───────────────────────────────────────────────

BORDER CYBER GROUP — DEEP DIVE
Monday, June 16, 2026
By Jonathan Brown

The JDY botnet story from this week's feed contains a question embedded in plain sight. Lumen's Black Lotus Labs reports that the China-nexus scanning infrastructure associated with Volt Typhoon is heavily targeting IP addresses registered to U.S. military and defense-affiliated networks. The reasonable reader response is: why would genuinely sensitive military systems be visible on the open internet to begin with? Aren't those networks classified? Air-gapped? Isn't the whole architecture designed to prevent exactly this?

The answer is layered, and the layers matter. What follows is an attempt to work through what RFC 1918 private address space actually is, how the U.S. and NATO manage the boundary between classified military infrastructure and the open internet, what hostile reconnaissance systems actually manage to see, and what the DoD is doing with the IP space that is deliberately exposed. The picture that emerges is more deliberate, and more operationally interesting, than the conventional framing of "scanning military networks" suggests.

WHAT RFC 1918 IS AND WHY IT EXISTS

In the early 1980s, when the architects of the internet were allocating IP addresses, the system they were building for DARPA had maybe a few thousand nodes. The 32-bit IPv4 address scheme they settled on provides approximately 4.3 billion unique addresses, which seemed effectively infinite. By the early 1990s it was already clear that was wrong. The internet had grown explosively, and at the existing rate of allocation, the entire IPv4 address space would be exhausted before the decade was out.

The solution the IETF produced in 1996 was RFC 1918 — "Address Allocation for Private Internets." The document is short and its logic is elegant. The problem is not that there are too few IP addresses in the world. The problem is that every device that communicates across the global internet requires a globally unique IP address — one that no one else is using simultaneously. But the vast majority of networked devices never actually need to communicate with the global internet directly. An HR workstation in a company's internal network needs to reach the payroll database in the same building, not a server in Tokyo. A factory floor sensor needs to report to the plant's control system, not to the open internet.

RFC 1918 formalizes this insight by reserving three blocks of IPv4 address space for private use that will never be globally routed:

10.0.0.0 to 10.255.255.255 (10.0.0.0/8) — a single Class A block of approximately 16.7 million addresses.
172.16.0.0 to 172.31.255.255 (172.16.0.0/12) — a Class B range of approximately 1 million addresses.
192.168.0.0 to 192.168.255.255 (192.168.0.0/16) — a Class C range of approximately 65,000 addresses.

Critically: these addresses have no global meaning. No one advertises routes for them in the global routing table, and border routers are configured — by convention and by explicit policy — to drop any packet whose source or destination falls in these ranges when that packet attempts to cross between networks. RFC 1918 address space cannot be reached from the open internet, and packets from RFC 1918 space cannot traverse the internet backbone. They are, structurally, invisible to the outside world.

This invisibility is the feature. An organization that assigns RFC 1918 addresses to its internal systems gets a massive private address space to work with — 10.0.0.0/8 alone gives you room for 16 million hosts — without any of those systems being directly reachable from outside. When an internal host needs to reach an external resource, it does so through Network Address Translation (NAT): a gateway device translates the private internal address to a single publicly visible IP address for the outbound connection, and back again when the response arrives. From the external internet's perspective, thousands of internal hosts all appear to originate from the same handful of public IPs.

For adversarial reconnaissance, RFC 1918 space is functionally a black box. You cannot scan it from the outside. You cannot enumerate it from the outside. You cannot determine anything about what's inside. The only way to see RFC 1918 space is to already be inside the network — or to have compromised a device that is.

This is the architecture that underlies every private corporate network, every home router, every cloud virtual network, and — at significantly greater scale and with considerably more rigorous enforcement — the internal networking architecture of military installations worldwide.

THE MILITARY NETWORK STACK

Understanding what hostile reconnaissance sees requires understanding what the U.S. military's network architecture actually looks like. The broad outlines are publicly documented in unclassified DoD policy documents, DISA publications, and congressional budget justifications.

The Department of Defense operates multiple parallel networks, physically and logically separated from each other, each carrying information at a different classification level. The three primary networks are:

NIPRNet — the Non-classified Internet Protocol Router Network — carries Controlled Unclassified Information (CUI) and sensitive but unclassified operational data. It provides controlled, monitored access to the public internet through a limited number of approved gateway points. NIPRNet is where the overwhelming bulk of DoD's day-to-day administrative, logistics, and non-operational communications run.

SIPRNet — the Secret Internet Protocol Router Network — carries information classified at the Confidential and Secret levels. It is physically and logically separated from NIPRNet, and from the public internet, by hardware-enforced boundaries. Crossing the gap between SIPRNet and NIPRNet requires a Cross Domain Solution (CDS) — a hardware-enforced, DoD-approved device that controls precisely what data can move between the two environments. SIPRNet has no direct path to the open internet.

JWICS — the Joint Worldwide Intelligence Communications System — operates at the Top Secret and Sensitive Compartmented Information (TS/SCI) level. JWICS is the network where the intelligence community's most sensitive traffic flows. Physical access controls, personnel clearances, and architectural separation are correspondingly more stringent.

All three networks are operated under the authority of the Defense Information Systems Agency (DISA) as components of the broader Defense Information Systems Network (DISN). The DISA MPLS backbone — Multi-Protocol Label Switching — carries traffic between installations and across the globe, providing the high-speed transport layer that connects military bases, combatant commands, embassy facilities, and deployed units.

MPLS is worth pausing on because it is a primary tool for traffic obfuscation at the network layer. In a conventional IP network, routing decisions are made at every hop based on the destination IP address — each router looks at the packet's destination and decides where to send it next. In an MPLS network, packets are labeled at the edge of the network with a short fixed-length tag, and all forwarding decisions inside the core are made based on that label, not on the IP header. This has a security consequence: an observer watching only the core's forwarding behavior learns label-switched paths, not the customer's addressing or topology, because the labels are meaningful only to the carrier's internal routing infrastructure. The caveat, which RFC 4381 states explicitly, is that MPLS separates traffic; it does not encrypt it. The original IP header and payload still ride inside the labeled packet, so anyone able to capture traffic on a core link can read them unless the traffic was encrypted before it entered the transport. Confidentiality therefore has to come from encryption applied ahead of the carrier, the role the COMSEC devices described below play for satellite links, with MPLS supplying separation and topology hiding underneath. Commercial service providers use this architecture for enterprise VPN services; DoD uses variants of it for secure WAN transport between installations.

The physical boundary between all of this classified and sensitive-but-unclassified infrastructure and the public internet is enforced through the NIPRNet Internet Access Points (IAPs) — a deliberately limited number of hardened gateway sites where NIPRNet traffic is permitted to cross to the open internet under strict monitoring. Traffic destined for the public internet exits through one of these IAPs. Traffic arriving from the internet enters only through the same chokepoints, where it is inspected before being permitted onto NIPRNet. SIPRNet and JWICS have no equivalent gateway — there is no approved path from those networks to the public internet at all.

For forward-deployed forces — units operating in the field rather than at fixed installations — the connectivity picture is more complex. Tactical units connect back to the DISN through Standardized Tactical Entry Points (STEP), a network of 14 SATCOM teleport facilities worldwide that provide real-time NIPR, SIPR, and voice connectivity over both military and commercial satellite links. These links use COMSEC and TRANSEC devices — communications security and transmission security hardware — to encrypt and protect traffic in transit, even when that traffic is riding over commercial satellite capacity that adversaries may be able to observe at the RF level.

What this architecture means for reconnaissance: NIPRNet itself is not the public internet. Its internal RFC 1918 address space is dark from the outside. What is visible is the public IP addresses assigned to the IAPs and to DoD's administratively registered public blocks — the addresses DoD uses for its externally accessible services: public-facing websites, email gateways, unclassified contractor portals, and similar infrastructure. SIPRNet and JWICS are not visible at all.

THE PUBLICLY VISIBLE SURFACE — AND WHAT IT ACTUALLY IS

The DoD holds a substantial allocation of publicly registered IPv4 address space. The most well-known is the 214.0.0.0/8 block — the entire 214.x.x.x range — registered to the DoD Network Information Center in ARIN records. This is a matter of public record. Anyone can run a WHOIS query against any 214.x.x.x address and receive a response indicating DoD ownership. Additional DoD blocks are similarly documented.

Here is the asymmetry that matters: the fact that an IP address block is registered to the DoD in ARIN tells you nothing meaningful about what is actually running on it, or whether anything is running on it at all. For decades, most of these registered DoD blocks were dark — the addresses existed in administrative records but were not advertised in the Border Gateway Protocol (BGP) routing tables that tell internet routers how to reach various address ranges. Dark address space is unreachable: you can scan it and get no response, because internet infrastructure does not know how to route packets to addresses that no one is advertising.
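The three states this section and the RFC 1918 section describe can be checked mechanically: private space is never routed, registered space may or may not be announced, and a router decides reachability by longest-prefix match. The example below is added here and is not code from the article; SAMPLE_RIB is a constructed routing table with private-range origin AS numbers and reflects no real announcements.

```python
"""Classify IPv4 addresses as RFC 1918 private, routed, or dark.

Added illustration, not code from the article. SAMPLE_RIB is a constructed
set of BGP announcements; the origin AS numbers are from the private range
and none of it reflects what any block actually advertises.
"""
import ipaddress
from typing import Optional

# The three blocks RFC 1918 reserves for private use; never globally routed.
RFC1918_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed routing table: announced prefix -> origin AS (private ASNs).
SAMPLE_RIB = {
    "214.10.0.0/16": 65001,    # an advertised slice of a registered block
    "214.10.128.0/17": 65002,  # a more-specific announcement inside it
    "203.0.113.0/24": 65003,   # RFC 5737 documentation prefix
}


def is_rfc1918(addr: str) -> bool:
    """True if addr falls inside one of the three private blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in block for block in RFC1918_BLOCKS)


def longest_match(addr: str, rib: dict) -> Optional[str]:
    """Return the most specific announced prefix that covers addr, or None.

    This is the longest-prefix match a router performs; an address with no
    covering prefix has no route and is 'dark' from the outside.
    """
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix in rib:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return str(best) if best is not None else None


def classify(addr: str, rib: dict = SAMPLE_RIB) -> str:
    """Map addr to 'private', 'dark', or 'routed via <prefix> (AS<n>)'."""
    if is_rfc1918(addr):
        return "private"          # unreachable from outside by construction
    match = longest_match(addr, rib)
    if match is None:
        return "dark"             # registered or not, nobody announces it
    return f"routed via {match} (AS{rib[match]})"


if __name__ == "__main__":
    # 172.32.0.1 sits just past the end of 172.16.0.0/12, a common mistake.
    for a in ["10.3.4.5", "172.32.0.1", "214.10.200.1", "214.200.1.1"]:
        print(a, "->", classify(a))
```

Note that 172.32.0.1 is not private: the 172 block covers only 172.16 through 172.31, and the more-specific /17 wins over the /16 exactly as a router would choose it.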

This changed in a notably visible way in January 2021, when a previously unknown Florida company called Global Resource Systems LLC began advertising massive swaths of DoD-registered IP space in the global BGP routing table. Starting at the moment of the Biden inauguration and expanding over three months, Global Resource Systems eventually advertised nearly 175 million DoD IP addresses — approximately 6 percent of the entire IPv4 internet. The networking community noticed immediately. The addresses had been dark for decades; now they were receiving traffic from anywhere on the internet.

The Defense Digital Service eventually acknowledged the program. Director Brett Goldstein described it as a pilot effort to "assess, evaluate and prevent unauthorized use of DoD IP address space" and "identify potential vulnerabilities." The explanation was terse and left substantial questions unanswered, including why a shell company with no apparent public web presence and no history of federal contracts had been chosen as the vehicle. What the program was clearly doing, at minimum: by advertising dark DoD address space and routing all resulting traffic to DoD-controlled servers, the Defense Digital Service was building the world's largest passive collection apparatus for internet scanning traffic. Anyone scanning the internet — vulnerability researchers, intelligence services, botnet operators, nation-state reconnaissance infrastructure — would be sending packets into a system that could log every probe and build a comprehensive picture of who was scanning what, from where, with what tools.

This is not a honeypot in the classical sense of a system configured to appear vulnerable in order to lure attackers into revealing their techniques. It is closer to a passive sensor grid: dark address space that, when lit up and pointed at DoD-controlled collection infrastructure, reveals the full scope of global internet scanning activity simply by recording every unsolicited packet that arrives. The targeting data it generated — which addresses were being probed, from which source IPs, with which scanning signatures, at which cadence — is exactly the kind of intelligence that feeds threat actor attribution and infrastructure tracking.
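To make the passive sensor idea concrete, here is an added example (not code from the article or from any DoD program) that turns a constructed sensor log of unsolicited SYNs into the per-source facts the text lists: which addresses were touched, which ports, and at what cadence. The log format and every address in it are constructed; sources use RFC 5737 documentation ranges.

```python
"""Summarise unsolicited probes recorded by a passive sensor.

Added illustration, not code from the article. SAMPLE_LOG is constructed:
the format is invented and the addresses are sample values.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: timestamp, source, destination:port, TCP flags (S = SYN).
SAMPLE_LOG = """\
2026-06-10T03:14:07Z 198.51.100.7 -> 214.10.5.66:443 S
2026-06-10T03:14:08Z 198.51.100.7 -> 214.10.5.67:443 S
2026-06-10T03:14:09Z 198.51.100.7 -> 214.10.5.68:443 S
2026-06-10T03:14:10Z 198.51.100.7 -> 214.10.5.69:443 S
2026-06-10T03:14:11Z 198.51.100.7 -> 214.10.5.70:443 S
2026-06-10T03:20:00Z 192.0.2.33 -> 214.10.9.1:22 S
2026-06-10T03:20:01Z 192.0.2.33 -> 214.10.9.1:80 S
2026-06-10T03:20:02Z 192.0.2.33 -> 214.10.9.1:443 S
2026-06-10T03:20:03Z 192.0.2.33 -> 214.10.9.1:8080 S
2026-06-10T03:20:04Z 192.0.2.33 -> 214.10.9.1:3389 S
2026-06-10T04:00:00Z 203.0.113.5 -> 214.10.9.1:443 S
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>[\d.]+):(?P<port>\d+) (?P<flags>\S+)$"
)


def parse(log: str):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
            ev["port"] = int(ev["port"])
            yield ev


def summarize(log: str) -> dict:
    """Aggregate per source: targets, ports, event count, first/last seen."""
    per_src = defaultdict(lambda: {"targets": set(), "ports": set(),
                                   "n": 0, "first": None, "last": None})
    for ev in parse(log):
        s = per_src[ev["src"]]
        s["targets"].add(ev["dst"])
        s["ports"].add(ev["port"])
        s["n"] += 1
        s["first"] = ev["ts"] if s["first"] is None else min(s["first"], ev["ts"])
        s["last"] = ev["ts"] if s["last"] is None else max(s["last"], ev["ts"])
    return per_src


def label(s: dict, min_events: int = 5) -> str:
    """Name the pattern: many hosts on one port, or many ports on one host."""
    if s["n"] < min_events:
        return "sporadic"
    if len(s["targets"]) >= min_events and len(s["ports"]) == 1:
        return "horizontal sweep"
    if len(s["targets"]) == 1 and len(s["ports"]) >= min_events:
        return "vertical scan"
    return "mixed"


def report(log: str) -> dict:
    """Per-source summary with pattern label and probe rate in events/s."""
    out = {}
    for src, s in summarize(log).items():
        span = (s["last"] - s["first"]).total_seconds()
        rate = s["n"] / span if span > 0 else float(s["n"])
        out[src] = {"label": label(s), "events": s["n"],
                    "targets": len(s["targets"]), "ports": sorted(s["ports"]),
                    "rate_per_s": round(rate, 2)}
    return out


if __name__ == "__main__":
    for src, row in report(SAMPLE_LOG).items():
        print(src, row)
```

Against dark space every line is, by definition, unsolicited, which is why a sensor of this kind needs no decoy services to be useful: the aggregation alone separates a sweep across many addresses from a port walk on one address and a lone stray packet.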

When Lumen's Black Lotus Labs reports that JDY botnet activity is concentrated on DoD-registered IP space, what they may be observing is not reconnaissance of live military systems. They may be observing a China-nexus scanning infrastructure methodically probing addresses that are either: dark (returning nothing, but logged); running monitoring infrastructure (returning controlled responses, fully logged); or hosting genuinely externally accessible DoD administrative services (the targets that would actually matter to an adversary). The intelligence community cannot confirm from the outside which is which — and that ambiguity is itself an operational feature.

WHAT HOSTILE TARGETING SYSTEMS ACTUALLY REACH

So what does a reconnaissance system like JDY actually manage to hit when it targets the DoD's publicly visible IP footprint?

The honest answer is: the administrative and logistics surface, not the operational one.

The externally accessible DoD IP space — the addresses that are actually routed, advertised, and reachable from the open internet — hosts genuinely real infrastructure. Public-facing websites (.mil domains), email gateways for unclassified DoD communications, unclassified contractor portals, recruiting systems, logistics scheduling interfaces, and the public-facing components of defense industrial base suppliers are all real targets on real addresses. Compromising some of these systems provides real value to an adversary: contractor credentials that may work elsewhere, document stores containing procurement information, supply chain data, personnel records, and unclassified operational schedules. The distinction between "unclassified" and "not sensitive" is one that adversaries understand better than the systems administrators who sometimes collapse it.

NIPRNet's external-facing infrastructure — the IAPs and the systems visible from them — is the next layer. This is more hardened than the public-facing .mil web presence, but it is still a surface that can be probed. Network-level scanning against DoD IP ranges will find open ports, identify services, fingerprint software versions, and note configurations. The value here is in mapping the administrative network's exposed edges — finding VPN gateways, authentication portals, email systems, and network management interfaces that, if compromised, provide a foothold into NIPRNet. From NIPRNet, lateral movement toward more sensitive systems becomes theoretically possible, though the Cross Domain Solutions enforcing the boundary with SIPRNet are hardware-enforced barriers, not software policies.

What hostile scanning definitively cannot reach from the open internet: SIPRNet. JWICS. The RFC 1918 interior of any military installation's local network. Forward-deployed tactical networks. Any system running exclusively on internal address space without an approved, monitored gateway connection to NIPRNet.

The threat model that actually concerns serious analysts is not that JDY scans a registered DoD IP block and achieves remote code execution on something sensitive. The threat model is the reconnaissance-to-targeting pipeline: JDY identifies which DoD-adjacent contractors, which defense industrial base suppliers, which logistics platform providers, and which unclassified administrative systems have exploitable services. Those findings feed downstream operators who execute targeted intrusions through supply chain vectors, credential theft, or spear-phishing — approaches that work against the human and software layer rather than the network perimeter. SolarWinds, the Microsoft Exchange ProxyLogon and ProxyShell campaigns, the Barracuda ESG exploitation: these are the operational templates. You don't scan your way past a hardware air gap. You find a trusted system that already has an approved connection across it and compromise that instead.

The JDY botnet's documented focus on scanning shortly after CVE disclosures makes this pipeline explicit. JDY is not trying to exploit those vulnerabilities directly against military systems. It is identifying which external systems in the defense ecosystem are running unpatched software — information that a downstream operator with more sophisticated tooling can then target specifically. Reconnaissance and exploitation are separated by time and by actor; the botnet does the mapping and passes it up.

HOW NATO ALLIES HANDLE THE SAME PROBLEM

The NATO alliance faces a structurally identical challenge, managed with broadly compatible architectural principles and significant variation in implementation quality across member nations.

NATO maintains its own classified network infrastructure — the NATO Secret Wide Area Network (NS WAN) — which operates at the NATO SECRET classification level and is physically separated from member nations' public-facing networks and from the open internet. Like SIPRNet, it has no direct public internet gateway. Communications across alliance members at the classified level travel over NS WAN. Unclassified but sensitive coordination uses NATO's unclassified network infrastructure.

The variation across NATO member states is the vulnerability. A large, well-resourced member — the United States, the United Kingdom, France, Germany — maintains defensive depth and consistent enforcement of network boundaries comparable to the U.S. DoD model. Smaller members with more constrained IT budgets and less specialized cybersecurity capacity present a softer target. An adversary attempting to find an entry point into NATO shared infrastructure does not need to defeat the strongest member's defenses. It needs to find the member whose contractor credential management, patch cadence, or network boundary enforcement is weakest.

This is precisely the pattern documented in NATO-adjacent intrusions: the 2007 Estonia attacks; the 2008 Georgia campaign; the persistent targeting of Eastern European military and government networks attributed to Russia's APT28 and Sandworm; the sustained targeting of defense industrial base suppliers in Poland, the Baltic states, and Romania. The goal is not penetrating classified NATO infrastructure directly. It is finding the path that runs through a less defended node in the alliance ecosystem.

Forward-deployed NATO forces operating in contested or near-peer environments face an additional layer of complexity. Tactical networks at forward positions have to balance two competing requirements: operational security, which demands minimal electronic signature and minimal connectivity to systems an adversary might intercept or exploit; and operational effectiveness, which demands real-time connectivity to intelligence feeds, logistics systems, fire support coordination, and command communications. Satisfying both simultaneously requires frequency-hopping SATCOM, over-the-air encryption, COMSEC-protected radio links, and deliberate traffic shaping to prevent an adversary from inferring operational activity from connection patterns even when the content is encrypted.

The adversary's approach to this problem is not primarily technical. Traffic analysis — observing when and how much encrypted traffic flows even without reading its content — can reveal operational tempo, command relationships, and unit movements. This is why serious military network operations in contested environments include not just encryption but active traffic normalization: generating consistent background traffic volumes regardless of operational activity to deny the adversary the ability to infer what is happening from the signal envelope alone.

THE HONEST LIMITS OF WHAT WE CAN SAY

This article has drawn entirely on publicly documented sources: DISA unclassified policy documents, DoD budget justifications, published network security research, the 2021 Global Resource Systems story as reported by the Washington Post, The Register, and Kentik's public analysis, Lumen's Black Lotus Labs reporting on JDY, and the published literature on MPLS and BGP security.

That sourcing constraint is worth being explicit about, because it defines exactly where the analysis has to stop.

What we know from public sources: the broad architectural separation between NIPRNet, SIPRNet, and JWICS; the existence and function of the IAPs; the use of MPLS for transport; the SATCOM and STEP infrastructure for forward-deployed connectivity; the 2021 DoD passive sensor program; the JDY botnet's targeting behavior as documented by Lumen.

What we cannot say from public sources: the specific nature of DoD's current defensive monitoring infrastructure deployed across its registered IP space; which specific addresses in the DoD's public blocks are live versus dark versus actively monitored; the actual attribution of the exploitation activity observed against DoD-adjacent targets in any specific period; the internal architecture of any classified network.

The analytical inference that is most defensible from the public record is this: when Lumen reports that JDY botnet activity concentrates heavily on U.S. military-registered IP space, they are most likely observing a combination of three things. First, scanning of genuinely accessible DoD administrative and logistics infrastructure, which provides real targeting intelligence for downstream operators. Second, scanning of deliberately exposed DoD monitoring infrastructure — the successor to the Global Resource Systems program, whatever form that now takes — which feeds real-time data on adversary scanning behavior back to DoD. Third, scanning of dark address space that returns nothing to the scanner but is logged against the scanner's infrastructure.

The question of which category any given probe falls into is exactly the question the DoD's monitoring infrastructure is designed to answer, and exactly the question hostile actors cannot answer from the outside. That ambiguity is not a failure of military network security. It is one of its more effective features.

──────────────────

Jonathan Brown | Border Cyber Group | bordercybergroup.com
Independent cybersecurity research and investigative journalism. If this work is valuable, consider supporting BCG directly.


SOURCING NOTE

All claims in this article are drawn from publicly available sources. These include: RFC 1918 (IETF, 1996); DoD Instruction 8010.01 (Department of Defense Information Network); DISA Connection Process Guide (unclassified version, public domain); DISA DISN overview and STEP documentation (publicly available procurement documents); Lumen Black Lotus Labs JDY botnet report (June 2026); Washington Post, The Register, and Kentik analysis of the Global Resource Systems/DoD IP address advertisement (April–September 2021); Defense Digital Service statement from Director Brett Goldstein (April 2021); Naval Postgraduate School honeypot thesis (Henderson and Blake, public NPS faculty repository); published literature on MPLS VPN security (RFC 4381, RFC 5920); electrospaces.net documented analysis of U.S. military network architecture based on public DoD documents. No classified information has been used or inferred.