CyberWire Daily — December 5, 2025
Episode: China’s quiet crawl into critical networks
Overview
This episode centers on escalating Chinese cyber-espionage operations, major vulnerabilities actively exploited in global IT infrastructures, and developing efforts in post-quantum cryptography. The episode features news updates, technical analysis, and an expert interview with Blair Canavan from Thales, who outlines readiness for a post-quantum world and demystifies the current state of crypto “hygiene.” Other major themes include cybersecurity enforcement actions, emergent phishing threats, and privacy controversies around “smart” consumer tech.
Key Discussion Points & Insights
1. China’s Persistent Threat Activity and Emerging Vulnerabilities
[02:54–05:22]
- Brickstorm Malware & State Actor Intrusions:
Chinese state-sponsored groups are using the newly identified Brickstorm malware to achieve persistent access and conduct espionage in government and IT networks.
- Agencies (CISA, NSA, Canadian Centre for Cybersecurity) analyzed eight malware samples, noting deep embedding for espionage, future disruption, or sabotage.
- No specific victims were named, but CrowdStrike noted a case targeting an Asia-Pacific government entity.
- Critical "React to Shell" Exploitation:
Following the disclosure of a critical insecure deserialization flaw (flight protocol) in React Server Components and Next.js:
- Chinese threat actors (Earth Lamia, Jackpot Panda) exploited it within hours.
- Affects recent React versions—an estimated 39% of observed cloud environments are vulnerable (Wiz).
- Attackers were observed testing payloads and conducting manual reconnaissance.
- Proof-of-concept exploits are publicly available; researchers published scanners to assist defenders.
“Officials warn the operation reflects China’s intent to embed deeply for espionage, disruption or future sabotage.”
— Dave Bittner [03:42]
2. Reactive Impacts and Collateral Outages
[05:22–07:01]
- Cloudflare Outage:
Cloudflare’s emergency patching of the React vulnerability led to global 500 internal server errors—a side effect of proactive security, not an attack.
3. Phishing Innovation and Evolving Threat Kits
[05:44–08:03]
- China-Based Phishing Kits:
- Groups have shifted to selling kits for building convincing fake e-commerce sites that steal card data and enroll victims' cards into mobile wallets.
- New lures: fake tax refunds, mobile rewards, spoofed domains (T-Mobile, AT&T).
- Experts recommend swift reporting of SMS phishing (“smishing”).
- GhostFrame:
- Barracuda identified GhostFrame—a stealthy phishing kit that runs attacks hidden inside iframes; over 1 million attacks since September.
- Includes dynamic subdomains, anti-analysis controls, and heavily obfuscated code.
“Fake storefronts are harder to detect because they blend into normal shopping behavior and often go unnoticed until purchases fail to arrive.”
— Dave Bittner [06:35]
4. Enforcement, Espionage, and Legal Moves
[08:03–11:46]
- Ex-Twitter (X) Fined by EU:
The European Commission issued its first Digital Services Act fine—€120M to X (formerly Twitter) for misleading verification, failing ad transparency, and limiting research access.
- The ruling sparked geopolitical friction between the EU and U.S.; X called it censorship.
- Predator Spyware / “Aladdin” Zero Click:
- Predator, from Intellexa, abuses ad networks for “zero click” infections—malicious ads are served to users identified by IP address.
- Intellexa is under sanctions; Predator development continues.
- Russian Cybercrime Conviction:
- Physicist Artyom Koroshalov was sentenced to 21 years for treason, sabotage, and DDoS attacks, with alleged ties to Ukraine.
- Colleagues dispute that he had the technical capabilities; the case reflects a broader Russian crackdown.
- Federal Contractor Breach:
- Twin brothers, Muneeb and Sohaib Akhtar, were arrested after stealing and deleting data from agencies (DHS, IRS, EEOC) within minutes of being fired.
- They used AI tools to cover their tracks and had prior convictions for similar offenses.
Interview: Post-Quantum Cryptography Readiness
Guest: Blair Canavan, Director of Alliances, PKI & PQC Portfolio, Thales
[14:09–27:01]
Key Topics
The Shift to Post-Quantum Awareness
- Skepticism has faded; most organizations now see PQC readiness as urgent.
- “You have to live under a rock if you’re not aware of quantum or post-quantum cryptography these days. Much like AI emerged into the scene a few years ago, post-quantum is now becoming… the number one most recognizable thing that our company is hearing.”
— Blair Canavan [15:29]
Measuring Real vs. Aspirational Readiness
- Actions, not words: Major orgs (esp. financial sector, governments) are conducting cryptographic discovery—identifying where legacy crypto must be replaced.
- Vendors, especially major consultancy firms, now offer in-depth PQC assessment and remediation services.
- Focus on “crypto hygiene”—standardizing certificate management, key management, and ensuring symmetric encryption is PQC-safe.
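The cryptographic discovery step described above, as an added example that is not part of the episode or of any Thales tooling: a small Go inventory that parses X.509 certificates and flags RSA and ECC keys as quantum-vulnerable, the kind of list a migration plan and budget start from. The two self-signed certificates and their names (legacy-vpn.example, api-gateway.example) are constructed for the demo; real use would read DER or PEM from keystores, load balancers and code signing systems.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// Classify names the key algorithm and whether a cryptographically relevant quantum computer would break it: RSA and ECC both go on the migration list.
func Classify(cert *x509.Certificate) string {
	switch k := cert.PublicKey.(type) {
	case *rsa.PublicKey:
		return fmt.Sprintf("RSA-%d: quantum-vulnerable, migrate", k.N.BitLen())
	case *ecdsa.PublicKey:
		return fmt.Sprintf("ECDSA %s: quantum-vulnerable, migrate", k.Curve.Params().Name)
	default:
		return fmt.Sprintf("%T: not recognised, review manually", k)
	}
}
// Inventory parses DER certificates and maps each subject CN to its verdict; a parse failure aborts the run rather than silently skipping an asset.
func Inventory(ders [][]byte) (map[string]string, error) {
	out := map[string]string{}
	for _, der := range ders {
		c, err := x509.ParseCertificate(der)
		if err != nil {
			return nil, err
		}
		out[c.Subject.CommonName] = Classify(c)
	}
	return out, nil
}
// selfSigned mints a constructed self-signed certificate so the demo needs no files on disk.
func selfSigned(priv, pub any, cn string) []byte {
	t := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	t.Subject.CommonName = cn
	der, _ := x509.CreateCertificate(rand.Reader, t, t, pub, priv) // any failure surfaces as a parse error in Inventory
	return der
}
// SampleInventory runs the discovery over two constructed certs: RSA-2048 and ECDSA P-256.
func SampleInventory() (map[string]string, error) {
	rsaKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	ecKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return Inventory([][]byte{selfSigned(rsaKey, &rsaKey.PublicKey, "legacy-vpn.example"),
		selfSigned(ecKey, &ecKey.PublicKey, "api-gateway.example")})
}
```

The default branch is deliberate: any key type the inventory does not recognise is reported for manual review instead of being assumed safe.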
Hybrid Crypto Approaches
- “Hybrid” means combining classical (RSA, ECC) and post-quantum algorithms (e.g., FIPS 203–205, Kyber, Dilithium).
- Some orgs believe hybrid is a risky stopgap; others support gradual migration.
- Reluctance to move exclusively to PQC without years of field-proven reliability.
Roadblocks to Adoption
- Delays arise from skepticism, perceived timeline, resource requirements, and cost.
- Hardest problems: Finding all uses of crypto, budgeting the migration, recruiting necessary expertise.
“You can’t just wave a magic wand, find all your crypto, swap it out magically overnight. This is going to take an enormous amount of resources and budget.”
— Blair Canavan [21:40]
Stakeholder Roles
- Vendors and standards bodies, alongside governments and large firms, shape pace and adoption.
- Early adopters (e.g., Wells Fargo, HSBC) offer best-practice blueprints.
Anticipating a “Sputnik Moment”
- Organizations are unlikely to receive a public announcement when a nation-state achieves quantum advantage.
- The “skeleton key” risk—quantum breaking current asymmetric crypto—remains the chief concern.
“That's like saying I've got the skeleton key to the world. I'm just going to tell everybody I have that key. I think what we have to realize is a lot of this is going to go on behind the scenes.”
— Blair Canavan [25:04]
Memorable Moments & Quotes
- “Fake storefronts are harder to detect because they blend into normal shopping behavior…”
— Dave Bittner [06:35]
- “You have to live under a rock if you’re not aware of quantum or post-quantum cryptography these days.”
— Blair Canavan [15:29]
- “You can’t just wave a magic wand, find all your crypto, swap it out magically overnight.”
— Blair Canavan [21:40]
- “That's like saying I've got the skeleton key to the world. I'm just going to tell everybody I have that key… this is going to go on behind the scenes.”
— Blair Canavan [25:04]
Notable Segment Timestamps
- 02:54 — Chinese Brickstorm malware report and goals.
- 03:27 — React-to-shell vulnerability details, rapid exploitation.
- 05:22 — Cloudflare’s outage (incident vs. attack).
- 05:44 — Phishing innovation, e-commerce site kits.
- 07:01 — GhostFrame mass attacks.
- 08:03 — EU’s fine of X (Twitter).
- 09:06 — Predator spyware, Aladdin zero-click.
- 09:46 — Russian physicist’s sentencing.
- 10:41 — Twin brothers’ government data breach.
- 14:09–27:01 — Blair Canavan interview on PQC.
Brief: Tech & Privacy Oddity
[28:21–29:49]
- Kohler’s “Dakota” smart toilet analyzes photos of waste for health insight; the company claims end-to-end encryption. In reality, the data is protected only by standard TLS in transit, not by true end-to-end (“user-to-user”) encryption.
“The Dakota may be the rare gadget that asks you to pay handsomely for the privilege of being misunderstood by a toilet. End to end, indeed.”
— Dave Bittner [29:40]
Conclusion
This episode illustrates the increasing sophistication and speed of nation-state cyber threats—particularly from China—against government and enterprise targets, while also highlighting the tactical and strategic challenges organizations face in achieving cryptographic resilience in the quantum era. The topics balance urgent present-day vulnerabilities with the forward-looking imperative of quantum-safe security, contextualized through expert perspective and actionable insights.
