By NHI Mgmt Group Editorial TeamPublished 2025-12-19Domain: Cyber SecuritySource: SecurityScorecard

TL;DR: Recurring pressure points in supply chain cyber risk, third-party breaches, AI-enabled attacks, and the LapDogs ORB campaign used routers and IoT devices to establish persistent espionage footholds across multiple regions, according to SecurityScorecard’s Q2 2025 coverage. The lesson for security and identity teams is that exposed suppliers, unmanaged device trust, and weak credential governance now interact as one risk surface.


At a glance

What this is: This is a roundup of SecurityScorecard’s Q2 2025 coverage, centered on third-party risk, supply chain attacks, and the LapDogs ORB campaign.

Why it matters: It matters because supplier exposure, device trust, and credential governance now shape the attack surface that IAM, PAM, NHI, and security teams must control together.

👉 Read SecurityScorecard's Q2 2025 coverage of supply chain risk and LapDogs


Context

Supply chain cyber risk is no longer a narrow procurement concern. The article brings together media coverage, threat intelligence, and company commentary showing how third-party breaches, compromised internet-facing devices, and AI-enabled attacks are converging into a broader governance problem for security leaders, with identity and access controls sitting close to the center of that risk surface.

For IAM, PAM, and NHI teams, the relevant question is not whether a supplier is trusted in principle, but whether its access, credentials, and device estate are actually governed in practice. That applies to human identities, service accounts, and machine-to-machine access alike, especially where third-party access is persistent, under-instrumented, or difficult to offboard cleanly.


Key questions

Q: What breaks when third-party access is not tightly governed?

A: When third-party access is broad or persistent, one supplier compromise can become a pathway into multiple environments. The failure is usually lifecycle control, not just authentication. If teams cannot scope, monitor, and revoke supplier access cleanly, they inherit hidden trust paths that attackers can reuse for espionage, data access, or lateral movement.

Q: Why do routers and IoT devices matter in supply chain attacks?

A: Routers and IoT devices matter because attackers can turn them into distributed proxy infrastructure that hides origin, preserves persistence, and complicates attribution. These devices are often weakly managed, so compromise creates a durable operational layer rather than a single endpoint incident. That makes them valuable for covert campaigns and hard to remove quickly.

Q: How do security teams know if supplier trust has become a blind spot?

A: Supplier trust becomes a blind spot when external identities, tokens, and support channels exist without clear ownership, expiry, or revocation paths. A practical signal is repeated access from external accounts that cannot be tied to a current business purpose. Another is failing to reconcile supplier entitlements against live operational need.

Q: Which frameworks help govern third-party access and supply chain risk?

A: NIST Cybersecurity Framework 2.0, NIST SP 800-53, and MITRE ATT&CK are useful starting points for managing supplier risk, access control, and adversary behaviour. For identity-heavy supplier connections, pair them with OWASP Non-Human Identity guidance so machine credentials, tokens, and service access are governed as part of the same control set.


Technical breakdown

How ORB networks turn routers and IoT devices into persistent footholds

An ORB network is a distributed collection of compromised residential or small-office devices that attackers use as proxy infrastructure, relay points, or staging nodes. By abusing routers and IoT devices, threat actors can hide source infrastructure, evade geolocation-based blocking, and maintain operational persistence across campaigns. The value is not just access, but durable positioning that blends into normal traffic patterns and is harder to attribute than a single compromised host. In practice, this creates a long-lived infrastructure layer that sits below many detection assumptions.

Practical implication: treat unmanaged edge devices as part of the threat model and monitor for proxy-like behaviour, unusual outbound patterns, and repeated reuse of the same device class.

Why third-party access becomes a governance problem, not just a vendor problem

Third-party risk becomes difficult when external access is persistent, broad, and weakly lifecycle-managed. If supplier credentials, support channels, or integration tokens are not tightly scoped, the compromise of one partner can become a path into multiple environments. The technical issue is not simply vendor compromise, but trust transitivity: one identity boundary inherits another. That is why the same incident can show up as procurement risk, access risk, and incident response pain at once, especially when offboarding and entitlement review are inconsistent across systems.

Practical implication: map every external identity, token, and integration to an owner, expiry, and offboarding path before the next supplier review cycle.

How AI-enabled attack coverage changes defender assumptions

AI-enabled attacks matter because they compress reconnaissance, targeting, and social engineering at scale, even when the underlying intrusion primitives remain familiar. The operational change is speed and adaptability, not a completely new class of exploit. For defenders, that means controls designed for static campaigns and annual review cycles will lag when adversaries can rapidly tailor lures, infrastructure, and pretexting. The governance challenge is to align monitoring, response, and identity controls to a faster attack tempo.

Practical implication: shorten the review loop for anomalous access, supplier exceptions, and high-risk communications that target identity or credential workflows.


Threat narrative

Attacker objective: The attacker objective is to maintain persistent, low-friction espionage infrastructure that can support access, concealment, and follow-on operations across multiple regions.

  1. Entry occurs when attackers abuse routers and IoT devices to build a distributed proxy layer that masks their infrastructure and gives them durable reach into target environments.
  2. Escalation follows as that infrastructure is used to sustain espionage operations, blend into legitimate traffic, and expand access across regions and target types without relying on a single compromised host.
  3. Impact is persistent espionage footholds and broader cyber risk across supply chains, with detection and attribution slowed by the use of distributed trusted-looking infrastructure.

NHI Mgmt Group analysis

Supply chain cyber risk has become an identity and trust problem, not just a vendor assurance problem. When external infrastructure and third-party access can be reused as covert operational plumbing, the real issue is whether organisations can prove who or what is trusted at each handoff. That shifts the governance burden onto identity lifecycle control, entitlement scope, and continuous monitoring across supplier connections. Practitioners should assume supplier trust is conditional and revocable.

