This is your Dragon's Code: America Under Cyber Siege podcast.

Name’s Ting. Let’s jack straight into Dragon’s Code: America Under Cyber Siege.

This week, the Chinese state-aligned crews didn’t go loud, they went deep. At Cyber Week 2025 in Tel Aviv, CISA executive assistant director Nick Anderson told listeners that Chinese operators have already pre-positioned malware across U.S. water utilities, regional power grids, telecom backbones, cloud platforms, and even identity systems, all designed to sit dormant until a Taiwan or South China Sea crisis flips the “go” switch. According to Anderson, this is no longer classic espionage; it’s battlespace prep for instant chaos in daily American life.

Check Point’s new report “Threats to the Homeland: Cyber Operations Targeting US Government and Critical Infrastructure” backs that up, showing that roughly a third of nation‑state incidents hitting U.S. critical infrastructure since 2024 involved energy entities, with Chinese-linked “strategic access actors” burrowing into industrial control systems and SCADA environments. Their tradecraft is textbook China: living off the land, abusing identity, exploiting zero‑days, and riding supply-chain and managed service providers so they can pivot from a single compromised vendor into multiple utilities at once.

On the ground, utilities are discovering suspicious traffic paths flowing through Chinese‑made solar inverters and grid electronics. The Washington Post and The Independent, citing Strider Technologies, recently highlighted that about 85 percent of surveyed U.S. utilities rely on inverters tied to Chinese state-linked firms, and Reuters reporting described “rogue communication devices” in some units that could bypass firewalls and provide remote access into grid segments. One unnamed U.S. official put it bluntly: you don’t have to take down the entire Western Interconnection to panic America; a handful of synchronized blackouts will do.

Attribution is coming from a stack of signals: shared infrastructure and tooling with known Ministry of State Security clusters, overlaps with groups like Salt Typhoon that previously compromised at least nine U.S. telecoms, and telemetry from companies such as Check Point and other major threat intel shops showing the same Chinese nexus infrastructure re-used across energy, transport, and government networks. Beijing, for the record, calls all of this “groundless smears,” but the forensics, as my fellow nerds at CrowdStrike like to say, do not care about press statements.

Defenders aren’t standing still. CISA is pushing infrastructure operators to crank up logging and telemetry across OT and cloud identity, shift to secure‑by‑design architectures, and hunt proactively for China-linked pre‑positioning tools instead of waiting for alarms. Major utilities are segmenting OT from IT, ripping and replacing the riskiest foreign‑made inverters, and pressure is building in Congress for tighter procurement rules and mandatory reporting for critical infrastructure incidents.

The lessons this week? First, China isn’t just stealing data; it’s wiring in options for coercion. Second, identity and supply chain are the new front doors. And third, if you’re running water, power, or telecom in America and you still think you’re “too small to target,” congratulations, you are exactly the quiet little node a strategic access actor wants to own.

I’m Ting, thanks for tuning in, and don’t forget to subscribe. This has been a quiet please production, for more check out quiet please dot ai.

For more http://www.quietplease.ai


Get the best deals https://amzn.to/3ODvOta

This content was created in partnership and with the help of Artificial Intelligence AI

This is your Dragon's Code: America Under Cyber Siege podcast.

Dragon’s Code is humming this week, listeners, and I’m Ting, your friendly neighborhood China-and-cyber nerd, here to walk you through how America just spent seven days under quiet, methodical digital siege.

Let’s start where it hurts: U.S. critical infrastructure. According to the Cybersecurity and Infrastructure Security Agency and the NSA, Chinese state-sponsored operators tied to groups like Warp Panda and UNC5221 have been living inside VMware vSphere and vCenter environments using a custom Go-based backdoor called BrickStorm. CISA reports they sat inside one U.S. network from April 2024 all the way to September 2025, owning vCenter, domain controllers, and an ADFS server, even exporting cryptographic keys. That’s not a smash-and-grab; that’s pre-positioning for turning off the lights when geopolitics get spicy.

The attack methodology is pure “quiet dragon.” BrickStorm blends into normal traffic using DNS-over-HTTPS, masquerades as vCenter processes, and in some samples even acts as a SOCKS proxy so they can pivot deeper. Security strategist Gabrielle Hempel at Exabeam warns that once an adversary owns your hypervisor, your EDR and SIEM go basically blind, because the attacker is above the operating system, not inside it.

Attribution isn’t just vibes and Mandarin-speaker stereotypes. The government advisory ties the implants, infrastructure, and tradecraft to known PRC state-linked clusters, and AWS Security backs this up in a separate report by noting that many of the same anonymization networks and IP ranges show up again in a different campaign: the React2Shell frenzy.

