{"id":15983,"date":"2026-03-20T07:06:56","date_gmt":"2026-03-20T07:06:56","guid":{"rendered":"https:\/\/newestek.com\/?p=15983"},"modified":"2026-03-20T07:06:56","modified_gmt":"2026-03-20T07:06:56","slug":"the-espionage-reality-your-infrastructure-is-already-in-the-collection-path","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=15983","title":{"rendered":"The espionage reality: Your infrastructure is already in the collection path"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<p>Threat actors have always sought advantage over their targets. Recently we\u2019ve seen two efforts designed for long-term intelligence gain. This activity surfaced right where you would expect: inside the enterprise.<\/p>\n<p>Enterprises now sit directly in the adversary\u2019s collection path. They don\u2019t have to be the target; they are on the board and in play because they ride on the same infrastructure the adversary is already exploiting. The CISO\u2019s challenge is to ensure their organization doesn\u2019t become an intelligence channel for someone else simply by virtue of how it connects to the world.<\/p>\n<h2 class=\"wp-block-heading\" id=\"convergence\">Convergence<\/h2>\n<p>Two unrelated campaigns are now intersecting across the same operational dependencies.<\/p>\n<p>The overlap is not coordination; it\u2019s the predictable byproduct of how modern infrastructure centralizes access. When everything routes through a handful of shared services, shared identity layers, and shared connectivity providers, the adversary doesn\u2019t need to coordinate. 
They simply arrive through the same door.<\/p>\n<p>The targeted collection surfaces are well understood: telecom routing, cloud adjacency, managed service channels, and identity federation. These are the connective tissues enterprises rely on to function. They are also the connective tissues adversaries exploit to monitor authentication, siphon data, and maintain long\u2011term access without ever touching the enterprise directly.<\/p>\n<p>When actors with different missions arrive through the same dependencies, it signals a structural exposure problem. Because these dependencies are shared and unavoidable, the issue is not the individual campaign. It\u2019s the architecture that allows both campaigns to operate upstream of the enterprise with minimal friction and maximum persistence.<\/p>\n<h2 class=\"wp-block-heading\" id=\"commercial-spyware-as-an-intelligence-channel\">Commercial spyware as an intelligence channel<\/h2>\n<p>Criminal operators deploying Predator, a spyware suite sold by the sanctioned Intellexa consortium, have been documented across more than a dozen countries. US sanctions haven\u2019t slowed them down an iota. Their targets are not random: journalists, activists, politicians, human\u2011rights defenders, government employees and contractors, and other high\u2011value individuals. Why? These targets have access to information of value that extends well beyond the device. I\u2019ve long posited that criminal entities operate with two goals in mind: enhance capability or monetize information.<\/p>\n<p>The maturation of tradecraft we are seeing today follows the logical arc of the past decade: one\u2011click links, zero\u2011click exploit chains, network injection in some cases, and persistent device access. Predator is not a commodity tool. Predator is one of several device\u2011level compromises that become enterprise\u2011level exposures. 
It is a commercial espionage platform sold to governments or their proxies, and once deployed, it creates upstream surveillance capabilities that intersect directly with enterprise data flows, authentication systems, and service\u2011provider networks.<\/p>\n<p>This is why it matters. These tools don\u2019t just compromise individuals. They compromise the systems those individuals authenticate into, the networks they traverse, and the service providers that carry their traffic. They operate in the same shared dependencies enterprises rely on. The enterprise becomes part of the collection surface whether it wants to or not.<\/p>\n<h2 class=\"wp-block-heading\" id=\"state%e2%80%91aligned-exploitation\">State\u2011aligned exploitation<\/h2>\n<p>In February 2026, Singapore disclosed that UNC3886, a sophisticated cyber\u2011espionage group, had penetrated the networks of all four major telcos servicing Singapore: Singtel, StarHub, M1, and Simba. The threat actors used zero\u2011days, rootkits, and advanced persistence techniques to gain long\u2011term access to backbone infrastructure and technical\/network data.<\/p>\n<p>Think about that for a moment: all four telcos with their infrastructure compromised. These companies serve as part of the country\u2019s national infrastructure, supporting government, enterprise, and individuals alike. When a telco becomes a real\u2011time signals\u2011intelligence collection point, the adversary doesn\u2019t need to break into your environment directly. They can collect from the pathways your environment depends on.<\/p>\n<p>Singapore named the group but not the sponsor. Most external analysis immediately called UNC3886 China\u2011nexus. 
