EPISODE · Jun 22, 2026 · 3 MIN
China's Cyber Crews Go Shopping: Volt Typhoon Slides Into US Power Grids While APT31 Swipes Corporate Passwords
from Digital Frontline: Daily China Cyber Intel · host Inception Point AI
This is your Digital Frontline: Daily China Cyber Intel podcast. Listeners, it’s Ting on Digital Frontline, and the China cyber crew has been busy. Across the last 24 hours, several US-focused threat intel feeds are flagging fresh activity linked to clusters long associated with the Ministry of State Security and the People’s Liberation Army, especially the groups commonly tracked as Volt Typhoon, APT31, and APT41.

Analysts at Mandiant and CrowdStrike report renewed probing of US critical infrastructure edge devices, especially VPN appliances and older firewall models in energy, telecom, and transportation networks, with scans coming from Chinese cloud providers and bulletproof hosting in Hong Kong and Shenzhen. The big theme: quiet persistence. Volt Typhoon-style operators are still leaning on living-off-the-land techniques inside power utilities and regional ISPs, using built‑in Windows tools like PowerShell and WMI rather than malware, so they blend into normal admin noise. Microsoft’s security team and CISA warn that compromised small-town telecom and managed service providers in places like Ohio and Texas are being used as staging points into larger federal and defense contractor networks.

Over in research and academia, Recorded Future and Proofpoint saw a spike in spear‑phishing targeting US universities tied to AI, quantum, and semiconductor projects. Messages pretend to be from real professors at Tsinghua University and the Chinese Academy of Sciences, inviting “collaboration” and sending booby‑trapped PDF proposals that drop custom loaders only when opened on campus networks.

On the corporate side, financial services and aerospace vendors are dealing with password‑spray attacks against Outlook and Okta logins, traced to infrastructure historically used by APT31, also called Zirconium. The goal looks like long‑term access to deal data, not smash‑and‑grab ransomware. Several incident responders are calling this “pre‑positioning for leverage” in future negotiations or sanctions fights.

Defensive advisories from CISA, the FBI, and NSA are doubling down on a few urgent steps. They stress immediate patching of edge gear from vendors like Cisco, Fortinet, and Palo Alto, enforcing phishing‑resistant multi‑factor authentication on all remote access, and hunting for odd command‑line usage, unusual account creation, and outbound connections to low‑reputation Chinese VPS providers. They also highlight the need to monitor logs from small subsidiaries and third‑party IT providers that often get ignored but are being heavily targeted.

So here’s the Ting playbook for businesses. First, lock down identity: enforce strong MFA, kill legacy mail protocols, and review every admin account this week. Second, harden the edge: patch or replace end‑of‑life VPNs and firewalls, turn on logging, and ship those logs to a SIEM that someone actually watches. Third, assume compromise and hunt: create detections for excessive PowerShell, RDP from unusual locations, and data being exfiltrated to unfamiliar Asian IP ranges at odd hours. Finally, rehearse: run a China‑style intrusion tabletop with your execs so that if Volt Typhoon or APT41 walks in the front door, your team doesn’t panic, they execute.

I’m Ting, thanks for tuning in to Digital Frontline. Make sure you subscribe so you don’t miss tomorrow’s intel. This has been a Quiet Please production; for more, check out http://www.quietplease.ai
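The "assume compromise and hunt" step above names three detections: excessive PowerShell, RDP from unusual locations, and large transfers to unfamiliar ranges at odd hours. The following is an added example, not code from the podcast or from any of the vendors it mentions, showing how those three hunts look as simple rules over endpoint and network log records. The log records, host names, user names, IP addresses, the "expected RDP source" and "known destination" ranges, and the thresholds are all constructed for the example; in practice the ranges would be your own VPN and SaaS allow-lists and the records would come from your SIEM.

```python
"""Three hunt rules over constructed Windows/Sysmon-style log records (added
example; all data, names and thresholds below are assumptions, not telemetry)."""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample records, timestamps in UTC.
EVENTS = [
    # Eight PowerShell launches on one workstation within ten minutes.
    *({"ts": f"2026-06-22T02:0{i}:00", "host": "ws-01", "type": "process",
       "image": PS_IMAGE, "user": "svc-backup"} for i in range(8)),
    # Two launches half an hour apart on another host: ordinary admin noise.
    {"ts": "2026-06-22T09:10:00", "host": "ws-02", "type": "process", "image": PS_IMAGE, "user": "jdoe"},
    {"ts": "2026-06-22T09:40:00", "host": "ws-02", "type": "process", "image": PS_IMAGE, "user": "jdoe"},
    # RDP logons (logon type 10): one from the corporate range, one from an unexpected address.
    {"ts": "2026-06-22T10:00:00", "host": "srv-01", "type": "logon", "logon_type": 10,
     "src_ip": "10.20.30.40", "user": "jdoe"},
    {"ts": "2026-06-22T03:05:00", "host": "srv-01", "type": "logon", "logon_type": 10,
     "src_ip": "203.0.113.45", "user": "svc-backup"},
    # Outbound transfers: a small daytime one to a known range, a large 03:14 one to an unknown host.
    {"ts": "2026-06-22T11:00:00", "host": "srv-01", "type": "netconn", "dst_ip": "192.0.2.10", "bytes_out": 5_000_000},
    {"ts": "2026-06-22T03:14:00", "host": "srv-01", "type": "netconn", "dst_ip": "198.51.100.77", "bytes_out": 120_000_000},
]

EXPECTED_RDP_SOURCES = [ip_network("10.0.0.0/8")]   # assumed corporate / VPN address space
KNOWN_DESTINATIONS = [ip_network("192.0.2.0/24")]  # assumed approved SaaS / partner ranges
BUSINESS_HOURS = range(7, 19)                      # 07:00 to 18:59 UTC, assumed


def _ts(ev):
    return datetime.fromisoformat(ev["ts"])


def _in_any(ip, nets):
    addr = ip_address(ip)
    return any(addr in net for net in nets)


def excessive_powershell(events, threshold=5, window_minutes=10):
    """Hosts with more than `threshold` powershell.exe launches inside any
    sliding window of `window_minutes`. Returns {host: peak count in a window}."""
    per_host = defaultdict(list)
    for ev in events:
        if ev["type"] == "process" and ev["image"].lower().endswith("powershell.exe"):
            per_host[ev["host"]].append(_ts(ev))
    hits = {}
    for host, times in per_host.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            # Advance the window start until it fits within window_minutes of t.
            while (t - times[start]).total_seconds() > window_minutes * 60:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            hits[host] = peak
    return hits


def unusual_rdp(events, expected=EXPECTED_RDP_SOURCES):
    """RDP logons (logon type 10) whose source address is outside the ranges
    RDP is expected to originate from."""
    return [ev for ev in events
            if ev["type"] == "logon" and ev.get("logon_type") == 10
            and not _in_any(ev["src_ip"], expected)]


def odd_hour_exfil(events, known=KNOWN_DESTINATIONS, min_bytes=50_000_000):
    """Outbound transfers of at least `min_bytes` to destinations outside the
    known ranges, occurring outside business hours."""
    return [ev for ev in events
            if ev["type"] == "netconn" and ev["bytes_out"] >= min_bytes
            and _ts(ev).hour not in BUSINESS_HOURS
            and not _in_any(ev["dst_ip"], known)]


def hunt(events=EVENTS):
    """Run all three rules and return (rule, detail) findings for the SIEM."""
    findings = [("excessive_powershell", f"{h}: {n} launches in 10 min")
                for h, n in excessive_powershell(events).items()]
    findings += [("unusual_rdp", f"{ev['user']} from {ev['src_ip']} on {ev['host']}")
                 for ev in unusual_rdp(events)]
    findings += [("odd_hour_exfil", f"{ev['host']} -> {ev['dst_ip']} ({ev['bytes_out']} bytes at {ev['ts']})")
                 for ev in odd_hour_exfil(events)]
    return findings


if __name__ == "__main__":
    for rule, detail in hunt():
        print(f"[{rule}] {detail}")
```

Running it prints one finding per rule: the eight-launch burst on ws-01, the RDP logon from 203.0.113.45, and the 120 MB transfer at 03:14. The two allow-lists are the important design choice: rather than trying to geolocate "Asian IP ranges" as the playbook phrases it, the rules treat anything outside the ranges you have explicitly approved as unfamiliar, which is what makes the living-off-the-land activity the episode describes stand out from normal admin noise.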