Chinese Hackers Breach Nuke Agency Thru Microsoft Bugs - Patches Cant Stop Em!

This is your Dragon's Code: America Under Cyber Siege podcast.

It’s Ting, your favorite cyber-sleuth with the lowdown on Dragon’s Code: America Under Cyber Siege! Buckle up, because this week has been a real fireworks show—a bit less Independence Day, a bit more System Independence-Napped Day… except the attackers weren’t from Will Smith’s side of the world. Let me walk you through this digital drama.

Kicking off with the big one—the Chinese government-linked hackers, yes, the same familiar crowd Microsoft calls Linen Typhoon, Violet Typhoon, and Storm-2603, have launched a sophisticated assault focused on vulnerabilities in Microsoft SharePoint. What’s sizzling isn’t just the tech mishap, it’s the target: on July 18th, these actors snuck right into the National Nuclear Security Administration. This is the very agency that keeps tabs on the U.S. nuclear stockpile—not the club you want uninvited guests crashing. Microsoft, red-faced, blamed the breach on previously unknown bugs in SharePoint. These bugs opened the door for tens of thousands of systems, particularly on-premises SharePoint servers not upgraded to Microsoft’s more secure cloud service.

Here’s where it gets spicy—attackers pulled off credential harvesting, nabbing usernames, password hashes, and what are essentially session skeleton keys. With those, they could impersonate legitimate users or hopscotch their way deeper into victim networks. Security researchers at Interesting Engineering pointed out that the attackers had already come up with creative detours even after admins applied Microsoft’s patches, deploying persistent access tactics, user impersonation, and theft of authentication keys. Translation: if patching is a game of whack-a-mole, these moles brought shovels.

Beyond SharePoint, researchers from Sygnia flagged an ongoing China-affiliated campaign named “Fire Ant” that targets virtualized infrastructure, especially on VMware’s ESXi and vCenter. These folks exploited weak points in network segmentation and hypervisor layers—often the blind spots of traditional security—then tunneled through them, planted redundant backdoors, and stuck around like houseguests who refuse to leave. Sygnia’s Yoav Mazor noted that Fire Ant’s specialty is persistence; even after being evicted, they’d sneak back in through clever manipulation of network configs.

Now you’re asking, “Hey Ting, how do we know it’s the Chinese government?” Attribution in cyberspace is always tricky, but Microsoft, Bloomberg, and U.S. authorities all agree the infrastructure, tactics, coding style, and even the timing screamed “state-sponsored.” Add in the sheer scale: over 100 organizations hit, including government agencies, energy companies, healthcare, and academic targets.

Defenses? Microsoft scrambled to release patches, and U.S. agencies rapidly moved to segment impacted systems, rotate credentials, and—here’s the headline—finally ramped up migration to hardened cloud platforms. The Cybersecurity and Infrastructure Security Agency, or CISA, stressed cross-sector sharing of threat intelligence and recommended zero-trust principles be force-fed into every IT upgrade. CrowdStrike, Fortinet, and those with AI-powered detection tools had a moment in the sun, but there’s anxiety: experts warn, “If you’re not in the cloud, you’re on the menu.” Sygnia urges organizations to boost visibility not just at endpoints but in virtualization layers, and to treat network segmentation as a dynamic, not static, defense.

Tonight’s big lesson? America’s digital gates are as strong as their oldest padlock. Unpatched legacy servers and out-of-sight hypervisors remain fat, juicy targets. Take it from me: adversaries invent new tricks faster than most orgs can deploy yesterday’s fixes. As Fire Ant and the Typhoons reminded us this week—it’s not just about keeping hackers out, it’s about seeing where they already are.

Thanks...