When the Supply Chain Is the Target

The F-35 Lightning II is the most capable fighter aircraft Australia operates. It is also, deliberately, the product of international collaboration — nineteen nations contributed to its development, fifteen percent of its components are manufactured in the United Kingdom, and its global supply chain passes through ports, airports, and industrial facilities across three continents. That global footprint is a strategic asset. It is also a strategic vulnerability.

In November 2023, Danish activists launched coordinated actions against the Terma Group, a manufacturer of F-35 components. Within months, similar campaigns had spread to the United Kingdom, the United States, Australia, and across Europe. By mid-2024, a clearly organised, internationally coordinated movement was targeting the F-35 supply chain at every node it could identify — ports that handle component shipments, airports that move parts between facilities, manufacturers with contracts in the programme, and the logistics companies that connect them.

This is not a future threat scenario. It is a documented, ongoing campaign that activist organisers have explicitly described as a long-term effort to “chip away” at defence production capacity. And critically — they have done the supply chain mapping. They know which ports handle which components, which shipping companies move parts between manufacturers, which airports process outbound shipments.

Are you watching for this threat with the same systematic attention that the people planning it are applying to you?

The Anatomy of a Supply Chain Attack Campaign

Understanding how these campaigns operate is the foundation of understanding where intelligence can intervene.

The escalation pattern is consistent. Campaigns begin with lawful protest activity and, in some cases, escalate toward direct disruption of physical facilities, production, and logistics. The intelligence to distinguish these trajectories is present in open-source data throughout the process.

The Multi-Node Problem

A conventional security program for a defence industry supplier is designed around a single facility: monitor access, manage the perimeter, respond to incidents. This model is inadequate for supply chain attack threats for a specific reason: the attackers are not targeting a single facility. They are targeting the network.

The F-35 supply chain in Australia involves multiple entities — tier one suppliers with direct programme contracts, tier two suppliers providing components and materials, and logistics providers that move parts through ports, airports, and freight corridors. A campaign that has mapped this network can apply pressure at whichever nodes are currently most vulnerable, and can coordinate simultaneous actions across multiple sites to overwhelm security responses sized for single-site incidents.

This tactic is explicitly described in activist campaign communications. One organiser — speaking publicly at a national DSA meeting — explained that the goal was to “identify local targets, whether that's a port, whether that's an airport, and then organise workers around those targets,” seeding simultaneous campaigns through local and national trainings across the country.

CRIMP's monitoring does not operate site by site. When the same campaign network is discussing multiple Australian programme participants, ports, and logistics nodes simultaneously, that pattern is visible as a whole — not fragmented across separate security teams each looking at their own piece.

What CRIMP Can See

The systematic research and coordination that precede supply chain attacks leaves a rich trail in publicly accessible data. CRIMP monitors the online environments where this coordination occurs — social media platforms, campaign pages, political forums, public event records — against watchlists of your programme, your facilities, and the entities in your supply chain.

This includes early-stage signals: a campaign account beginning to post about a specific manufacturer. Mid-stage signals: logistics research appearing in activist forums referencing your ports or shipping routes. Late-stage signals: participant mobilisation and action coordination naming specific facilities and dates. Link analysis maps the connections between accounts, organisations, and their targets — so when the same activist network that previously targeted facilities in the UK and US begins researching Australian programme participants, that connection is visible as part of a mapped campaign network with a documented history of escalation.

The Intelligence Advantage

The organisations behind these campaigns openly acknowledge that their advantage lies in information. They have mapped the supply chain. They have identified the logistics nodes. They have built networks capable of simultaneous coordinated action across multiple jurisdictions. The information asymmetry they have established is the foundation of their operational effectiveness.

CRIMP addresses that asymmetry directly. An operator who can see the campaign planning, the target selection, the coordination, and the physical approach signals in real time has eliminated the information advantage that makes these campaigns effective. That visibility cannot be achieved through a conventional security posture oriented around perimeter response. It requires intelligence — continuous monitoring of the online environments where these threats are planned, correlated with the physical signals that confirm an operation is underway.

Working with Programme Security and Law Enforcement

Supply chain attacks targeting a sovereign defence programme are not ordinary security incidents. They involve entities and tactics that intersect with national security interests, and the response framework requires coordination with relevant programme security authorities.

When a credible threat to a programme participant is identified, CRIMP's reporting workflow produces a structured briefing ready for the relevant state or federal law enforcement agency. That briefing documents the campaign network, the specific threat signals, the timeline, and the link analysis connecting actors across multiple jurisdictions. A phone call reporting suspicious activity the morning of an incident is not an intelligence product. A structured briefing delivered days before the action date is. That difference determines whether law enforcement can mount a prepared response or a reactive one.

SOCI Act Obligations

Defence industry entities that are responsible entities under the SOCI Act carry Critical Infrastructure Risk Management Program (CIRMP) obligations across physical security, personnel security, supply chain, and cyber hazard domains. Coordinated campaigns targeting the physical integrity of supplier operations and logistics nodes fall squarely within the physical hazard domain. The threat to Australia's defence supply chain is not merely foreseeable — it is documented, ongoing, and publicly described by its organisers in terms that make clear they intend to continue and escalate. CRIMP's OSINT and geospatial monitoring provides both the capability and the documentation that a compliant, defensible CIRMP requires.