northrop Grummans. What risks in this report do you think are easiest for them to miss but most urgent to address?
Luke McNamara [00:22:09]: Yeah, so this gets back to that question of like, you want to talk about everything, every potential risk, but then also scope it down in a way that’s useful for the organization. I think a lot of this goes back down to what are the specific technologies, partners, customers that you have, the specific even parts of the world that you may be servicing, that is going to dictate some of this. If I had to kind of narrow it down to like one category of technology or one sort of certainly initial infection vector to maybe put more resources to, I would say identity. Identity is something that time and time again, throughout a lot of these operations and just a lot of the activity we see generally comes up again and again, right? Whether that’s the problem of info stealer malware capturing passwords, whether it’s some of these things like these techniques to capture credentials, I think having a hardened, you know, hardening around the identity piece is certainly key. You know, strong multi-factor authentication. That’s certainly something that I think can also reduce the larger impact if there’s a partial breach or some systems are compromised. So if there’s one thing to kind of focus efforts around securing, I think the identity piece writ large is the one to keep in mind.
Frank Cilluffo [00:23:27]: Hey Luke, just two more quick questions. Do you plan to continue to take a look at this issue year over year, or is this a one-time report?
Luke McNamara [00:23:38]: We have a lot of different sectors and industries to cover, but I think this is one that certainly we continue to look at. I think also just because of its nexus to the public sector, to the military, there’s a lot of, you know, longstanding and far-reaching implications as to what’s happening in the space. It’s also one where a lot of the threat actors that we track are always focused on. So we always have a focus of this industry amongst many.
Frank Cilluffo [00:24:05]: And again, it’s all blurring pretty fast. What’s foreign, what’s domestic, what’s military, what’s, what’s not. All of this is, is blurring. So I like the fact that you took a set of issues that you’ve been looking at for quite some time, but reexamining and reapplying and what those implications are for the broader defense industrial base, the supply chain, because I think the diversity is going to grow in that community. So if I have a vote, I’m not a shareholder and I’m not paying any of the checks, but I hope you do keep your eyes on this issue. And the last question is what questions didn’t I ask that I should have?
Luke McNamara [00:24:46]: We covered a lot of ground. There’s certainly a lot of other aspects of this. This was certainly not an exhaustive report. I think there’s other components of the landscape that impacts defense that we didn’t have, you know, kind of the space to cover. But hopefully this kind of zeroes in on what we see as sort of the key themes right now.
Frank Cilluffo [00:25:05]: Awesome, Luke. Thank you for all the work you’ve been doing in this space. Thank you for continuing to shed a light on the important trends and, and, uh, and TTPs that our adversaries are exploiting to enhance our overall preparedness. And my big takeaway is, yes, hardware, firmware, software, all of that matters, but ultimately people, partners, platforms, and, uh, and preparedness matter as much. And we need the good people fighting the good fight. So thank you for doing that, and thank you for spending time with us today. Thank you.
Luke McNamara [00:25:40]: Thank you for having me.
Frank Cilluffo [00:25:42]: Thank you for joining us for this episode of Cyber Focus. If you liked what you heard, please consider subscribing. Your ratings and reviews help us reach more listeners. Drop us a line if you have any ideas in terms of topics, themes, or individuals you’d like for us to host. Until next time, stay safe, stay informed, and stay curious.