
China's Typhoons Breach the Pentagon: Insiders Warn of Kinetic Response

Author: Quiet. Please
Published: Fri 25 Jul 2025
Episode Link: https://www.spreaker.com/episode/china-s-typhoons-breach-the-pentagon-insiders-warn-of-kinetic-response--67115743

This is your Red Alert: China's Daily Cyber Moves podcast.

Today’s cyber threat landscape reads like a techie spy thriller starring Microsoft, VMware, and a chorus line of state-backed Chinese groups with names like Linen Typhoon, Violet Typhoon, and the ever-active Fire Ant. I’m Ting, your cyber detective, and if you think today’s episode is just about ransomware pop-ups, buckle up—this is national-security-grade hacking.

Let’s dive straight in. Kicking off this week, Microsoft rocked the InfoSec world by admitting that Chinese state actors—specifically Linen Typhoon and Violet Typhoon—breached on-premises SharePoint servers in the US, UK, and Europe. They pulled off their hit by exploiting a fresh remote code execution flaw. Microsoft was quick to confirm more than 400 targets, including US government organizations and, get this, even the nuclear weapons agency. This isn’t script kiddie stuff; the Typhoons aren’t after bitcoin—they’re on an intellectual property and espionage mission. Their specialty: exploiting vulnerabilities faster than you can say “Patch Tuesday.” Emergency alerts from CISA and the FBI stressed that every public-facing SharePoint server—especially an unpatched one—is basically an open door for these crews.

Meanwhile, out of the blue comes Fire Ant, not content with just sitting on VMware infrastructure. Sygnia researchers flagged these folks for quietly chaining exploits against virtualization environments using super-stealthy techniques. We’re talking high-end persistence, credential theft, and tunneling webshells. One move involved abusing CVE-2023-34048 on VMware’s vCenter to grab unauthenticated remote access, then surfing laterally across segmented assets undetected. Extra sizzle? Fire Ant was caught embedding themselves in load balancers, using old vulnerabilities to create tunnels and leap between isolated network segments. Some researchers tracked the group as UNC3886—a team that knows its way around both the hypervisor layer and forensic log evasion, making eradication a nightmare.

Timeline recap: Late last week, emergency vulnerabilities published by Microsoft lit up incident response teams coast to coast. By Sunday, over 400 systems had confirmed compromise. On Monday, CISA and FBI issued mandatory directives: patch SharePoint servers right now, audit for suspicious persistence, rotate all admin creds, and double-check your cloud versus on-prem deployments. Tuesday saw VMware shops erupt with alerts as Fire Ant’s playbook surfaced, with guidance to isolate any exposed vCenter and ESXi servers and scrub meticulously for unusual CLI traces or renamed system binaries. By today, Friday, the Pentagon dropped the bombshell—no more China-based engineers on sensitive Defense Department cloud systems, and a sweeping review of all contractor-supplied code, especially anything with a whiff of mainland input.

The fast-moving risk: insiders warn that this escalation could lead to kinetic-level response if classified US assets are breached at scale. Experts flagged the “swim upstream” threat—China gaining access to unclassified cloud data, then pivoting up to reach, say, defense secrets or pipeline SCADA systems. The counter-moves? Expect blanket government audits, stricter software provenance checks, and much less trust for foreign code in US critical systems.

If you’re a sysadmin, today’s to-do is clear: patch, monitor for suspicious lateral movement, and assume breach. For business leaders or government execs, it’s time to rethink the global outsourcing model for sensitive workloads. The cat-and-mouse game is live, and the stakes have never been higher.

Thanks for tuning in to my cyber dispatch. If you want more sharp takes on China, hacking, and those wild Red Alerts, don’t forget to subscribe. This has been a Quiet Please production; for more, check out quiet please dot ai.
