CyberWire Daily - Confronting China's Expanding Cyber Threats [Threat Vector]
Episode Date: January 1, 2026

While our team is out on winter break, please enjoy this episode of Threat Vector from our partners at Palo Alto Networks. In this episode of Threat Vector, host David Moulton talks with Wendi Whitmore, Chief Security Intelligence Officer at Palo Alto Networks, about the increasing scale of China-linked cyber threats and the vulnerabilities in outdated OT environments. Wendi shares critical insights on how nation-state threats have evolved, why AI must be part of modern defense strategies, and the importance of real-time intelligence sharing. They also dive into scenario planning as a key to resilience. If you want to know how cybersecurity leaders are preparing for the next wave of threats, this episode is a must-listen.

From the show:
ASEAN Entities in the Spotlight: Chinese APT Group Targeting
Preparing for a Secure Paris 2024
Unit 42 Predicts the Year of Disruption and Other Top Threats in 2025
FBI talks about how China is testing AI in cyberattacks

Hear more from Wendi Whitmore on Threat Vector: Episode 5: From Nation States to Cybercriminals

Join the conversation on our social media channels:
Website: https://www.paloaltonetworks.com/
Threat Research: https://unit42.paloaltonetworks.com/
Facebook: https://www.facebook.com/LifeatPaloAltoNetworks/
LinkedIn: https://www.linkedin.com/company/unit42/
YouTube: @paloaltonetworks
Twitter: https://twitter.com/PaloAltoNtwks

About Threat Vector
Threat Vector by Palo Alto Networks is your premier podcast for security thought leadership. Join us as we explore pressing cybersecurity threats, robust protection strategies, and the latest industry trends. The podcast features in-depth discussions with industry leaders, Palo Alto Networks experts, and customers, providing crucial insights for security decision-makers. Whether you're looking to stay ahead of the curve with innovative solutions or understand the evolving cybersecurity landscape, Threat Vector equips you with the knowledge needed to safeguard your organization.

