Dragon's Code: America Under Cyber Siege

China's Grid Hack Sleepover: Why Volt Typhoon Moved In and Won't Leave Your Power Company


This is your Dragon's Code: America Under Cyber Siege podcast.

Look, listeners, this week the cyber dragons have been exceptionally busy, and I'm not talking about the cute kind you see on scrolls. We're talking about sophisticated state-sponsored operations that would make your IT director lose sleep for weeks.

Let me break down what just hit the fan. According to Dragos, a company that literally specializes in watching critical infrastructure get attacked, Volt Typhoon and their closely related crew Voltzite have been absolutely embedding themselves into American energy networks throughout 2025. And here's the chilling part: they're not there to steal your Netflix password. They're there to take down the power grid when the order comes. Dragos CEO Robert Lee put it bluntly, saying this crew was embedded in that infrastructure for the purpose of taking it down.

The methodology is terrifyingly elegant. They compromised Sierra Wireless AirLink devices to slip into pipeline operations, then exfiltrated operational and sensor data. They got so deep into the control loop that they could potentially manipulate systems at will. Think about that for a second—they have the keys to the kingdom and they're waiting.

But Voltzite isn't working alone. A brand new group called Sylvanite acts as their initial access broker, exploiting vulnerabilities in products from F5, Ivanti, and SAP. These guys reverse engineer zero-days within 48 hours of disclosure. That's not just fast, that's practically pre-cognitive.

Now add another layer. Google's Threat Intelligence Group just exposed a Chinese group called UNC6201 that's been silently exploiting a critical Dell RecoverPoint vulnerability since mid-2024. We're talking about a CVSS 10.0 vulnerability, the worst possible score. They deployed malware called Brickstorm and then upgraded to something even nastier called Grimbolt. What makes Grimbolt particularly diabolical is it compiles directly to machine code, making it incredibly hard to detect.

The tactics are innovative too. They created what security researchers call Ghost NICs—hidden network interfaces on VMware servers—to pivot laterally through networks like ghosts. Meanwhile, they're using something called Single Packet Authorization with iptables, making their presence virtually invisible.

Then Texas Attorney General Ken Paxton announced a lawsuit against TP-Link Systems this week, alleging their networking devices have been compromised by China's state-sponsored hackers. So now we're talking about consumer routers being weaponized infrastructure.

The defensive picture is fragmented. CISA and partners are releasing indicators of compromise and YARA rules for detection, but here's the honest truth: by the time defenders see these attacks, the adversary has already moved on. The persistence is measured in years, not days.

What's the lesson? These operations aren't about money or intellectual property theft. They're about positioning, access, and waiting. It's chess at the infrastructure level.

Thanks for tuning in, listeners. Make sure to subscribe for more deep dives into how the digital world actually works. This has been a Quiet Please production. For more, check out quietplease.ai.


This content was created in partnership and with the help of Artificial Intelligence AI

Dragon's Code: America Under Cyber Siege, by Inception Point Ai