This is your Cyber Sentinel: Beijing Watch podcast.
Listeners, Ting here on Cyber Sentinel: Beijing Watch, and this week in Chinese cyber activity has been a wild ride—think more Mission: Impossible than mellow Monday. Let’s dive right in, because the U.S.-China digital chessboard just saw some new pieces thrown on the floor.
First, we saw a dramatic example of insider sabotage that left a real scar on U.S. corporate infrastructure. U.S. Attorney David M. Toepfer confirmed that Davis Lu, a Chinese national and former software developer at Eaton Corporation—a powerhouse in aerospace and electrical industries—was sentenced to four years for unleashing a “kill switch” across the company’s global network. Davis’s code locked out thousands of users right when his credentials were wiped. His tricks? Infinite loops to crash servers, covert profile wiping of colleagues, and malware with names like ‘Hakai’ (yes, that’s Japanese for “destruction”). This isn’t just technical mischief; it’s a wake-up call that A) insider threats are real, and B) attribution isn’t just about who, but about privilege and intent.
Simultaneously, a more strategic cyber cold war is playing out over Nvidia and its AI chips. Under CEO Jensen Huang, Nvidia’s been dancing between U.S. export controls and massive Chinese demand. Recent U.S. crackdowns aimed to starve Chinese firms like Baidu and Alibaba of AI muscle, but the Trump administration, in a twist noir, let “H20” chips roll in again—under the condition that Nvidia and rival AMD kick 15% of China chip sales back to Uncle Sam for export licenses. Commerce Secretary Howard Lutnick couldn’t help but flex on CNBC, boasting that “we don’t sell them our best stuff…just enough to keep Chinese developers addicted.” Cue the expected backlash—Chinese cyber regulators are now pushing domestic firms to drop Nvidia’s H20, signaling an all-out push for chip self-sufficiency. The tech war goes way beyond commerce; it’s about who gets to build the next generation of AI and who’s hunting for vulnerabilities.
The tactical implication: attacks are getting sneakier and less noisy. According to CrowdStrike, the Silk Typhoon APT group—sometimes dubbed Murky Panda—has ramped up attacks on North American targets using both n-day and zero-day flaws, leveraging vulnerabilities that firms haven’t patched yet. This is paired with a new theme: stealthy persistence and data exfiltration over smash-and-grab ransomware. Meanwhile, the release of DeepSeek, a new large language model fine-tuned for Chinese semiconductors, lets Beijing leapfrog some chip limitations, fueling new AI-driven attack automation. When Apple patched CVE-2025-43300, it flagged attacks targeting high-profile individuals—a hint that both government-backed and private Chinese actors are not just phishing for credentials, but spearphishing for influence.
Industries targeted? This week alone: advanced manufacturing, pharmaceuticals, and higher ed. China’s also strengthening ransomware and DDoS botnets, with attacks disguised as “ghost student” frauds to siphon millions in student aid funds—proving that financial and information thefts are fusing.
On attribution: While direct links remain a cat-and-mouse game, Silk Typhoon’s repeated infrastructure overlaps, tool reuse, and Mandarin-language code snippets are smoking guns for any analyst paying attention. And on the international stage, with China launching a coordinated campaign to localize tech stacks, the U.S. is upping incentives for firms to tighten controls—Microsoft, for example, is now only sharing written bug details with Chinese firms, no more juicy exploits.
Strategic advice:
Segment your networks. Double down on behavioral analytics to spot privilege escalation or internal tinkering à la Davis Lu—especially after layoffs or role changes. Patch fast, patch often—those n-day flaws are a gold mine for Silk Typhoon and friends....