Edge Under Siege: How NZ Businesses Can Defend Against State-Sponsored Perimeter Attacks

Your organisation's perimeter isn't what it used to be. Firewalls, VPN concentrators, email gateways, and routers — the very devices meant to keep attackers out — are increasingly the targets themselves. A recent Trend Micro analysis paints a sobering picture: state-sponsored threat actors are systematically exploiting edge infrastructure to establish persistent footholds inside corporate networks.

For New Zealand businesses — many of which rely on a mix of cloud services, remote work VPNs, and hosted email — this isn't a distant threat. It's a present-day risk that demands attention.

What's Happening at the Edge?

Edge devices are attractive targets because they sit exposed to the internet by design, often run proprietary firmware that's hard to patch, and typically lack the endpoint detection tools deployed on laptops and servers. Attackers who compromise an edge device can:

  • Intercept traffic, credentials, and emails flowing in and out

  • Establish persistent backdoors that survive reboots

  • Pivot laterally into internal networks undetected

  • Stage supply-chain attacks against downstream partners

Groups like Volt Typhoon, APT28, and others named in the Trend Micro report have been linked to campaigns targeting SOHO routers, SSL VPNs (Fortinet, Ivanti, Cisco), and even email security appliances.

Why This Matters for New Zealand

New Zealand's CERT NZ and the NCSC have repeatedly warned about state-sponsored activity targeting local organisations — particularly those in critical infrastructure, government supply chains, primary industries, and professional services. A small Wellington law firm or an Auckland logistics provider can be a stepping-stone into a bigger target.

And because edge compromises often begin with phishing or credential theft before the device exploit, your email perimeter is frequently the first line of defence.

7 Practical Steps to Harden Your Perimeter

Here's a prioritised checklist any NZ business can work through — regardless of size.

1. Inventory Every Edge Device

You can't defend what you don't know exists. List every:

  • Firewall and VPN appliance

  • Router (including branch and home-office units)

  • Email gateway or security appliance

  • Remote access tool

  • Internet-facing server

Record firmware versions, admin accounts, and last patch dates.

2. Patch Aggressively — Especially Edge Firmware

The Trend Micro report highlights that many compromises exploit known vulnerabilities with available patches. Set a rule: critical edge-device patches within 7 days, ideally 72 hours. Subscribe to vendor advisories and CERT NZ's alert feed.

3. Kill Default and Shared Credentials

Rotate admin passwords on every edge device. Enforce MFA on admin consoles. Disable any default accounts that cannot be removed, and monitor login attempts.

4. Lock Down Your Email Perimeter with SPF, DKIM and DMARC

Email is still the #1 initial access vector. If your domain isn't properly authenticated, attackers can impersonate you to staff, customers, and suppliers — harvesting the very credentials used to access edge devices.

A baseline SPF record for a business using Microsoft 365:

yourdomain.co.nz.  IN  TXT  "v=spf1 include:spf.protection.outlook.com -all"

A starter DMARC record (monitor mode):

_dmarc.yourdomain.co.nz.  IN  TXT  "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.co.nz; fo=1"

Once you've reviewed reports and confirmed legitimate senders, tighten to enforcement:

_dmarc.yourdomain.co.nz.  IN  TXT  "v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.co.nz; adkim=s; aspf=s"

Don't forget DKIM — enable it in your email platform and publish the selector record your provider gives you.
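To see how the three records above are graded, here is a small checker added by the editor (it is not xteam's MailCheck tool, and it runs on pasted TXT strings rather than live DNS). It flags the gaps a practitioner cares about: a permissive or missing SPF "all", p=none, a missing rua= address, an fo= tag that does nothing without ruf=, and relaxed alignment on an enforcement record.

```python
"""Grade SPF and DMARC TXT records against the step-4 baseline. Added example
(not xteam's MailCheck); the records tested are constructed, not live DNS."""
def parse_spf(record):
    """Return (mechanisms, qualifier of 'all') or None if not an SPF record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    mechs, all_q = [], None
    for term in terms[1:]:
        q, name = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        if name.lower() == "all":
            all_q = q          # qualifier on 'all' decides what unknown senders get
        else:
            mechs.append(name.lower())
    return mechs, all_q

def check_spf(record):
    """Findings against the baseline; an empty list means the record is fine."""
    parsed = parse_spf(record)
    if parsed is None:
        return ["no valid SPF record: anyone can send as this domain"]
    _, all_q = parsed
    if all_q in (None, "+", "?"):
        return ["'all' missing or permissive: spoofed mail passes SPF"]
    if all_q == "~":
        return ["~all softfail only; use -all once senders are confirmed"]
    return []

def parse_dmarc(record):
    tags = {k.strip().lower(): v.strip() for k, v in
            (p.split("=", 1) for p in record.split(";") if "=" in p)}
    return tags if tags.get("v", "").upper() == "DMARC1" else None  # None: not DMARC

def check_dmarc(record):
    """Findings for the monitor -> enforcement rollout described above."""
    tags = parse_dmarc(record)
    if tags is None or "p" not in tags:
        return ["no valid DMARC record (v=DMARC1 and p= are required)"]
    policy, findings = tags["p"].lower(), []
    if policy == "none":
        findings.append("p=none monitors only; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua=: you will get no aggregate reports to review")
    if "fo" in tags and "ruf" not in tags:
        findings.append("fo= has no effect without a ruf= failure-report address")
    for tag in ("adkim", "aspf"):  # strict alignment, as in the enforcement record
        if policy == "reject" and tags.get(tag, "r").lower() != "s":
            findings.append(f"{tag}=r: the enforcement record above uses {tag}=s")
    return findings
```

Run the monitor-mode record through check_dmarc and it reports two findings (p=none and the unused fo=1); the enforcement record returns none.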

5. Segment Your Network

Assume an edge device will be compromised. Network segmentation ensures that a breached VPN concentrator can't freely reach your finance systems or domain controllers. Use VLANs, internal firewalls, and zero-trust access policies.

6. Monitor Outbound Traffic

State-sponsored actors prize stealth. They'll often blend command-and-control traffic with legitimate flows. Set up egress logging, flag unusual destinations, and watch for DNS anomalies — especially from edge devices that shouldn't be initiating outbound connections.
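The two checks this step describes, as an added example (not from the page or any vendor product): run over a constructed key=value egress log, it flags an edge device from the step-1 inventory opening an outbound connection to a host outside its allowlist, and any flow whose hostname has a long, random-looking label. All addresses, hostnames and the log format are invented for the demo.

```python
"""Flag suspicious egress from edge devices in a constructed key=value log.
Added example (not from the page or any vendor); everything below is invented."""
import math
import ipaddress
from collections import Counter

# Assumed inventory from step 1: edge device management IPs and the only
# external hosts they should ever contact (vendor update/NTP, made-up names).
EDGE_DEVICES = {"10.0.0.1": "vpn-concentrator", "10.0.0.2": "edge-firewall"}
EDGE_ALLOWED_DST = {"update.vendor.example", "ntp.vendor.example"}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

# Constructed events: src, dst, dport and the hostname the flow resolved.
SAMPLE_LOG = """\
ts=1 src=10.0.0.1 dst=198.51.100.10 dport=443 dname=update.vendor.example
ts=2 src=10.0.5.20 dst=198.51.100.22 dport=443 dname=www.example.co.nz
ts=3 src=10.0.0.2 dst=192.0.2.77 dport=443 dname=cdn-assets.example.net
ts=4 src=10.0.0.1 dst=10.0.1.5 dport=389 dname=dc01.corp.internal
ts=5 src=10.0.0.1 dst=192.0.2.9 dport=53 dname=x7q2v9zk3wpl8mdr.example.org
ts=6 src=10.0.5.21 dst=10.0.0.53 dport=53 dname=mail.example.co.nz
"""

def label_entropy(name):
    """Shannon entropy (bits/char) of the leftmost DNS label; random-looking
    labels score near log2(alphabet size), real hostnames much lower."""
    label = name.split(".")[0]
    counts, n = Counter(label), len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0

def analyse(log_text):
    """Return (ts, device, reason) alerts for the two rules in step 6."""
    alerts = []
    for line in log_text.splitlines():
        ev = dict(kv.split("=", 1) for kv in line.split())
        src, dst, name = ev["src"], ipaddress.ip_address(ev["dst"]), ev["dname"]
        # Rule 1: an edge device opened an outbound connection to a host outside
        # its allowlist. These boxes should almost never initiate traffic out.
        if src in EDGE_DEVICES and dst not in INTERNAL and name not in EDGE_ALLOWED_DST:
            alerts.append((ev["ts"], EDGE_DEVICES[src],
                           f"unexpected outbound to {name} ({dst}:{ev['dport']})"))
        # Rule 2: DGA-style hostnames (long, high-entropy label) from any source.
        if len(name.split(".")[0]) >= 12 and label_entropy(name) > 3.5:
            alerts.append((ev["ts"], EDGE_DEVICES.get(src, src),
                           f"DGA-like hostname {name}"))
    return alerts

if __name__ == "__main__":
    for ts, device, reason in analyse(SAMPLE_LOG):
        print(f"ts={ts} {device}: {reason}")
```

On the sample log this raises three alerts: the firewall's outbound flow at ts=3, and both rules for the VPN concentrator's flow at ts=5. Tune the allowlist and the entropy threshold to your own baseline before trusting it in production.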

7. Have an Incident Response Plan

Document who to call (CERT NZ on 0800 2378 69), how to isolate devices, and how to communicate with customers if an incident occurs. Test it annually.

The Email–Edge Connection

It's worth stressing why email authentication is central to perimeter defence. In most state-sponsored campaigns documented by Trend Micro and others, the kill chain begins with:

  1. Reconnaissance — attackers identify staff and suppliers

  2. Phishing — often spoofing your domain or a trusted partner's

  3. Credential theft — harvested via fake login pages

  4. Edge device login — using stolen VPN or admin credentials

  5. Exploitation and persistence — deploying implants on the device

Strong SPF, DKIM, and DMARC configurations break step 2. Without them, attackers can impersonate your domain or supplier domains with alarming ease — and no firewall patch will save you from an employee who typed their password into a convincing fake.

A Realistic Starting Point for Kiwi SMBs

If you're a small business and this feels overwhelming, start here this week:

  • Enable MFA on every email account and admin console

  • Check your SPF, DKIM and DMARC records

  • Patch your router and firewall firmware

  • Write down your 3 most critical edge devices and who's responsible for them

Perfection isn't the goal — steady improvement is. Even modest hardening dramatically raises the cost for an attacker, and most will move on to softer targets.

Check Your Email Perimeter in 30 Seconds

Not sure whether your domain's email authentication is actually protecting you? xteam's free MailCheck tool instantly analyses your SPF, DKIM, DMARC, and BIMI records and shows you exactly what to fix — no signup required.

Your edge is under siege. Make sure your email perimeter isn't the door left wide open.


Further reading: Trend Micro — Edge Under Siege and CERT NZ advisories.