Cyber & Tech Warfare

What it is. Contesting software, data, models, and supply chains to gain persistent access and leverage. Tools include intrusions, zero-days, model theft/poisoning, telecom implants, and CI attacks. The aim is silent positioning now for decisive options later.

The Gate in the Cloud

Domain: Cyber & Tech Warfare · Stratagems: 6, 8, 22

Problem / betrayal. The lights don’t go out—they flicker on command.

How it happened. CISA/NSA/FBI warn of PRC “pre-positioning” (Volt Typhoon) in U.S. critical infrastructure, carried out through living-off-the-land techniques and vendor channels. CISA.

The men behind it. State-sponsored actors plus sloppy MSPs.

Consequences. Policy by outage.

Warning. If you can’t rebuild cold, you’re owned.

Counter-Orders

  • Audit: vendor update paths; sign/verify; offline restore drills. CISA.
  • Inoculate: segment; rotate creds; hunt LOTL per CISA guidance. CISA.
  • Isolate: blocklist risky tools; require incident-report SLAs in contracts. CISA.

Operating model

  • Actors: cyber commands, MSS/PLA units, vendors, ISPs, cloud providers.
  • Levers: credentials, update channels, dependencies, standards, chips.
  • Mechanisms: infiltrate → persist → pivot → leverage.
  • Escalation ladder: recon → espionage → disruption → destructive effects.
  • Success metrics: dwell time, privilege breadth, undetected exfiltration, leverage moments.

Tactic clusters (curated, non-repetitive)

1) Supply Chain Silhouette

Hide inside legitimate updates and vendors.

Stratagems: 8 Repair the Walkway…, 24 Borrow the Road…

Application: Compromise build pipelines; push signed-but-tainted updates.
Countermeasures: SBOMs, signed reproducible builds, out-of-band validation.

2) Borrowed Code

Reuse stolen IP and models to leapfrog.

Stratagems: 14 Borrow a Corpse…, 17 Toss Out a Brick…

Application: Honeypot repos harvest credentials; stolen models seed domestic stacks.
Countermeasures: Credential hygiene, honeytokens, watermarking/traceability.

3) Quiet Quotas

Throttle rivals by “safety” or “compliance” gates.

Stratagems: 22 Shut the Door…, 1 Fool the Emperor…

Application: Certification delays gate hardware/software imports.
Countermeasures: Mutual recognition with allies, risk-based fast lanes, appeal SLAs.

4) Shed & Pivot

Rotate infrastructure to survive takedowns.

Stratagems: 21 Golden Cicada, 36 Retreat

Application: Ephemeral C2, domain flux, multi-cloud redundancy.
Countermeasures: Behavioral analytics, shared IOCs, forced re-auth across events.

5) Threshold Teasing

Operate just below kinetic triggers.

Stratagems: 6 Clamor in the East…, 35 Combining Tactics

Application: Timed disruptions on election eves or crisis moments.
Countermeasures: Surge teams, tabletop rehearsals, critical-function isolation.

6) Data Leverage

Exfiltrate, then monetize for leverage.

Stratagems: 20 Trouble the Water…, 18 Capture Their Leader

Application: Hold sensitive datasets to compel concessions.
Countermeasures: Data minimization, encryption at rest/in-use, compartmentalization.

Failure modes & risks

  • Blowback: discovered implants trigger mass decoupling.
  • Convergence risk: cyber incident escalates into kinetic domain.
  • Capability leak: tools repurposed by criminals or rivals.

Related: Asymmetric, Information.