This is your Red Alert: China's Daily Cyber Moves podcast.

It’s Ting, and—wow, things are sizzling in cyberspace lately! No time for a slow intro, so let’s dive headlong into China’s latest cyber moves against US targets, because, trust me, it’s not quiet out there.

The biggest signal flare right now: Ribbon Communications, the telecom backbone provider, just confirmed a major breach by nation-state hackers, heavily suspected to be China. The kicker? The attackers wormed in as early as December last year, staying tucked away in the network for nearly nine months before anyone noticed it. They grabbed corporate IT access, historic customer data, and potentially reached US government communications. That’s not small fries—Ribbon ties together global voice and data, so we’re talking critical infrastructure being exposed on multiple levels.

The team at Palo Alto Networks spotted a China-nexus threat cluster, CL SDA-1009, dropping Airstalk malware variants. If you’re not familiar, that’s malware specifically targeting VMware AirWatch and Workspace ONE mobile device management, which are popular for remote workforce setups. The Chinese actors pilfered stolen code-signing certificates and quietly exploited trusted APIs to vacuum up browser histories, screenshots, and credentials. It’s all about stealth—this operation barely tickles the regular malware sensors. Supply chain espionage at its finest, especially as the main targets are business process outsourcing providers. China’s hacking playbook here? Compromise one vendor, leapfrog into dozens of client networks.

On top of that, Chinese-linked groups are exploiting two chained vulnerabilities, CVE-2025-20362 and CVE-2025-20333, in Cisco ASA and FTD devices, giving them authentication bypass and remote code execution powers. Targets range from local government agencies in the US to financial sector organizations in Europe and Asia. They’re creating rogue admin accounts and suppressing logs, making deep persistence look easy. CISA and the FBI didn’t mince words—emergency alerts landed hard, and agencies nationwide scrambled to patch or even rip out aging ASA 5500 series hardware.

Last month was a hurricane of ransomware and new data breaches, with supply chain attacks cutting through organizations like Motility Software Solutions and F5 Networks. Notably, Chinese actor cluster UNC5221 hit F5’s BIG-IP development environment, making off with source code and crucial vulnerability information. That put even federal networks at “imminent threat” according to CISA’s emergency directive.

As for right now, the volatility reading for these threats is off the charts—expect more emergency bulletins if defensive measures lag. The required defensive actions? Log and alert on strange API calls (especially in AirWatch and Workspace ONE), force reauthentication, restrict vendor access, and patch firewalls as if your coffee break depended on it.

Escalation scenario? If these footholds in telecom and supply chain environments become operational, think mass credential theft and disruption of voice/data traffic, potentially impacting emergency services. The threat actors aren’t spiking malware—this is about deep persistence, quiet movement, and using legitimate channels like admin credentials to lurk until the big strike.

Stay frosty and don’t ignore your SOC alerts. Share intel—standardization and open info-sharing are key, just ask Jason Keirstead from LangGuard.AI, who says collective defense is the only way to make attackers double-think their tactics.

Thanks for tuning in—subscribe for more if you want to stay ahead of the next cyber storm. This has been a quiet please production, for more check out quiet please dot ai.

For more http://www.quietplease.ai


Get the best deals Back to Episodes