A joint report from the U.S. Navy Cyber Defense Operations Command and Mandiant has uncovered a troubling campaign by the China-affiliated APT40 group. This operation leveraged UDP-based exploits to compromise U.S. Navy contractors in logistics and shipbuilding across California, Virginia, and Singapore.
Attack Overview
The attackers exploited routers and IoT devices with exposed UDP services, such as SSDP (port 1900) and SNMP (port 161). Malformed service discovery packets triggered buffer overflows, allowing attackers to execute memory corruption attacks and gain root-level access.
After initial access in May-June 2025, the adversary moved laterally across contractor networks, exfiltrating sensitive project timelines, personnel data, and CAD files. Stealth scanning and spoofing techniques masked their presence, delaying detection until early July at a satellite communications firm.
Why This Matters
This campaign signals a shift from traditional TCP exploits to UDP protocol misuse – an often-overlooked attack surface. Small vendors with outdated infrastructure and weak device segmentation provided entry points that enabled attackers to bypass hardened Navy environments.
Compromising maritime-related logistics data also highlights the potential blending of cyber activity with kinetic threats.
Recommended Defensive Measures
- Disable nonessential UDP services such as SSDP, SNMP, and mDNS unless they are operationally required
- Deploy behavioral intrusion detection capable of spotting UDP flooding or spoofing
- Enforce strict network segmentation, especially between OT, R&D, and admin systems
- Conduct vendor cybersecurity risk assessments to enforce minimum baseline protections
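A small detector in the spirit of the first two measures, added here as an illustration rather than taken from the report or from COE Security's tooling: it runs over constructed flow records, flags UDP traffic from internet sources that reaches the SSDP, SNMP or mDNS ports (a service that should have been disabled or filtered at the edge) and flags per-source UDP bursts. The mDNS port 5353, the internal address ranges, the record format and the flood threshold are assumptions.

```python
import ipaddress
from collections import Counter

# UDP services the report names (SSDP 1900, SNMP 161) plus mDNS from the
# hardening list; the mDNS port 5353 is assumed here, not given on the page.
DISCOVERY_PORTS = {1900: "SSDP", 161: "SNMP", 5353: "mDNS"}
FLOOD_THRESHOLD = 50  # UDP packets per source per second; constructed tuning value
# Address space treated as "inside"; any other source counts as the internet.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def parse_flow(line):
    """One constructed record: '<epoch_s> <proto> <src> <sport> <dst> <dport> <pkts>'."""
    ts, proto, src, sport, dst, dport, pkts = line.split()
    return {"ts": int(ts), "proto": proto, "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport), "pkts": int(pkts)}

def is_external(ip):
    """True when the address lies outside INTERNAL_NETS."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def detect(lines):
    """Alert on (a) UDP from an external source reaching a discovery port, i.e. a
    service that should not be internet-exposed, and (b) per-second UDP floods."""
    alerts, per_second = [], Counter()
    for line in lines:
        f = parse_flow(line)
        if f["proto"] != "UDP":
            continue
        per_second[(f["src"], f["ts"])] += f["pkts"]
        svc = DISCOVERY_PORTS.get(f["dport"])
        if svc and is_external(f["src"]):
            alerts.append(("exposed_service", svc, f["src"], f["dst"]))
    for (src, ts), count in sorted(per_second.items()):
        if count > FLOOD_THRESHOLD:
            alerts.append(("udp_flood", src, ts, count))
    return alerts

# Constructed sample: a normal internal SSDP multicast, two internet probes to
# SSDP and SNMP, one SNMP burst from a single source, and unrelated TCP.
SAMPLE_FLOWS = [
    "1700000000 UDP 10.0.5.20 49152 239.255.255.250 1900 3",
    "1700000000 UDP 203.0.113.45 40000 198.51.100.10 1900 1",
    "1700000001 UDP 203.0.113.45 40001 198.51.100.10 161 1",
    "1700000002 UDP 192.0.2.77 50000 198.51.100.10 161 120",
    "1700000002 TCP 192.0.2.77 50001 198.51.100.10 443 8",
]
# detect(SAMPLE_FLOWS) -> three exposed_service alerts followed by one udp_flood alert
```

The internal multicast SSDP flow produces no alert, which is the point of pairing the port list with a source check: the goal is to catch discovery services reachable from outside, not to flag normal LAN discovery.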
Conclusion
APT40’s UDP-focused intrusion underscores a widening threat landscape: adversaries are now targeting network edge devices and infrastructure protocols previously considered low risk. Defense contractors and critical infrastructure partners must prioritize microsegmentation, device hardening, and real-time behavioral detection to counter this evolving risk.
About COE Security
COE Security partners with organizations in financial services, healthcare, retail, manufacturing, and government to secure AI-powered systems and ensure compliance. Our offerings include:
- AI-enhanced threat detection and real-time monitoring
- Data governance aligned with GDPR, HIPAA, and PCI DSS
- Secure model validation to guard against adversarial attacks
- Customized training to embed AI security best practices
- Penetration Testing (Mobile, Web, AI, Product, IoT, Network & Cloud)
- Secure Software Development Consulting (SSDLC)
- Customized Cybersecurity Services
In response to this intrusion, COE Security helps government, logistics, defense and maritime sectors by conducting UDP services audits, behavior-based threat detection, vendor infrastructure assessments, and secure segmentation planning. We ensure even peripheral network services are hardened against invisible attack vectors.
Follow COE Security on LinkedIn for expert insight into securing critical infrastructure and mastering emerging cyber threats.