Palo Alto Networks
Palo Alto Networks enables your team to prevent successful cyberattacks with an automated approach that delivers consistent security across the cloud, network, and mobile. http://paloaltonetworks.com
Transcript
You're listening to the Cyberwire Network, powered by N2K.
I think for threat intelligence sharing to be effective, though, is it needs to be contextualized and actionable,
and it can't be slow and gated and working through bureaucratic means in order to get the information shared.
So the reality there is there is still a lot of person-to-person and organization-to-organization sharing that's going on.
But I think that's actually happening in a much more effective level than previously.
The Russia-Ukraine invasion really was a catalyst for a lot of that.
And that's not to say that there wasn't great information sharing going on before because there was.
But when it actually came time to say, wow, okay, we need, there are people's lives we need to protect here.
I think a lot of those barriers broke down.
Welcome to Threat Vector, the Palo Alto Networks podcast, where we discuss pressing cybersecurity threats and resilience and uncover insights into the latest industry trends.
I'm your host, David Moulton, Senior Director of Thought Leadership for Unit 42.
Today I'm speaking with Wendi Whitmore, Chief Security Intelligence Officer at Palo Alto Networks.
Wendi brings more than two decades of experience leading incident response and threat intelligence teams at organizations like Mandiant, CrowdStrike, IBM X-Force, and Unit 42 for Palo Alto Networks.
She's an inaugural member of the DHS Cyber Safety Review Board and serves on the Cybersecurity Advisory Board at Duke University and the University of San Diego.
Wendi is a highly respected voice in national and global cybersecurity strategy with extensive experience countering nation-state and AI-driven threats.
Today, we're going to talk about the evolving scale and sophistication of Chinese nation-state
cyber threats, the targeting of critical infrastructure, and how defenders can better prepare
in a rapidly accelerating AI environment.
This topic is critically important because we're witnessing nation-state actors, particularly
from China, operating with unprecedented speed, persistence, and global reach.
Threatening not just corporate intellectual property, but critical infrastructure
that underpins everyday life.
As defenders, we need new strategies,
faster detection, and greater resilience
across entire ecosystems.
Here's our conversation.
Wendi, welcome back to Threat Vector.
Good to see you again.
Thanks, David.
Happy to be here.
Great to see you.
I know that you've been busy lately.
Congrats on the new role.
Thank you.
And you've been on panels, even today.
And I wanted to get into some of the conversations that you've been having, talking about some of the Chinese threat actors and some of the tactics and behaviors that you're seeing.
Yeah, well, I think, first of all, it's a busy week, right?
A lot of hot topics going on here at RSA.
And China as a nation state threat actor is certainly one of those that I think is at the top of everyone's list.
So we had the opportunity to cover various typhoon actors, what we're seeing,
and then really the broader spectrum of Chinese nation state cyber threat activity.
So I think it's fair to say, so I have been conducting investigations in this space,
specifically towards nation state actors for almost 25 years.
It's been a minute.
It's a while.
And we have never seen before, during that time frame, the scale of persistent threat activity that we're seeing today from Chinese nation-state threat actors. So hands down,
you know, bar none, that is the reality today. And I think that what makes it a little different
than what we've seen before is their ability to operate and collect information and data at
scale, whether it's from critical infrastructure entities, whether it's for corporate espionage
purposes, whether it's simply data collection to be used at a later time. And so that's
concerning, and that's certainly at the top of everyone's mind. Some examples of that are like
we see CVEs being exploited at scale to a degree that we have not seen before. We're looking at,
within hours and in some cases minutes, vulnerabilities being identified en masse, and then
systems and applications and services being identified for future exploitation. So that's
a concern whether you're a critical infrastructure operator or you're running a technology
organization, that those continue to be extremely pervasive.
I think another example of the scale we're seeing, when you look at government espionage,
within the United States, we talk a lot about threats to the United States.
But the reality is, if you're an ally of the Chinese government, you're just as likely
to be impacted by espionage as people who are not on the top of that ally list.
So last year, we released research about 23 different government organizations in Cambodia being compromised at nearly the same time.
So we're looking at whole of government scale operations.
And then specifically related to China and Taiwan, right?
We're seeing any business entities, government organizations that are operating within the
South China Sea. Europe, in particular, has 40% of its trade moving through the South China Sea.
So at any time, that's a concern in terms of just the discussions that are at the forefront of
everyone's mind related to trade negotiations and international trade policy and how countries
are going to be reacting to that. All of it's super intertwined. So that's definitely at the top of the
list in terms of concerns. Wendi, that sounds incredibly concerning. What are some of the
implications of the outdated OT systems, those with remote access? How are those systems playing
into some of the cases that you're looking into?
Well, I think the biggest concern there is that in many cases,
industrial control systems and OT environments were not designed with security in mind.
They were designed with uptime and availability as their primary goal.
And so that means security is oftentimes bolted on after the fact.
So now you have legacy systems, which in many cases are end of life.
They're not able to be patched, and they're critical to making sure manufacturing environments
are running correctly, as well as other types of environments that are leveraging that technology. So we see this not only in ICS environments,
but we see it even in corporate IT environments where attackers are specifically going to devices
at the edge that don't have the same types of endpoint protection in place in order to compromise
those and leverage them as a way into the environment. So that continues to be really a major
concern in an area that will likely continue to be for some time moving forward.
You know, we talked about this on the panel I was on, about the idea of rethinking air-gapping
and whether that's really an effective security strategy, because unfortunately, we all know
that people are at the heart of getting security done, and what you have is administrators
who have already a tough job to do.
They're pulled in a million different directions, and so what happens?
They tend to reuse passwords both within the corporate IT environment as well as within the industrial
control systems environments, and those oftentimes are a big target from these attackers.
I think though that one of the bigger issues
is just a need for a cultural mindset shift.
So we're working with an organization
that we're responding to a breach at,
and it has a number of OT environments
as well as their corporate IT environment.
And in the wake of the breach,
those executives and the security teams realize,
well, okay, we really need to rethink
the entire way that we approach security.
The way we've been doing it isn't going to be effective
moving forward in terms of being able to have insight and visibility at the edge within the OT
environment. They realize the criticality of it. But unfortunately for them, they realize that after
the fact and after a breach, we want more organizations to be thinking of this proactively and be looking
at how they can implement really zero trust principles within those OT environments. Yeah, you're
reminding me of sitting across from my doctor a couple years ago. And he was telling me,
Yeah, it's time for some blood pressure medicine.
And, you know, it was after the fact that I got the message.
And it would have been better had I started running, maybe cut down on the salt and the caffeine.
