This is your Red Alert: China's Daily Cyber Moves podcast.
I’m Ting, and today we’re on Red Alert, tracing China’s latest cyber moves against the United States in real time.
Over the past few days, the big flashing-red story is BRICKSTORM. According to a joint advisory from CISA, the NSA, and the Canadian Centre for Cyber Security, Chinese state-sponsored operators are running a long-term espionage campaign using this BRICKSTORM backdoor to burrow into VMware vSphere and Windows environments used by government agencies, IT service providers, and critical infrastructure across North America. SmarterMSP’s December threat roundup notes that these intrusions are all about persistence: get in, stay in, and quietly watch everything.
Timeline-wise, CISA and its partners started pushing urgent alerts in early December, then doubled down as more federal networks and MSPs reported suspicious activity tied to BRICKSTORM command-and-control beacons. Dark Reading highlights that CISA is warning of “ongoing” BRICKSTORM activity, not a one-and-done incident. That means some of you listening may literally be sharing a network with these operators right now.
In parallel, China-nexus groups have pivoted hard to exploiting a high-severity flaw in React Server Components. Cybersecurity Dive reports that nearly 40% of cloud environments could be exposed, making this a dream vector for Chinese cyber units that specialize in cloud-native espionage. Think Terraform, Kubernetes, and CI/CD pipelines being quietly mapped for future leverage.
Outside US borders, but absolutely relevant to US security, Ink Dragon is on the move. The Hacker News and TechRadar Pro report that this China-aligned group has been hacking European governments and telecoms using the ShadowPad and FINALDRAFT malware, turning misconfigured IIS and SharePoint servers into relay nodes. That’s classic pre-positioning: build a global mesh of compromise that can route traffic toward US targets while hiding attribution.
On Capitol Hill, Craig Singleton’s testimony to the House Foreign Affairs Committee describes this as hybrid warfare: Chinese operators using cyber intrusions to pre-position inside networks tied to NATO, EU decision-making, ports, energy, and telecoms, all with an eye toward future crises over Taiwan or sanctions.
So what should you be doing right now? Patch aggressively: that includes Microsoft’s December update, the Fortinet auth bypass flaws in FortiOS, FortiWeb, and FortiCloud SSO, and any devices on CISA’s Known Exploited Vulnerabilities list. Lock down exposed web apps, especially SharePoint and IIS. Hunt for anomalous Microsoft 365 and VMware vSphere activity, weird draft-folder traffic patterns, and long-lived service accounts with domain-level access.
Escalation scenarios? If tensions spike—say, over Taiwan or a major sanctions package—expect these footholds to shift from quiet espionage to disruptive actions: selective outages in regional power grids, port logistics slowdowns, or tampering with emergency alert systems, just like the CodeRED emergency alert platform hack that previously forced a nationwide shutdown, reported by Cybercrime Magazine.
I’m Ting, thanks for tuning in, and don’t forget to subscribe for more deep dives into China, cyber, and everything in between. This has been a quiet please production, for more check out quiet please dot ai.
For more
http://www.quietplease.aiGet the best deals
https://amzn.to/3ODvOtaThis content was created in partnership and with the help of Artificial Intelligence AI
