RED×BLUE

Threat Playbook

Adversary vectors paired with the defensive controls that close them. Read top-to-bottom — engagements are sorted by severity. Baseline controls below apply across the surface.

Severe

Moderate

Low

Baseline

Severe · Act Now

4 engagements

SEVERER-01↔B-01Spear-phishing of named senior executives via disclosed email patternHigh confidence

Red · Adversary VectorR-01

Spear-phishing of named senior executives via disclosed email pattern

Hunter's enumeration of {f}{last}@micron.com (ev_039) is high-confidence input to spear-phishing operations against named senior staff whose roles cover CHIPS Act, HBM yield, NVIDIA interface, and NAND process. The strong baseline email-auth posture (DMARC p=reject, SPF -all) constrains direct spoofing but not lookalike-domain or vendor-pivot campaigns. Very likely top-priority vector for any actor wishing to influence either the federal-funding negotiation or the HBM yield-recovery program.

Blue · Defensive ControlB-01

Enforce MFA + email-gateway sandboxing across all senior-executive accounts; expand DMARC monitoring

Maintain DMARC p=reject with continuous monitoring of Micron-dmarc@micron.com reports; require phishing-resistant MFA (FIDO2/WebAuthn) for all VP+ accounts and all CHIPS Act / HBM / NVIDIA-interface staff. Add lookalike-domain monitoring (typosquats of micron.com, micron-com.com, etc.) since the disclosed email pattern makes targeted campaigns trivial.

SEVERER-02↔B-02Targeted influence against named CHIPS Act liaisonModerate confidence

Red · Adversary VectorR-02

Targeted influence against named CHIPS Act liaison

The CHIPS Act federal-funding negotiation runs through a single named, publicly identifiable executive. Likely a high-leverage target for state or political-actor influence operations — disinformation, kompromat, lobbying-disclosure-leverage. Not strictly a cyber vector, but the corollary of the surfaced surface.

Blue · Defensive ControlB-02

Executive-protection program for CHIPS Act liaison

Apply executive-protection processes (out-of-band verification, communications hardening, financial-document handling, social-engineering awareness training) to ent_057 Jon Dickinson and any backup liaison. Build a documented continuity plan for the federal-funding interface so single-point-of-failure influence operations do not stall multi-billion-dollar decisions.

SEVERER-03↔B-03Supply-chain pivot via 22 confirmed enterprise SaaS dependenciesModerate confidence

Red · Adversary VectorR-03

Supply-chain pivot via 22 confirmed enterprise SaaS dependencies

DNS TXT-verified SaaS surface (ev_020) is an upstream attack path. Atlassian two-tenant footprint is the most concerning given collaboration-data exposure under cross-product compromise. OneTrust governs consent/privacy posture — a foothold there is reportable-incident sensitive.

Blue · Defensive ControlB-03

Vendor risk management for the 22 confirmed SaaS dependencies

Inventory and segment all 22 DNS-confirmed SaaS tenants (ev_020). For Atlassian specifically, audit both tenants for SSO+MFA enforcement, app-marketplace privileges, and cross-tenant federation. For OneTrust and MongoDB, audit data-access scope. Subscribe to vendor incident feeds for each.

SEVERER-05↔B-05Insider-recruitment targeting NAND/HBM/DRAM process leadershipModerate confidence

Red · Adversary VectorR-05

Insider-recruitment targeting NAND/HBM/DRAM process leadership

The 2018 UMC/Jinhua case is the historical precedent (ev_093) and CXMT's expanding patent depth (ev_087) describes the structural incentive. Named TD-NAND, DTG-HBM3E, and R&D leads (ent_069, ent_060, ent_067) are visible targets. Likely an active vector.

Blue · Defensive ControlB-05

Insider-threat program focused on process-engineering technology-transfer roles

Reinforce insider-threat controls for TD NAND Process Integration, DTG Process Integration, and Semiconductor R&D. DLP on process-spec documents, mandatory exit interviews for technology-transfer-eligible roles, alerting on unusual cross-border travel for affected job families. Coordinate with FBI Strategic Partnerships and CHIPS Act compliance.

Moderate · Plan Mitigation

4 engagements

MODERATER-04↔B-04Web-security header gaps on the corporate domainModerate

RedR-04

Web-security header gaps on the corporate domain

D-grade MDN scan with 2 failing tests creates exploit surface for DOM-XSS or click-jacking. Severity moderate because the underlying applications are unknown — likely a marketing surface rather than authentication-sensitive — but the optics are particularly bad given the CAC 2023 ban (ev_094) framed Micron as a cybersecurity risk.

BlueB-04

Remediate MDN Observatory findings on micron.com

Implement Content-Security-Policy with a strict default-src, X-Content-Type-Options: nosniff, and Referrer-Policy: strict-origin-when-cross-origin on the corporate domain. Re-test until grade A. Consider DNSSEC enablement to close the delegation gap (ev_044).

MODERATER-06↔B-06Regulatory-escalation lever built on CAC 2023 framingModerate

RedR-06

Regulatory-escalation lever built on CAC 2023 framing

PRC has a working playbook for cybersecurity-risk framing of Micron; escalation is a state-actor lever. Likely particularly relevant during HBM4 contract finalization.

BlueB-06

Government-relations playbook for additional China regulatory action

Maintain pre-prepared US government-relations playbook for additional Chinese regulatory action (additional CAC findings, customs delays, partner-pressure on Samsung/SK Hynix HBM allocation). Document supply-chain alternatives and customer-communication templates.

MODERATER-08↔B-07Construction-phase vendor-onboarding surface (Bechtel Clay NY)Moderate

RedR-08

Construction-phase vendor-onboarding surface (Bechtel Clay NY)

Vendor-onboarding chaos in a ~50,000-job site mobilization creates elevated phishing and BEC risk. Likely a transitory but elevated surface during 2026-H2.

BlueB-07

Bechtel mobilization vendor-onboarding controls

Apply tight vendor-onboarding controls during Bechtel mobilization: pre-registered Bechtel staff list, formal payment-verification workflow with out-of-band confirmation, restricted procurement domains, and continuous anti-BEC monitoring through the construction ramp.

MODERATER-09↔B-08Enterprise AI vendor compromise (Anthropic/Perplexity in fab automation)Low

RedR-09

Enterprise AI vendor compromise (Anthropic/Perplexity in fab automation)

DNS-confirmed enterprise AI deployments combined with an Engineering Automation VP creates a novel surface where AI-vendor compromise propagates into fab workflows. Low confidence because we have no evidence of actual exploit feasibility; flagged because the surface is structurally novel.

BlueB-08

AI-vendor data-handling governance

Formalize data-handling governance for Anthropic Claude and Perplexity enterprise deployments — prompt/response logging, PII/process-data classification, model-vendor incident-notification SLAs, and segregation between fab-automation workflows and general-purpose AI use.

Baseline · Surface-Wide

2 controls

B-09Baseline

Tabletop exercise for HBM customer-concentration shock

Run a quarterly tabletop exercising loss-of-NVIDIA-allocation scenarios (HBM4 displacement, contract renegotiation under political pressure, NVIDIA captive-fab scenario). Closes a strategic — not technical — risk on KJ-002.

B-10Baseline

Continuous IP/patent monitoring on Chinese competitors

Subscribe to EPO/USPTO continuous monitoring on CXMT (ent_078), Fujian Jinhua (ent_079), YMTC (ent_055) and their inventors. Trigger litigation/FRAND review on any high-overlap publication.