
Dragon's Code: China's Fake Certificate Shop Is Hacking America's Power Grid and Water Supply

This is your Dragon's Code: America Under Cyber Siege podcast. I’m Alexandra Reeves, and this is Dragon’s Code: America Under Cyber Siege.

Over the last few days, US networks have been wrestling with one of the most sophisticated waves of Chinese cyber operations we’ve seen outside an open crisis. According to Microsoft’s security blog, the newly exposed “Fox Tempest” malware-signing service has become a kind of underground certificate authority for espionage crews linked to the Chinese state, quietly minting trusted-looking digital signatures so malicious code slides past corporate defenses.

Here’s how the playbook worked. First, threat actors used living-off-the-land tactics: phishing against IT admins at US energy co-ops and regional water authorities, then abusing built-in tools like PowerShell and Windows Management Instrumentation so activity blended into normal admin traffic. Once in, they pulled down payloads that had been signed by Fox Tempest, giving their malware the same cryptographic “halo” as legitimate software. Security appliances saw a trusted signature and let it through.

According to Microsoft’s incident responders, several US critical infrastructure operators were hit in this campaign’s first wave: industrial control gateways in the power grid, remote access servers at a Western water utility, and a cloud management console used by a transportation logistics provider serving East and Gulf Coast ports. The goal wasn’t immediate destruction; it was persistence and positioning. They quietly mapped OT networks, scraped VPN configs, and planted backdoor services that could be activated later.

Attribution came from a mix of telemetry and tradecraft. Analysts at Microsoft and other firms noticed Fox Tempest was recycling certificate request infrastructure previously tied to Chinese groups that US Cyber Command labels as Volt Typhoon affiliates. Command-and-control domains pointed back to infrastructure historically used against Guam telecom and US maritime targets. Even the schedule of operations matched Beijing business hours, with coordinated bursts of activity around 2 p.m. Beijing time.

In response, defenders moved fast. Microsoft pushed revocation of the abused certificates and updated Defender rules; organizations that had Microsoft’s recommended blocking policies in place were able to stop hands-on-keyboard activity before attackers could pivot deeply into OT. CISA issued an advisory to US critical infrastructure operators, urging immediate review of code-signing trust stores, segmentation between IT and OT, and deployment of behavioral analytics rather than relying solely on signatures.

At RSA Conference, several experts told listeners that this week proved two hard truths. First, China is investing in industrial-scale stealth, not smash-and-grab: they want durable access to American infrastructure they can flip like a switch. Second, trust itself is now an attack surface. As one DHS official put it, “If your defense strategy begins and ends with ‘Is it signed?’ you’ve already lost.”

The lessons learned are blunt. Assume your certificates can be forged, your admin tools can be turned against you, and your quietest logs may hold the loudest warnings. Build verification layers, hunt continuously, and treat every critical system as if an adversary is already inside.

Thanks for tuning in, and make sure you subscribe so you don’t miss the next briefing. This has been a quiet please production, for more check out quiet please dot ai. For more http://www.quietplease.ai
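As an added example (not from the podcast, Microsoft or CISA), here is a PowerShell audit in the spirit of the “is it signed?” warning above: a valid Authenticode signature is treated as only the first of several checks on recently written binaries. The publisher allowlist, the revoked-thumbprint list and the scanned paths are placeholders to replace with your own.

```powershell
# Added example: audit recently written executables so that a valid signature
# is never the only check. Allowlist, revoked list and paths are placeholders.
param(
    [string[]]$Paths = @("$env:ProgramData", "$env:TEMP"),
    [int]$NewerThanDays = 7
)

# Placeholder allowlist: publisher subjects you have explicitly decided to trust.
$TrustedPublishers = @(
    'CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US'
)
# Placeholder: thumbprints your vendor, CA or advisory feed has marked revoked/abused.
$RevokedThumbprints = @('PLACEHOLDER-REVOKED-THUMBPRINT')

$cutoff = (Get-Date).AddDays(-$NewerThanDays)
$results = foreach ($p in $Paths) {
    Get-ChildItem -Path $p -Recurse -Include *.exe,*.dll,*.ps1 -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $cutoff } |
        ForEach-Object {
            $sig   = Get-AuthenticodeSignature -FilePath $_.FullName
            $cert  = $sig.SignerCertificate
            $flags = @()
            # Check 1: does the signature chain and verify at all?
            if ($sig.Status -ne 'Valid') { $flags += "status=$($sig.Status)" }
            if ($cert) {
                # Check 2: signed, but by a publisher we never decided to trust.
                if ($TrustedPublishers -notcontains $cert.Subject) { $flags += 'publisher-not-allowlisted' }
                # Check 3: signed by a certificate already known to be revoked or abused.
                if ($RevokedThumbprints -contains $cert.Thumbprint) { $flags += 'thumbprint-revoked' }
                # Check 4: a freshly issued certificate on a freshly written binary is worth a look.
                if ($cert.NotBefore -ge $cutoff) { $flags += 'cert-issued-recently' }
            } else {
                $flags += 'unsigned'
            }
            [pscustomobject]@{
                Path       = $_.FullName
                Status     = $sig.Status
                Publisher  = if ($cert) { $cert.Subject } else { '' }
                Thumbprint = if ($cert) { $cert.Thumbprint } else { '' }
                Flags      = ($flags -join ',')
            }
        }
}
# Report only binaries that fail at least one check beyond "it is signed".
$results | Where-Object { $_.Flags } | Sort-Object Path | Format-Table -AutoSize
```

Run it from an elevated session on a host you administer; anything flagged is a hunting lead to correlate with PowerShell and WMI activity in your logs, not an automatic verdict.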