This is your Red Alert: China's Daily Cyber Moves podcast.
Listen up, cyber sleuths – Ting here, your favorite pixel warrior with breaking news on Red Alert: China’s Daily Cyber Moves. Forget the popcorn, you may need a fire extinguisher, because things have been burning hot since last Friday. Here’s what just dropped, and why anyone with skin in the cyber game should be scrambling.
First, picture this: around July 22, Microsoft’s SharePoint servers started lighting up like neon signs in Chongqing after midnight. Microsoft now confirms at least three big China-backed groups—Linen Typhoon, Violet Typhoon, and the aptly named Storm-2603—were hammering unpatched vulnerabilities. These exploits hit hundreds of US government sites, including the Energy Department and the National Nuclear Security Administration; think “hackers in the nuclear house.” Emergency alerts from CISA and the FBI went out over the weekend urging immediate patching, but not before attackers slipped in and likely grabbed cryptographic keys, the digital crown jewels. Palo Alto Networks says the only thing keeping these hackers at bay is prompt, full-spectrum patching. And yes, even with patches, if those keys are gone, your perimeter has more holes than a fishing net in Guangdong, so rotate those secrets—now.
Next stop, virtualization land. Fire Ant—a China-linked group identified by Sygnia—has been camping out on VMware ESXi and vCenter servers since early 2025. Here’s their power move: using stealthy “host-to-guest” attacks, they bypassed network segmentation, hopping from cloud to segmented networks like it’s a morning stroll on the Bund. Their persistence is next-level: custom Medusa rootkits for persistence, webshells for rapid access, credential harvests for lateral movement. Fire Ant’s MO closely resembles that of UNC3886, which means these actors adapt and survive removals and eradications, kind of like malware Darwinism.
Meanwhile, Scattered Spider—yes, another animal, but this one is ransomware-for-hire—is teaming up with DragonForce (run by Slippery Scorpius) and leveraging ESXi flaws for a double punch: data theft and full-on ransomware attacks in the US retail and transport sectors. Google’s Mandiant unit says their trick is social engineering: manipulating help desks and pivoting to vSphere, then extracting Active Directory databases and exfiltrating hundreds of gigs of sensitive data before encrypting everything in sight.
The critical timeline:
July 21 – Security advisories issued.
July 22-25 – Intrusions detected at US government and critical infrastructure sites.
By July 26, CISA and the FBI blanket critical sectors with alerts: “Assume breach, accelerate patching, rotate keys, isolate critical systems.”
Today, July 28, further attacks reported on unpatched ESXi, SharePoint, and F5 appliances.
Emergency actions: patch everything, check for persistent backdoors, comb through logs for suspicious exfiltration, and disconnect compromised segments.
Potential escalation? With SharePoint breaches hitting nuclear agencies and persistent access to infrastructure, we’re talking not just data theft, but the potential for catastrophic digital sabotage—power, water, and telecoms at risk.
That’s the cyber front for July 28, 2025. Ting signing off—remember, in cyberspace, you’re only as safe as your last patch. Thanks for tuning in, listeners! Don’t forget to subscribe and stay one step ahead of the next typhoon. This has been a Quiet Please production. For more, check out quiet please dot ai.
For more http://www.quietplease.ai