CyberWire Daily: “China’s cyberstorm goes global.”
Date: September 4, 2025
Host: Dave Bittner, N2K Networks
Guest: Rick Kahn, Global Director of Cybersecurity Services, Rockwell Automation
Episode Overview
This episode centers on a series of escalating global cyber threats, with a specific focus on China’s “Salt Typhoon” operation, and new tactics from advanced actors worldwide. The show also covers updates on major cyber campaigns, significant vulnerabilities, and closes with expert insight into the critical challenges facing OT/IT cybersecurity convergence in the water and wastewater sector.
Major News & Analysis Highlights
1. China’s Salt Typhoon: The New Face of State-Backed Campaigns
[02:30 - 05:00]
- Scope & Sophistication:
The New York Times reports that the "Salt Typhoon" campaign is the most ambitious Chinese cyber operation to date. Investigators discovered the state-backed operation had infiltrated telecom and other sectors across over 80 countries—potentially impacting nearly every American.
- Shift in Tactics:
Unlike previous attacks that singled out specific targets, Salt Typhoon is broad and indiscriminate, “sweeping up vast amounts of data that could let Chinese intelligence track politicians, spies, and activists worldwide.”
- Global Response:
Western allies, including the US, UK, Germany, and Japan, issued a rare joint statement condemning the attack, calling it "unrestrained."
- Quote:
“Experts say the campaign reflects China's growing cybersophistication, shifting from theft of trade secrets to deep, long-term infiltration of global communication networks to gain strategic advantage.” (Host, 04:15)
2. Major Google Outage in Southeastern Europe
[05:10 - 06:00]
- Google services (YouTube, Maps, Search, Gmail, and Drive) suffered failures across Bulgaria, Turkey, and Greece.
- The root cause appears to be on Google’s end—not local connections—with widespread user disruption.
- Error messages referenced 5xx server errors.
3. Critical FreePBX Zero-Day Patch Issued
[06:05 - 07:00]
- Sangoma responded to active exploitation of a CVSS 10 flaw allowing database manipulation and remote code execution in FreePBX.
- Patch and firewall protections are urgently advised.
- CISA adds the flaw to its Known Exploited Vulnerabilities list, with deadlines for federal agencies.
4. Jaguar Land Rover Breach Claimed by Youth Cyber Gang
[07:10 - 08:00]
- “Scattered Lapsus Hunters” claim responsibility for a cyberattack that halted production, sharing internal screenshots.
- The group has previous ties to UK retailer breaches and is reportedly attempting extortion.
- Company response: IT system shutdowns for containment; ICO is assessing the incident.
5. Xworm Backdoor Campaign Evolves
[08:05 - 09:00]
- Tactic Shift:
Xworm is now using multi-stage infection chains and deceptive file disguises to evade detection.
- Capabilities include firewall disabling, data theft, DDoS, and persistence mechanisms.
- Uses a combination of Rijndael encryption and base64 to hide C2 traffic.
- Adopted anti-analysis techniques: sandbox checks, mutex creation.
- Quote:
“Security experts warn its growing sophistication and prevalence highlight the urgent need for layered defenses and proactive detection strategies.” (Host, 08:50)
6. Ghost Redirector: A New China-Aligned Threat Actor
[09:05 - 10:10]
- ESET research identifies Ghost Redirector, active since Dec. 2024, compromising at least 65 Windows servers (mainly Brazil, Thailand, Vietnam).
- Toolset: Rungan backdoor, Gamshen IIS module for SEO fraud—alters content only for Googlebot.
- Entry through SQL injection and public exploits, then uses PowerShell for further access.
- Affects multiple sectors: healthcare, education, insurance, transport, retail.
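A defender-side check for the Googlebot-only content swapping described above, added here as an illustration and not part of the episode or of ESET's research: the same URL is fetched with a browser User-Agent and a Googlebot-style one, and any difference is flagged along with the words that only the crawler sees. The User-Agent strings, the URL and the simulated server (`fake_fetch`) are constructed stand-ins.

```python
import hashlib
import re
from typing import Callable, Dict

# Constructed User-Agent strings: an ordinary browser and a Googlebot-style crawler.
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/128.0"
CRAWLER_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

def visible_text(body: str) -> str:
    """Strip tags and collapse whitespace so only reader-visible words remain."""
    return " ".join(re.sub(r"<[^>]+>", " ", body).split())

def detect_cloaking(fetch: Callable[[str, str], str], url: str) -> Dict[str, object]:
    """Fetch one URL as a browser and as a crawler and report whether the server
    returned different content, the hallmark of SEO-fraud cloaking."""
    browser_body = fetch(url, BROWSER_UA)
    crawler_body = fetch(url, CRAWLER_UA)
    digests = {
        "browser": hashlib.sha256(browser_body.encode()).hexdigest(),
        "crawler": hashlib.sha256(crawler_body.encode()).hexdigest(),
    }
    # Words that appear only in the crawler-facing copy are the injected payload.
    injected = sorted(set(visible_text(crawler_body).split())
                      - set(visible_text(browser_body).split()))
    return {
        "url": url,
        "cloaked": digests["browser"] != digests["crawler"],
        "digests": digests,
        "injected_terms": injected,
    }

# Constructed stand-in for an HTTP client (a real one would be, for example,
# requests.get(url, headers={"User-Agent": ua}).text). It simulates a server whose
# IIS module appends keyword spam only when the request looks like Googlebot.
def fake_fetch(url: str, user_agent: str) -> str:
    page = "<html><body><h1>Clinic schedule</h1><p>Opening hours 8-17.</p></body></html>"
    if "Googlebot" in user_agent and url.endswith("/index.html"):
        page = page.replace("</body>", "<div>cheap casino bonus</div></body>")
    return page

if __name__ == "__main__":
    for path in ("index.html", "about.html"):
        print(detect_cloaking(fake_fetch, f"https://example.invalid/{path}"))
```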
7. TP-Link Router Vulnerabilities Exploited
[10:15 - 11:00]
- Two flaws—authentication bypass, command injection—affect multiple models, including end-of-life (EOL) ones; linked to activity from the Quad7 botnet (China-linked Storm-0940).
- Federal agencies must remediate by September 24.
8. US Bounty on Russian FSB Hackers
[11:05 - 12:00]
- State Dept. offers up to $10M for info leading to three Russian FSB officers’ arrest (Berserk Bear, Dragonfly).
- Involved in global targeting of critical infrastructure (Nuclear Reg. Commission, Wolf Creek Nuclear, etc.).
- FBI calls for tips; reflects ongoing threat from Russian APTs.
9. Editorial: ODNI Cuts Threaten US Cyber Defense
[12:05 - 13:00]
- Authors warn about “crippling” effects of 40% staffing cuts and the shutdown of key units at the ODNI (e.g., CTIIC).
- Quote:
“The authors argue these cuts will fragment intelligence sharing and leave the nation vulnerable, calling for continued support…” (Host, 12:55)
Special Interview: Rick Kahn, Rockwell Automation – OT/IT Convergence & Critical Infrastructure
[14:13 - 24:09]
Key Topics and Insights
1. Unique Challenges in Water/Wastewater Sector
[14:13]
Rick Kahn:
- Smaller municipalities lack the budget/staff for both IT and OT specialties.
- OT environments “look and feel like IT, but they’re not”—fragility, legacy systems, embedded non-traditional equipment abound.
- “The magic comes from… blending those two skill sets to solve problems.” ([14:58])
2. Data Context Is Key
[15:28]
Rick Kahn:
- Asset lists aren’t enough—contextual data is vital (“I need to know what that asset’s particular function in this facility is…”).
- Risk must be understood on both IT and OT terms for informed decision-making.
- “You can’t just go with IT planning—patch everything Tuesday. The real world is more nuanced.” ([16:20])
3. Who Should Bridge IT & OT?
[17:11]
Rick Kahn:
- No universal answer; sometimes board-driven, sometimes organically OT- or IT-led.
- Legacy “firewall and forget” attitudes are no longer acceptable to boards/insurance.
- Quote: “Operations are always king… we had to step back and let the parents have their battle royale…” ([17:53])
4. Modern Facility vs. Decades-Old Legacy Systems
[18:54 - 21:35]
Rick Kahn:
- Legacy (“brownfield”) systems require deep contextual understanding for security layering (e.g., digital twin, HMI redundancy, microsegmentation).
- New (“greenfield”) builds often neglect to write security requirements into specs—still seen as optional add-ons.
- Adoption improving, but “only about half the room puts their hand up” when asked if they include cybersecurity in procurement requirements. ([21:26])
5. Best Practices with Limited Resources
[21:35 - 24:09]
Rick Kahn:
- Always approach challenges as part of a phased program, not quick fixes (“Any step you make today… needs to be in support of what your ultimate goal is.” [22:30])
- Build contextualized inventories to support both technical and business cases for funding.
- Recognize that “nobody goes to zero risk”—the task is determining “how much do I have and how far do I need to go… That context helps you decide where to spend the day.”
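A worked illustration of the context-driven prioritization Kahn describes, added here as an example rather than anything from the interview or from Rockwell Automation: a contextualized inventory weights each finding by the asset's function, safety impact, exposure and patchability, so the resulting order differs from a CVSS-only "patch everything Tuesday" list. All asset names, scores and weights are constructed.

```python
from dataclasses import dataclass
from typing import List, Tuple

@dataclass
class Asset:
    name: str
    function: str            # what the asset does in this facility: the context
    safety_impact: int       # 1-5: consequence to people or process if it misbehaves
    exposure: int            # 1-5: 1 = isolated OT cell, 5 = reachable from IT/internet
    patchable: bool          # vendor support exists and an outage window can be taken
    maintenance_window: str

@dataclass
class Finding:
    asset: str
    cvss: float
    exploited_in_wild: bool  # e.g. the flaw is on CISA's KEV list

def score(asset: Asset, finding: Finding) -> float:
    """Weight CVSS by exposure and safety impact; result lies in a 0-15 range."""
    kev_weight = 1.5 if finding.exploited_in_wild else 1.0
    return round(finding.cvss * kev_weight * asset.exposure * asset.safety_impact / 25, 2)

def recommend(asset: Asset) -> str:
    if asset.patchable:
        return f"patch during {asset.maintenance_window}"
    # Legacy gear that cannot be patched gets compensating controls instead.
    return "cannot patch: microsegment, restrict access paths, monitor"

def prioritize(assets: List[Asset], findings: List[Finding]) -> List[Tuple[str, float, str]]:
    """Return (asset, contextual score, action) rows, most urgent first."""
    by_name = {a.name: a for a in assets}
    ranked = [(f.asset, score(by_name[f.asset], f), recommend(by_name[f.asset])) for f in findings]
    return sorted(ranked, key=lambda row: row[1], reverse=True)

# Constructed sample inventory for a small water utility (names and values invented).
SAMPLE_ASSETS = [
    Asset("HMI_1", "operator HMI, dual-homed to plant IT", 3, 5, True, "first Tuesday window"),
    Asset("PLC_7", "chlorine dosing controller, isolated cell", 5, 1, False, "annual shutdown"),
]
SAMPLE_FINDINGS = [
    Finding("HMI_1", 7.5, True),   # lower CVSS, but exposed and actively exploited
    Finding("PLC_7", 9.8, False),  # critical CVSS, but isolated and unpatchable
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_ASSETS, SAMPLE_FINDINGS):
        print(row)
```

The exposed, actively exploited HMI outranks the isolated PLC despite the PLC's higher CVSS, and the unpatchable PLC gets a compensating control rather than a patch date.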
Notable Quotes
- “Experts say the campaign reflects China's growing cybersophistication, shifting from theft of trade secrets to deep, long-term infiltration of global communication networks to gain strategic advantage.” (Host, 04:15)
- “You start to have a way more informed and more intelligent discussion and can come up with reasonable paths forward…” (Rick Kahn, 16:35)
- “Operations are always king… we had to step back and let the parents have their battle royale…” (Rick Kahn, 17:53)
- “Nobody goes to zero risk in an operational environment. The challenge is how much do I have and how far do I need to go and how much will that cost me?” (Rick Kahn, 23:50)
Closing Segment: Gmail Breach Rumor Debunked
[25:27 - End]
- Recent viral reports claimed “catastrophic” Gmail breach; Google refuted the rumors in a blog post, affirming:
- Gmail was not hacked.
- No widespread password reset was issued.
- Google blocks over 99.9% of phishing/malware.
- Reminder: “It would do us all well to pause, take a breath, and do some fact checking.” (Host, 25:55)
Summary Table of Timestamps
| Topic | Segment Start |
|---------------------------------------------|--------------|
| Salt Typhoon/China’s Global Campaign | 02:30 |
| Google Outage in Europe | 05:10 |
| FreePBX Zero-Day | 06:05 |
| Jaguar Land Rover Breach | 07:10 |
| Xworm Malware Evolves | 08:05 |
| Ghost Redirector China-linked APT | 09:05 |
| TP-Link Router Vulnerabilities | 10:15 |
| Russian FSB Bounty | 11:05 |
| Editorial: ODNI Cuts | 12:05 |
| Interview: Rick Kahn / OT-IT in Water/Waste | 14:13 |
| Gmail Breach Debunked | 25:27 |
Tone
The tone throughout is authoritative, explanatory, and measured—offering both urgency and practical advice, with a conversational touch especially in the interview segment.
Recommendations for Listeners
- Stay vigilant as threat actors increase scope and sophistication.
- Security for critical infrastructure requires cross-disciplinary, context-rich strategies.
- Fact-check cyber breach news before reacting.
- Organizational alignment and phased, context-driven programs offer the best path forward for resource-limited operators.