<a href=\"https:\/\/www.csoonline.com\/article\/4128378\/new-apt-group-breached-gov-and-critical-infrastructure-orgs-in-37-countries.html\">Palo Alto Networks Unit 42\u2019s parallel \u201cShadow Campaigns\u201d report<\/a> on TGR\u2011STA\u20111030 (UNC6619) used similar cautious language: a \u201cstate\u2011aligned group that operates out of Asia.\u201d<\/p>\n<p>The point is not attribution. The point is that the access was upstream, persistent, and structurally embedded. Regardless of point of origin, the CISO\u2019s focus remains the same: Keep these actors from taking up residence in the infrastructure your organization and your clients depend on. The data\u2011protection problem is now structural. The collection is permanent. The access is embedded.<\/p>\n<h2 class=\"wp-block-heading\" id=\"what-does-this-mean-for-cisos\">What does this mean for CISOs<\/h2>\n<p>The operational implications are not theoretical. They are immediate and measurable.<\/p>\n<ul class=\"wp-block-list\">\n<li><strong>Reevaluate exposure through the lens of shared dependencies, not just internal assets.<\/strong> Your environment is only one part of the attack surface. The dependencies you ride on are also collection points.<\/li>\n<li><strong>Strengthen visibility across telecom, cloud, MSP\/MSSP, and identity pathways.<\/strong> If you cannot see upstream, you cannot defend downstream.<\/li>\n<li><strong>Treat upstream and downstream partners as active components of your threat surface.<\/strong> The adversary already does. 
Your governance model should reflect the same reality.<\/li>\n<li><strong>Demand attestation from telecom and cloud providers.<\/strong> If your upstream providers cannot demonstrate integrity, you inherit their exposure.<\/li>\n<li><strong>Reduce implicit trust in upstream pathways.<\/strong> Assume compromise in the infrastructure you do not control.<\/li>\n<li><strong>Harden the session layer.<\/strong> Device\u2011level compromise and upstream compromise both lead to the same outcome: the adversary can impersonate your users and collapse your identity layer. Assume token theft, assume impersonation, and design authentication flows that degrade safely under compromise. In other words, design so that if the adversary gets in, they can\u2019t go far.<\/li>\n<li><strong>Shift detection toward low\u2011noise, long\u2011term access patterns typical of intelligence\u2011driven operations.<\/strong> These actors are not loud. They are patient, persistent, and structurally embedded.<\/li>\n<li><strong>Recognize the insurance implications.<\/strong> The Singapore telco breaches are the tipping point. Cyber insurers are now explicitly factoring in the risk of permanent APT residency in backbone infrastructure. 
Expect materially higher premiums, broader exclusions, and the genuine possibility that organizations riding unvetted telco or cloud providers could become uninsurable at renewal.<\/li>\n<li><strong>Integrate intelligence\u2011driven risk assessments into routine governance and architectural decisions.<\/strong> This is no longer a \u201cnice to have.\u201d It is a requirement for operating in an environment where upstream compromise is the norm, not the exception.<\/li>\n<\/ul>\n<h2 class=\"wp-block-heading\" id=\"strategic-reality\">Strategic reality<\/h2>\n<p>Commercial (criminal) and state\u2011linked actors are moving through the same dependencies modern organizations rely on, and that overlap is now a defining feature of the operating environment.<\/p>\n<p>These campaigns are not anomalies. CISOs should see them as a fortuitous heads-up. The question for CISOs is no longer whether adversaries will target their environment directly. The question is whether the infrastructure they depend on has already been turned into an intelligence platform for someone else and whether they would even know if it had.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Threat actors have always sought advantage over their targets. Recently we\u2019ve seen two efforts designed for long-term intelligence gain. This activity surfaced right where you would expect: inside the enterprise. Enterprises now sit directly in the adversary\u2019s collection path. 
They don\u2019t have to be the target; they are on the board and in play because they ride on the same infrastructure the adversary is already&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=15983\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-15983","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15983","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=15983"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15983\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=15983"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=15983"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=15983"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}