React2Shell, formally CVE-2025-55182, is a critical remote code execution flaw hitting React and Next.js stacks. Amazon’s CISO C.J. Moses says Chinese state-nexus actors were hammering it within hours of public disclosure, using AWS’s MadPot honeypots as their playground. TechRadar and GovInfoSecurity report multiple China-based teams, including Earth Lamia and Jackpot Panda, rapidly grabbing public proof-of-concept code, then chaining React2Shell with other N-days in broad, automated campaigns against finance, logistics, retail, IT providers, and universities. One unattributed China-linked cluster even spent nearly an hour manually debugging live exploitation attempts, which is the hacker equivalent of pair-programming your own zero-day party.

Meanwhile, Security Boulevard and daily cyber briefings note a spike in Chinese-origin brute-force and credential-stuffing against Palo Alto GlobalProtect VPN portals. No exotic zero-day here—just massive password-sprays and MFA fatigue attacks, then lateral movement and data theft once someone reuses “Summer2024!” on a critical gateway.

Defensively, it’s been all hands on deck. CISA and NSA pushed detailed indicators of compromise and BrickStorm signatures, urging operators to isolate management consoles, strip public IP exposure from vCenter, hunt for rogue local admins and weird scheduled tasks, and rotate federation keys. AWS rolled out Sonaris active defense, WAF managed rules, and extra perimeter controls around React2Shell, while still basically yelling: “Patch, don’t pray.” On the policy side, the new National Defense Authorization Act shovels billions into U.S. Cyber Command and broader DoD cyber operations, and orders harmonized requirements for defense contractors—because none of this works if your power grid runs on unpatched lab gear and hope.

The lessons? First, China isn’t just stealing intellectual property anymore; it’s shaping the battlespace. Critical infrastructure is the new high ground. Second, speed is the battlefield: they operationalized React2Shell within hours; most enterprises still schedule patching for “next quarter.” Third, hypervisor-layer attacks mean defenders have to monitor the control plane, not just endpoints—think vCenter...

This is your Dragon's Code: America Under Cyber Siege podcast.

Hey listeners, Ting here. Let’s jack straight into Dragon’s Code: America Under Cyber Siege.

This week’s headline act is a Chinese state‑sponsored campaign built around a malware family U.S. and Canadian agencies are calling Brickstorm. According to the joint advisory from CISA, NSA, and the Canadian Centre for Cyber Security, these operators have been quietly living inside critical infrastructure and IT providers for months, sometimes years, without tripping alarms. Reuters reporting on the advisory says one victim was compromised in April 2024 and the access was still live on September 3rd, 2025. That is nation‑state patience.

Methodology first, because that’s the fun part. The Brickstorm crews are breaking in through vulnerable virtualization stacks, especially Broadcom VMware vSphere, the software that runs fleets of virtual machines in data centers. Once they get a toe‑hold on a hypervisor, they deploy Brickstorm to harvest credentials, pivot laterally, and then sink deep hooks for persistence. Think stolen admin passwords, tampered logs, and backdoored management interfaces that let them effectively “own” every guest system on that host. A Broadcom spokesperson has already urged customers to patch aggressively and lock down vSphere management planes.

What’s getting hit? The joint advisory describes “government services and information technology entities,” but the real worry in Washington is the downstream blast radius into critical infrastructure: power grid operators whose control systems run on virtualized servers, hospitals whose electronic medical record systems share those same hypervisors, and logistics providers whose OT gateways sit one misconfigured VLAN away. Homeland Security Today’s coverage of the advisory frames it bluntly as a warning to critical infrastructure owners, not just generic IT shops.

On attribution, CISA acting director Madhu Gottumukkala says these are Chinese state‑sponsored operators embedding themselves for “long‑term access, disruption, and potential sabotage.” Analysts point to tool overlap with earlier PRC campaigns, infrastructure patterns consistent with known Chinese clusters, and the strategic targeting of platforms that underpin national‑level services. Beijing’s embassy in Washington, through spokesperson Liu Pengyu, has denied everything, insisting China does not encourage or support cyber attacks and accusing the U.S. and Canada of making “irresponsible assertions” without evidence. Classic diplomatic duel: technical indicators on one side, political denials on the other.

Defensive moves have come fast. CISA has pushed out hardening guidance for VMware vSphere, pushed sector‑wide alerts, and tied this to its broader critical infrastructure push. At the same time, the new Trump administration’s upcoming six‑pillar national cybersecurity strategy, previewed by National Cyber Director Sean Cairncross at the Aspen Cyber Summit, is leaning into “shaping adversary behavior” and “introducing costs and consequences.” That’s code for more forward‑leaning offense, tighter regulation on critical infrastructure, and a bigger emphasis on OT security where these virtualization stacks intersect with physical systems.

Industrial security experts quoted by Industrial Cyber, like Sinclair Koelemij and Judy Nadera, are warning that as Chinese operators move closer to field‑level devices in industrial control systems, attacks like Brickstorm become more than data theft—they become levers for physical sabotage. Their takeaway: visibility down to Levels 0–2, passive monitoring, and secure‑by‑design PLCs are no longer nice‑to‑have; they’re survival gear.

Lessons learned for all of you running real networks: virtualization is not a security blanket; hypervisors are crown jewels. Patch vSphere, lock admin access behind strong identity, segment...