This is your Dragon's Code: America Under Cyber Siege podcast.
Dragon's Code: America Under Cyber Siege is your go-to podcast for detailed analysis of the week's most sophisticated Chinese cyber operations targeting US infrastructure. Stay updated with expert insights into attack methodologies, affected systems, and compelling attribution evidence. Discover the defensive measures implemented and lessons learned from each incident. Featuring interviews with leading cybersecurity experts and government officials, Dragon's Code delivers essential information for anyone interested in the evolving landscape of cyber warfare and national security. Tune in regularly for in-depth discussions that keep you informed and prepared.
All content for Dragon's Code: America Under Cyber Siege is the property of Inception Point Ai and is served directly from their servers with no modification, redirects, or rehosting. The podcast is not affiliated with or endorsed by Podjoint in any way.
Brickstorm: China's VMware Hacks Aim for Grid, Hospitals & More!
Dragon's Code: America Under Cyber Siege
4 minutes
1 month ago
This is your Dragon's Code: America Under Cyber Siege podcast.
Hey listeners, Ting here. Let’s jack straight into Dragon’s Code: America Under Cyber Siege.
This week’s headline act is a Chinese state‑sponsored campaign built around a malware family U.S. and Canadian agencies are calling Brickstorm. According to the joint advisory from CISA, NSA, and the Canadian Centre for Cyber Security, these operators have been quietly living inside critical infrastructure and IT providers for months, sometimes years, without tripping alarms. Reuters reporting on the advisory says one victim was compromised in April 2024 and the access was still live on September 3rd, 2025. That is nation‑state patience.
Methodology first, because that’s the fun part. The Brickstorm crews are breaking in through vulnerable virtualization stacks, especially Broadcom VMware vSphere, the software that runs fleets of virtual machines in data centers. Once they get a toe‑hold on a hypervisor, they deploy Brickstorm to harvest credentials, pivot laterally, and then sink deep hooks for persistence. Think stolen admin passwords, tampered logs, and backdoored management interfaces that let them effectively “own” every guest system on that host. A Broadcom spokesperson has already urged customers to patch aggressively and lock down vSphere management planes.
What’s getting hit? The joint advisory describes “government services and information technology entities,” but the real worry in Washington is the downstream blast radius into critical infrastructure: power grid operators whose control systems run on virtualized servers, hospitals whose electronic medical record systems share those same hypervisors, and logistics providers whose OT gateways sit one misconfigured VLAN away. Homeland Security Today’s coverage of the advisory frames it bluntly as a warning to critical infrastructure owners, not just generic IT shops.
On attribution, CISA acting director Madhu Gottumukkala says these are Chinese state‑sponsored operators embedding themselves for “long‑term access, disruption, and potential sabotage.” Analysts point to tool overlap with earlier PRC campaigns, infrastructure patterns consistent with known Chinese clusters, and the strategic targeting of platforms that underpin national‑level services. Beijing’s embassy in Washington, through spokesperson Liu Pengyu, has denied everything, insisting China does not encourage or support cyber attacks and accusing the U.S. and Canada of making “irresponsible assertions” without evidence. Classic diplomatic duel: technical indicators on one side, political denials on the other.
Defensive moves have come fast. CISA has pushed out hardening guidance for VMware vSphere, pushed sector‑wide alerts, and tied this to its broader critical infrastructure push. At the same time, the new Trump administration’s upcoming six‑pillar national cybersecurity strategy, previewed by National Cyber Director Sean Cairncross at the Aspen Cyber Summit, is leaning into “shaping adversary behavior” and “introducing costs and consequences.” That’s code for more forward‑leaning offense, tighter regulation on critical infrastructure, and a bigger emphasis on OT security where these virtualization stacks intersect with physical systems.
Industrial security experts quoted by Industrial Cyber, like Sinclair Koelemij and Judy Nadera, are warning that as Chinese operators move closer to field‑level devices in industrial control systems, attacks like Brickstorm become more than data theft—they become levers for physical sabotage. Their takeaway: visibility down to Levels 0–2, passive monitoring, and secure‑by‑design PLCs are no longer nice‑to‑have; they’re survival gear.
Lessons learned for all of you running real networks: virtualization is not a security blanket; hypervisors are crown jewels. Patch vSphere, lock admin access behind strong identity, segment...