Persistent footholds built from routers and IoT devices expose the weakness of perimeter-era assumptions. These devices are not merely endpoints, they are often unmanaged trust edges that defenders rarely inventory with the same discipline applied to user or workload identities. That creates a blind spot where adversaries can hide for long periods while appearing ordinary at the network layer. Practitioners should bring edge devices into the same governance model used for critical access paths.

Third-party risk management fails when offboarding and expiry are treated as administrative tasks instead of security controls. The article’s coverage reinforces that compromise is amplified when supplier access is broad, durable, and poorly traced. A named concept here is trust transitivity debt: the accumulated risk created when each new supplier relationship inherits prior trust without equivalent verification. Practitioners should reduce inherited trust before it becomes inherited exposure.

AI-enabled attack coverage signals a defender workload problem as much as a threat problem. Faster content generation, targeting, and infrastructure adaptation compress the time available to validate access and investigate anomalies. That does not change the core controls, but it raises the cost of slow review and manual exception handling. Practitioners should expect more pressure on continuous verification, automated triage, and identity-linked detection.

Identity teams have to own the external-access boundary in a way many programmes still do not. Where supplier access, API connectivity, and machine-to-machine trust intersect, IAM and PAM controls become the mechanism for making third-party risk measurable. The practical conclusion is straightforward: if you cannot enumerate, scope, and revoke the access, you do not control the trust relationship.

What this signals

Trust transitivity debt: as supplier ecosystems expand, organisations accumulate inherited trust faster than they can verify it. The result is a governance gap where access paths, support channels, and machine credentials outlive the original business justification. Security programmes should treat third-party trust as a lifecycle control, not a one-time approval, and align it with the NIST Cybersecurity Framework 2.0 and OWASP Non-Human Identity Top 10.

The operational signal here is simple: if an external identity can still reach critical systems after its purpose changes, the programme is behind. Teams should expect more pressure to unify supplier onboarding, access review, and revocation in the same control plane, especially where NHI-style credentials and remote support accounts are involved. That is where identity governance becomes a supply chain control rather than a back-office process.


For practitioners

  • Inventory every external trust edge Build a single view of supplier identities, support accounts, API tokens, and device-originated access that can touch critical systems. Attach an owner, purpose, expiry, and offboarding workflow to each entry, and review exceptions separately from standard vendor approvals.
  • Reduce standing third-party access Replace persistent supplier access with task-scoped approval paths where possible, and require explicit reauthorisation for privileged actions. Focus first on remote support, production data access, and integration accounts that can traverse multiple environments.
  • Bring edge devices into risk scoring Include routers, home-office devices, and IoT assets in exposure analysis when they participate in corporate connectivity, remote access, or relay functions. Flag device classes that can be repurposed into proxy infrastructure or otherwise support concealment.
  • Tighten anomaly detection around access chains Correlate third-party logins, unusual geographies, repeated credential use, and atypical device behaviour so that hidden trust paths are visible earlier. Prioritise detections that show a supplier identity behaving like infrastructure rather than a human operator.

Key takeaways

  • Supply chain cyber risk now includes hidden trust paths created by external access, machine credentials, and compromised edge devices.
  • The LapDogs ORB coverage shows how attackers can use routers and IoT devices to build persistent espionage infrastructure that is hard to attribute and remove.
  • Practitioners should tighten third-party lifecycle controls, scope external access more narrowly, and monitor edge devices as part of the same trust model.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5, CIS Controls v8 and NIST AI RMF set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
MITRE ATT&CKTA0003 , Persistence; TA0011 , Command and Control; TA0008 , Lateral MovementThe article centers on persistent proxy infrastructure and covert access chains.
NIST CSF 2.0PR.AC-4Third-party access governance is the main control issue in this coverage.
NIST SP 800-53 Rev 5AC-6Least privilege is critical when external identities can reach sensitive environments.
CIS Controls v8CIS-5 , Account ManagementAccount lifecycle control is central to managing external access and revocation.
NIST AI RMFMANAGEAI-enabled attack coverage makes operational control and monitoring more important.

Use MANAGE to define accountability for faster detection, triage, and access validation in AI-accelerated threat scenarios.


Key terms

  • Orb Network: A distributed network of compromised routers, IoT devices, or similar infrastructure used to relay attacker traffic and obscure source origin. These networks help adversaries persist, blend in, and expand reach without relying on a single exposed server or endpoint.
  • Trust Transitivity: The risk that trust granted to one party is implicitly inherited by others through integrations, support channels, or delegated access. In practice, it means a compromise in one supplier or device class can extend into environments that were never directly breached.
  • Third-Party Access Lifecycle: The process of approving, scoping, reviewing, and revoking external identities and connectivity over time. Strong lifecycle control ensures supplier access remains tied to a current purpose, can be monitored continuously, and can be removed cleanly when the relationship changes.

What's in the full article

SecurityScorecard's full coverage covers the operational detail this post intentionally leaves for the source:

  • The linked coverage index on the LapDogs ORB report and related media mentions.
  • Executive commentary on third-party risk management and supply chain cyber risk.
  • Links to Q2 podcast appearances and company news for deeper context on the broader programme.
  • Additional coverage references on AI-enabled attacks, third-party breaches, and critical infrastructure threats.

👉 SecurityScorecard's full coverage includes the LapDogs ORB reporting, executive commentary, and Q2 media references.

Deepen your knowledge

The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, and secrets management. It helps practitioners connect identity controls to the wider security programme that governs third-party and workload access.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-12-19.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org