Dragon's Code: America Under Cyber Siege
Inception Point Ai
189 episodes
1 day ago
This is your Dragon's Code: America Under Cyber Siege podcast.

Dragon's Code: America Under Cyber Siege is your go-to podcast for detailed analysis of the week's most sophisticated Chinese cyber operations targeting US infrastructure. Stay updated with expert insights into attack methodologies, affected systems, and compelling attribution evidence. Discover the defensive measures implemented and lessons learned from each incident. Featuring interviews with leading cybersecurity experts and government officials, Dragon's Code delivers essential information for anyone interested in the evolving landscape of cyber warfare and national security. Tune in regularly for in-depth discussions that keep you informed and prepared.

For more info go to

https://www.quietplease.ai

Technology, News, Politics, Tech News
All content for Dragon's Code: America Under Cyber Siege is the property of Inception Point Ai and is served directly from their servers with no modification, redirects, or rehosting. The podcast is not affiliated with or endorsed by Podjoint in any way.
Oooh, Spicy! China's BRICKSTORM Malware Storms the VMware Castle While React Devs Scramble
Dragon's Code: America Under Cyber Siege
4 minutes
1 month ago
Name’s Ting. Buckle up, listeners, because Dragon’s Code has been busy this week.

According to CISA and Canada’s Cyber Centre, the headline act is a China‑backed malware family they’re calling BRICKSTORM, deployed by a group CrowdStrike dubs WARP PANDA, a China‑nexus adversary with serious cloud and VMware skills. BRICKSTORM isn’t smash‑and‑grab; it’s long‑term squatters’ rights. It burrows into Windows environments, VMware vCenter, and ESXi, then blends its command‑and‑control traffic in with normal network noise so your SIEM just shrugs. It quietly steals and manipulates files, even yanks cryptographic keys, and if you try to kill it, self‑monitoring routines just reinstall or restart the implant.

In one incident CISA described, the operators came in through a vulnerable web server, pivoted to the domain controller, then fanned out across other servers in classic lateral movement, harvesting keys along the way. Madhu Gottumukkala, the acting director of CISA, warned that these state‑sponsored teams are “embedding themselves to enable long‑term access, disruption, and potential sabotage,” calling cyber defense “national defense” in very plain language.

Attribution‑wise, U.S. and Canadian agencies point to infrastructure, tooling, and TTPs consistent with prior Chinese state operations, while CrowdStrike’s profile of WARP PANDA highlights advanced OPSEC and deep knowledge of cloud and virtual machine environments. Beijing, via its embassy in Canada, fired back with the usual line that the U.S. is the “true hacker empire” and that the report is political smear, but no alternative technical explanation was offered.

While BRICKSTORM lurks in data centers, another front lit up: the React2Shell vulnerability in React and Next.js. The Hacker News reports CISA rushed this bug into its Known Exploited Vulnerabilities catalog and yanked the federal patch deadline forward, signaling that exploitation was outpacing bureaucracy. Cloudflare and Wiz both saw mass scanning focused on internet‑facing Next.js and Kubernetes workloads, with state‑linked operators carving out Chinese IP ranges from their scans and leaning heavily on targets in Taiwan, Xinjiang, Japan, Vietnam, and New Zealand, plus selective hits on government and critical‑infrastructure sites. Cybersecurity Dive notes one particularly chilling target: a national authority overseeing imports and exports of uranium and nuclear fuel.

Kaspersky’s honeypots logged tens of thousands of exploit attempts in a single day, with initial recon commands like whoami followed by payloads ranging from crypto‑miners to Mirai‑style botnets. That mix of commodity malware and high‑value targets is a classic cover tactic: drown espionage traffic in a sea of noisy crimeware.

Defensively, CISA pushed updated Cybersecurity Performance Goals this week, aligning with NIST and emphasizing governance, segmentation, inventory of edge devices, and rapid incident reporting for anything that smells like BRICKSTORM. On the Hill, the newest defense authorization bill boosts resources and authorities for U.S. Cyber Command, and lawmakers like Raja Krishnamoorthi are targeting Chinese‑linked LiDAR in critical infrastructure to close yet another telemetry backdoor, warning that these sensors could become “a silent gateway into America’s infrastructure.”

Lessons learned? First, persistence is the point: assume Chinese operators are building long‑term beachheads, not one‑off heists. Second, virtualization and developer stacks like VMware and React are now front‑line critical infrastructure. Third, patch velocity and asset awareness are no longer nice‑to‑have; when CISA moves a deadline up, your change‑control board needs to move with it. And finally, supply‑chain tech from sensors to subsea cables is now part of the battlespace, not just background hardware.