China's Cyber Superspies Pwned Microsoft SharePoint & Feds Panic-Patched All Weekend!

Author
Quiet. Please
Published
Fri 25 Jul 2025
Episode Link
https://www.spreaker.com/episode/china-s-cyber-superspies-pwned-microsoft-sharepoint-feds-panic-patched-all-weekend--67115882

This is your Dragon's Code: America Under Cyber Siege podcast.

Name’s Ting, cyber-wrangler by trade, disaster-preventer by necessity. Let’s decrypt the dragon’s code from the last whirlwind week of America Under Cyber Siege—because wow, the Great Wall has gone digital, and the party’s just getting started. If you were hoping for a typical script about “malware” and “password123,” buckle up. The Chinese apparatus has gone way, way bigger: think SharePoint exploits, shadowy code in critical infrastructure, and classic cloak-and-dagger in the cloud.

Start with the headline grabber—Chinese nation-state cyber operators, especially Linen Typhoon and Violet Typhoon, blitzed through Microsoft SharePoint servers again. Microsoft’s own blog called out these two for exploiting newly discovered vulnerabilities, dropping ransomware and siphoning credentials before the patch could even finish downloading. Not only did the feds notice, but so did every agency and sysadmin from the Department of Homeland Security to Health and Human Services—places you *definitely* don’t want surprises. Even the Defense Intelligence Agency had systems offline on July 22, and the National Institutes of Health took a direct hit. Good news: according to Tricia McLaughlin at CISA, there’s no sign yet of data leaks at the big dogs, but for hours, business stopped dead and alarms went off across federal networks.

Here’s the wild part—proving it was China isn’t all IP addresses and Fred from IT pointing at a map. Microsoft and Sygnia researchers tied these attack signatures to “Fire Ant,” a group known for VMware exploitation, lateral movement, and customized toolsets rivaling top-tier APTs. Forensic analysts tracked minor input errors back to Chinese-language keyboards and time patterns matching business hours in Beijing. The UK’s National Cyber Security Centre and U.S. experts, like Dragos’s Robert M. Lee, are now seeing these exact TTPs—tactics, techniques, procedures—in targeted critical infrastructure attacks.

Now the methodology: China’s groups don’t shout—they slip in via virtualization platforms, leapfrog through network segments, and live undetected beneath the radar of traditional endpoint protections. Firewalls and two-factor authentication? Those are just speed bumps if patching and segmentation aren’t ironclad. The government’s rapid response included emergency CISA alerts, Microsoft hotfixes, and round-the-clock patch deployments—not a moment too soon, considering the attackers’ next trick is dropping ransomware as a smokescreen.

But even old flaws can become this week’s catastrophe. Turns out, Microsoft’s Government Community Cloud had *years* of code serviced by engineers in China—yep, for sensitive but “non-classified” data. ProPublica’s investigation found that these “digital escorts”—U.S.-based supervisors—sometimes lacked the chops to spot sophisticated code injections. Secretary of Defense Pete Hegseth instantly banned foreign engineers from touching Pentagon cloud systems and launched a massive two-week audit to dig up any ghosts.

What do the experts say? Lee and Gen. Paul Nakasone preach: basics, basics, basics. Most intrusions succeed not through zero-days, but through sloppy patching and weak access controls—cyber hygiene is still our weakest link. Former NSA head Nakasone wants stricter compliance and deeper public-private threat sharing to “make the U.S. more toxic” to adversaries. Meanwhile, President Trump’s White House just dropped an “AI Action Plan,” orders for better incident response, and a shiny new AI-ISAC, aiming to outpace foreign attackers in the code arms race.

So what’s the lesson? Cyber defense isn’t only high-tech gadgetry; it’s relentless patching, vigilant monitoring, and—let’s be honest—a little less trusting of foreign-made “helpers” in your server room. America’s biggest digital threat isn’t just one breach; it’s a long game of shadow chess on the...