Cyber & Tech Warfare
What it is. Contesting software, data, models, and supply chains to gain persistent access and leverage. Tools include intrusions, zero-days, model theft/poisoning, telecom implants, and continuous-integration (CI) pipeline attacks. The aim is silent positioning now for decisive options later.
The Gate in the Cloud
Domain: Cyber & Tech Warfare · Stratagems: 6, 8, 22
Problem / betrayal. The lights don’t go out—they flicker on command.
How it happened. CISA/NSA/FBI warn of PRC “pre-positioning” (Volt Typhoon) in U.S. critical infrastructure using living-off-the-land techniques and vendor channels. CISA.
The men behind it. State-sponsored actors plus sloppy MSPs.
Consequences. Policy by outage.
Warning. If you can’t rebuild cold, you’re owned.
Counter-Orders
- Audit: vendor update paths; sign/verify; offline restore drills. CISA.
- Inoculate: segment; rotate creds; hunt LOTL per CISA guidance. CISA.
- Isolate: blocklist risky tools; require incident-report SLAs in contracts. CISA.
Operating model
- Actors: cyber commands, MSS/PLA units, vendors, ISPs, cloud providers.
- Levers: credentials, update channels, dependencies, standards, chips.
- Mechanisms: infiltrate → persist → pivot → leverage.
- Escalation ladder: recon → espionage → disruption → destructive effects.
- Success metrics: dwell time, privilege breadth, undetected exfiltration, leverage moments.
Tactic clusters (curated, non-repetitive)
1) Supply Chain Silhouette
Hide inside legitimate updates and vendors.
Stratagems: 8 Repair the Walkway…, 24 Borrow the Road…
Application: Compromise build pipelines; push signed-but-tainted updates.
Countermeasures: SBOMs, signed reproducible builds, out-of-band validation.
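As an added example (not from this page, CISA, or any vendor), the Python below models the "sign/verify" audit in the Counter-Orders and the "out-of-band validation" countermeasure above: an update that a compromised pipeline signed with the genuine release key passes signature verification but is rejected because it does not match an independently reproduced build or the SBOM attestation fetched over a separate channel. The key, artefacts and digests are constructed, and HMAC stands in for the asymmetric release signature a real pipeline would use.

```python
import hashlib
import hmac

# Constructed stand-in for the vendor's release-signing key. A real pipeline
# uses an asymmetric key (e.g. ed25519); HMAC keeps this example stdlib-only.
VENDOR_SIGNING_KEY = b"vendor-release-key-CONSTRUCTED"

def sign(artifact: bytes, key: bytes = VENDOR_SIGNING_KEY) -> str:
    """Release signature as produced by the vendor's build pipeline."""
    return hmac.new(key, artifact, hashlib.sha256).hexdigest()

def verify_signature(artifact: bytes, sig: str, key: bytes = VENDOR_SIGNING_KEY) -> bool:
    return hmac.compare_digest(sign(artifact, key), sig)

def digest(artifact: bytes) -> str:
    return hashlib.sha256(artifact).hexdigest()

def admit_update(artifact: bytes, sig: str, reproduced_digest: str, sbom_digests: set) -> tuple:
    """Out-of-band validation gate. A valid vendor signature is necessary but
    not sufficient: the artefact must also equal the digest of an independent
    reproducible build and be listed in an SBOM/attestation fetched through a
    channel other than the update feed."""
    if not verify_signature(artifact, sig):
        return (False, "signature invalid")
    d = digest(artifact)
    if d != reproduced_digest:
        return (False, "signed, but does not match reproducible build")
    if d not in sbom_digests:
        return (False, "signed, but digest absent from out-of-band SBOM attestation")
    return (True, "admitted")

# Constructed scenario: the pipeline is compromised and signs an implanted build
# with the genuine key, while defenders rebuild the tagged source on an
# isolated builder and obtain the SBOM digests over a separate channel.
CLEAN_BUILD = b"app v1.2.3 release binary (constructed)"
TAINTED_BUILD = CLEAN_BUILD + b"\n<implant stub (constructed)>"
REPRODUCED_DIGEST = digest(CLEAN_BUILD)
SBOM_DIGESTS = {REPRODUCED_DIGEST}

def run_scenario() -> dict:
    """Returns the verdict for the clean and the signed-but-tainted update."""
    return {
        "clean": admit_update(CLEAN_BUILD, sign(CLEAN_BUILD), REPRODUCED_DIGEST, SBOM_DIGESTS),
        "tainted_sig_valid": verify_signature(TAINTED_BUILD, sign(TAINTED_BUILD)),
        "tainted": admit_update(TAINTED_BUILD, sign(TAINTED_BUILD), REPRODUCED_DIGEST, SBOM_DIGESTS),
    }
```

The point of the scenario is the middle key: signature verification alone says "valid" for the implanted build, and only the reproducible-build comparison rejects it.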
2) Borrowed Code
Reuse stolen IP and models to leapfrog.
Stratagems: 14 Borrow a Corpse…, 17 Toss Out a Brick…
Application: Honeypot repos harvest credentials; stolen models seed domestic stacks.
Countermeasures: Credential hygiene, honeytokens, watermarking/traceability.
3) Quiet Quotas
Throttle rivals by “safety” or “compliance” gates.
Stratagems: 22 Shut the Door…, 1 Fool the Emperor…
Application: Certification delays gate hardware/software imports.
Countermeasures: Mutual recognition with allies, risk-based fast lanes, appeal SLAs.
4) Shed & Pivot
Rotate infrastructure to survive takedowns.
Stratagems: 21 Golden Cicada, 36 Retreat
Application: Ephemeral C2, domain flux, multi-cloud redundancy.
Countermeasures: Behavioral analytics, shared IOCs, forced re-auth across events.
5) Threshold Teasing
Operate just below kinetic triggers.
Stratagems: 6 Clamor in the East…, 35 Combining Tactics
Application: Timed disruptions on election eves or crisis moments.
Countermeasures: Surge teams, tabletop rehearsals, critical-function isolation.
6) Data Leverage
Exfiltrate, then monetize for leverage.
Stratagems: 20 Trouble the Water…, 18 Capture Their Leader
Application: Hold sensitive datasets to compel concessions.
Countermeasures: Data minimization, encryption at rest/in-use, compartmentalization.
Failure modes & risks
- Blowback: discovered implants trigger mass decoupling.
- Convergence risk: cyber incident escalates into kinetic domain.
- Capability leak: tools repurposed by criminals or rivals.
Related: Asymmetric, Information.