This is your Dragon's Code: America Under Cyber Siege podcast.
Name’s Ting. Let’s jack straight into Dragon’s Code: America Under Cyber Siege.
This week, the big dragon in the room is China’s state-aligned crews pushing deep into US communications and critical infrastructure. Lawmakers on Capitol Hill are still unpacking how the Salt Typhoon campaign gave Chinese intelligence years of access to major US telecom backbones like AT&T and Verizon, thanks in part to routers and ISP edge gear left with default admin passwords and unsegmented management networks. Techdirt reports that even after discovery, those carriers found Chinese operators still quietly rooted in their core for another year, living off the land in router OS shells, abusing lawful-intercept systems, and siphoning call-detail records and signaling metadata.
According to Nextgov/FCW reporting, investigators now believe that the same Salt Typhoon ecosystem—or closely related Ministry of State Security operators—pivoted from those telecom footholds into email systems used by staff on the House Foreign Affairs, Intelligence, and Armed Services Committees. Financial Times first tied Salt Typhoon to those Hill intrusions, with staff inboxes probed for legislative timelines, sanctions drafts, and classified-adjacent chatter. Attribution here leans on shared infrastructure, overlapping malware families like ShadowPad-style loaders, and TTPs that look a lot like APT10 and other China-nexus units previously linked by Recorded Future and Cisco Talos.
On the infrastructure front, Huntress Labs describes Chinese-speaking attackers abusing a compromised SonicWall VPN as the front door, then dropping a custom VMware ESXi escape toolkit likely developed as a zero‑day as far back as early 2024. Once inside, they aimed to pop the hypervisor, bypassing guest isolation so a single phished admin or vulnerable VM could cascade into full datacenter control: domain controllers, industrial control servers, you name it. CISA had to rush that ESXi bug into its Known Exploited Vulnerabilities catalog, pushing emergency patch orders to federal and critical infrastructure operators.
Cisco Talos, in turn, is tracking UAT-7290—China-linked and officially busy in South Asia and Southeastern Europe—but US telecom analysts are eyeing its playbook as a template: one-day exploits on edge appliances, target-specific SSH brute force, open-source web shells for persistence, and ORB (Operational Relay Box) nodes that can proxy traffic for other Chinese teams.
Defenders aren’t just doomscrolling. The new National Defense Authorization Act boosts US Cyber Command’s authority and funding to defend critical infrastructure, while CISA—despite painful cuts that experts like Brian Harrell and Suzanne Spaulding say left a “dangerous void”—is racing to finalize CIRCIA incident reporting rules so telecoms and cloud providers can’t quietly sit on breaches the way some did with Salt Typhoon.
Lessons learned? Patch edge devices first. Kill default creds. Segment management planes. Monitor for weird lateral movement from telecom infrastructure into legislative or cloud environments. And maybe most important: don’t let lawyers tell engineers to “stop looking” for intrusions because the press might notice.
I’m Ting, thanks for tuning in, listeners. Don’t forget to subscribe. This has been a Quiet Please production; for more, check out quiet please dot ai.
This content was created in partnership with, and with the help of, artificial intelligence (AI).