EPISODE · Feb 18, 2026 · 3 MIN
China's Cyber Spies Played Hide and Seek in Your Power Grid for 18 Months and Nobody Noticed
from Digital Frontline: Daily China Cyber Intel · host Inception Point AI
This is your Digital Frontline: Daily China Cyber Intel podcast. Hey there, I'm Ting, and welcome back to Digital Frontline. Buckle up because the past 24 hours have been absolutely wild in the China cyber space, and I've got some seriously important intel to break down for you. Let's start with the big one. Google's Threat Intelligence Group and Mandiant just dropped a bombshell about a Chinese APT group called UNC6201 that's been silently exploiting a critical Dell RecoverPoint vulnerability since mid-2024. We're talking about CVE-2026-22769, a perfect ten on the severity scale. These folks discovered hardcoded administrator credentials buried in Dell RecoverPoint for Virtual Machines that came straight from Apache Tomcat. Unauthenticated attackers could use these credentials to gain root-level access and establish persistence. The kicker? They've been doing this for at least 18 months, and Dell only just released a patch today. But here's where it gets creepier. UNC6201 deployed multiple backdoors including Brickstorm and a newer, more sophisticated malware called Grimbolt. This second-generation backdoor is written in C Sharp and compiled using native ahead-of-time techniques to evade detection. It's basically weaponized stealth. They were targeting edge appliances and VMware infrastructure, creating what researchers call ghost NICs, or fake network interface cards, to pivot silently through victim networks. Google reports that dozens of U.S. organizations have already been compromised, though the full scope remains unknown. Now, stepping back to the bigger picture, security firm Dragos released their annual threat report yesterday revealing that a Beijing-backed group tracked as Voltzite, highly correlated with the infamous Volt Typhoon, continued embedding malware inside American energy infrastructure throughout 2025. Their goal? Taking down critical utilities. They're not stealing intellectual property here, listeners. 
They're positioning themselves inside the control systems that manage industrial processes for future disruption and sabotage. Dragos also identified three new state-sponsored threat groups targeting critical infrastructure. One called Sylvanite serves as an initial access broker for Voltzite, exploiting known vulnerabilities in F5, Ivanti, and SAP products within 48 hours of disclosure. Another group, Azurite, overlaps with China's Flax Typhoon and focuses on stealing operational files from engineering workstations. These aren't random attacks. This is coordinated, sophisticated infrastructure warfare. The takeaway for your organization? Patch everything immediately, especially Dell RecoverPoint and internet-facing network devices. Monitor your OT and edge networks aggressively. Get your incident response teams ready because these groups are patient, persistent, and actively dwelling in networks longer than 400 days undetected. Thanks for tuning in to Digital Frontline. Please subscribe for tomorrow's update. This ha This content was created in partnership and with the help of Artificial Intelligence AI.
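The episode's closing advice to monitor OT and edge networks closely, together with the mention of attackers adding "ghost NICs" to pivot, points at one concrete detection: keep a baseline of every virtual NIC attached to your appliances and VMs, and alert when the inventory drifts. The script below is an added example for that check and is not code from the podcast, Google, Mandiant or Dragos. It works on constructed inventory records; feeding it from a real hypervisor export, and the choice of VMware OUIs as a heuristic for hypervisor-assigned MACs, are assumptions made here.

```python
"""Baseline diff of virtual NIC inventory to surface unexpected ("ghost") NICs.

Added example, not from the episode or the reports it cites. The inventory
records are constructed; a real deployment would populate them from the
hypervisor's inventory export (assumption).
"""

from dataclasses import dataclass

# MAC OUIs VMware assigns to virtual NICs (assumption used as a heuristic:
# a NIC that appears with a different OUI deserves a second look).
VMWARE_OUIS = {"00:50:56", "00:0c:29", "00:05:69"}


@dataclass(frozen=True)
class Nic:
    vm: str         # VM or appliance name
    mac: str        # interface MAC address
    portgroup: str  # virtual switch port group the NIC is attached to


def normalize_mac(mac: str) -> str:
    """Lower-case, colon-separated form so MACs compare reliably."""
    return mac.lower().replace("-", ":")


def oui(mac: str) -> str:
    """First three octets of a MAC (the vendor OUI)."""
    return normalize_mac(mac)[:8]


def diff_inventory(baseline, current):
    """Return (added, removed, moved) NIC lists between two snapshots."""
    base = {(n.vm, normalize_mac(n.mac)): n for n in baseline}
    cur = {(n.vm, normalize_mac(n.mac)): n for n in current}
    added = sorted((cur[k] for k in cur.keys() - base.keys()), key=lambda n: (n.vm, n.mac))
    removed = sorted((base[k] for k in base.keys() - cur.keys()), key=lambda n: (n.vm, n.mac))
    moved = sorted(
        (cur[k] for k in cur.keys() & base.keys() if cur[k].portgroup != base[k].portgroup),
        key=lambda n: (n.vm, n.mac),
    )
    return added, removed, moved


def find_ghost_nics(baseline, current):
    """List (nic, reasons) for NICs that were not in the baseline or changed port group."""
    added, _, moved = diff_inventory(baseline, current)
    findings = []
    for n in added:
        reasons = ["not in baseline"]
        if oui(n.mac) not in VMWARE_OUIS:
            reasons.append("non-VMware OUI")
        findings.append((n, reasons))
    for n in moved:
        findings.append((n, ["port group changed"]))
    return findings


# Constructed sample snapshots (hypothetical appliance names and MACs).
BASELINE = [
    Nic("recoverpoint-01", "00:50:56:aa:bb:01", "mgmt"),
    Nic("recoverpoint-01", "00:50:56:aa:bb:02", "replication"),
    Nic("vcenter-01", "00:50:56:aa:bb:10", "mgmt"),
]
CURRENT = [
    Nic("recoverpoint-01", "00:50:56:aa:bb:01", "mgmt"),
    Nic("recoverpoint-01", "00:50:56:aa:bb:02", "dmz"),          # moved port group
    Nic("recoverpoint-01", "02:42:ac:11:00:05", "mgmt"),         # new NIC, non-VMware OUI
    Nic("vcenter-01", "00:50:56:aa:bb:10", "mgmt"),
]


if __name__ == "__main__":
    for nic, reasons in find_ghost_nics(BASELINE, CURRENT):
        print(f"{nic.vm} {nic.mac} ({nic.portgroup}): {', '.join(reasons)}")
```

Run it on a schedule against the previous day's snapshot and route any finding to the team that owns the affected appliance; a NIC that nobody can account for on an edge or backup appliance is exactly the kind of drift the episode says went unnoticed for months.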