I don't know when some of these lessons learned are going to show up for organizations that are moving fast and realizing that maybe uptime and security can be equal partners in what they're looking to achieve and in the way that they're measuring things,
or we're going to have this massive scale of attacks
that you're talking about with the Volts and maybe others.
Well, I think there is, like, if there's a shred of good news,
I think the reality is that AI is actually going to make changes in that
because what you're talking about is just this bigger picture,
like software is oftentimes built and hardware systems are built,
and then security is tested for after the code is developed.
And so now what you're seeing is AI has the ability to inject into that software
life cycle and that entire process to where we can identify potential vulnerabilities in the code
much earlier than we used to. We can identify where there's hard-coded passwords, where there's
potential CVEs that can be exploited, and that's all part of this continuous development
life cycle that's fixed prior to being shipped. So that is going to make some impact.
Well, and that's really exciting because of the cost of fixing it before it's deployed, and as you
said, you can't update it, it's end of life. That changes the game significantly.
Maybe there's some other wins that we can talk about, and I'd want to focus on defenders
where they're finding some success.
Can you talk about what's working well maybe with threat detection and intel sharing?
I do think intel sharing is happening more effectively than ever before, and I'll provide
two cases for that, two use cases.
So one, in the panel I was on yesterday, we talked specifically about the intelligence sharing
that goes on between the threat detection teams at Microsoft
and our intelligence teams within Unit 42
and larger Palo Alto networks.
That's an ongoing dialogue.
People are in Slack channels together.
They're on the phone together on a daily basis,
sharing information in real time.
So I think for threat intelligence sharing to be effective, though,
is it needs to be contextualized and actionable,
and it can't be slow and gated
and working through bureaucratic
means in order to get the information shared. So the reality there is there is still a lot of
person to person and organization to organization sharing that's going on. But I think that's
actually happening at a much more effective level than previously. What's allowing it to be getting
better? Like what are the cultural things? What are the shifts, the policy changes? Yeah, I think
culturally, my perspective is that the Russia-Ukraine invasion really was a catalyst for a lot of that.
And that's not to say that there wasn't great information sharing going on before because there was.
But when it actually came time to say, wow, okay, we need, there are people's lives we need to protect here.
I think a lot of those barriers broke down between competitors in particular.
So when you look at the intelligence dialogue that's going on between all of these organizations that traditionally compete to sell products to sell services, I think that barrier is really decreased.
So, Wendi, what's next?
How can organizations better prepare through scenario planning?
I think scenario planning and live action kind of testing and exercises is by far one of the best opportunities organizations
have to prepare. But in order to do that successfully, there are some key pieces. One,
it cannot be just security professionals who are involved in that. It really needs to be from the
boardroom to the security operations center, and then better yet, extending to partners,
vendors, external counsel, law enforcement, and even better yet, bring the regulators into
this dialogue. All of those organizations, if working together, are really
there to help protect organizations against these threats to make sure that they are resilient
when there is a breach. And so the most prepared organizations we see are having that level of
dialogue and preparedness and making sure that those relationships are in place in advance of an
attack and that they're not only looking at like what happens if our organization goes down,
but they're looking at what if one of my most critical supply chain providers goes down?
What do we do then? How do we communicate with them during this
event, what kind of new infrastructure are we going to be setting up, and that's everything
from the hardware that may be required to run the network, to how are we going to, like,
what email devices, for example, what email accounts are we going to communicate from, right?
All of those are things that should be included in that pre-planning.
Another example, though, kind of related to your last question with private and public partnerships,
An example of a tabletop exercise that we at Unit 42 recently participated in included Microsoft.
It included many other organizations within JCDC, and it was actually related to an AI attack.
And so those are the type of really comprehensive planning scenarios that we all want to be involved in,
and we encourage our clients to participate in.
Because if one of your cloud providers, for example, goes down, that becomes now a critical infrastructure provider.
We all need to be prepared to figure out how we're going to work through those scenarios.
Wendi, when you're talking about that, I'm going back to a comment you made.
In 25 years of watching APTs out of China, you've never seen the scale, the speed,
you've never seen that type of volume of attack.
Is it a new type of training that's required because of AI, because of the strategic
level of these attacks that you're seeing? That's the new normal. That's the new
baseline of what organizations should be thinking about and doing. Absolutely. I agree with that.
I think that you're looking at a level of breadth across an organization and their entire ecosystem
of providers and experts that they work with on a daily basis to come together to really
ensure that the entire ecosystem is resilient. I think a great
example of this is the work we did with the Olympics last year. So the Paris Olympics in summer,
we worked with critical infrastructure providers who are providing power to the games. Transportation,
rail lines, airways, buses, infrastructure providers like the actual physical security at these
events, and then all of the financial processing systems. So not necessarily the Olympic committee
itself, which might be forefront and top of everyone's mind. But I think that shows just all of the
providers that have to come together to make some sort of big event possible. What we did was in
advance of the Olympics, we went through all kinds of scenario planning that involved everything
from a, you know, train going down to the inability to process ticketing systems into a venue
where there might be 50,000 people coming in. All of that to figure out, okay, how are we going to
adapt quickly. How are we going to stand up new network infrastructure at a moment's notice
to make sure that these events run securely? And that's the type of planning that we need
organizations to be doing about running their business and having the level of resiliency needed
for a cyber attack. Yeah, we often talk about the weakest link is the problem. And when you're
talking about integrated systems and businesses, any of those could have a weakest link inside of
them, and it takes down the entire thing. I think about the idea of the Olympics and losing
transportation or payment, and that's the game, right? You're immediately in trouble.
So let's look into the future a little bit and predict. What are some of the blind spots
that concern you? I think right now, the speed with which AI is being implemented and the level
of vulnerabilities that that presents to organizations as they need to build AI within their
applications, they need to adapt and adopt technologies that are leveraging AI. It's just creating
a lot of potential for new areas of weakness that we haven't yet identified. Just this week,
the FBI released information that suggests that the Chinese government is testing AI as part
of the entire attack life cycle. And that's something we suspect not only nation states are going to be
doing, but certainly cybercriminals as well.
What's the top step organizations should take right now?
So we often say, David, that organizations should be fighting AI with AI.
But that term can be misinterpreted or it can be kind of ambiguous.
And so what do I mean by that?
I mean organizations need to be looking at on the defensive side how they implement AI into
their workflows to give them increased visibility and increased speed to detect threats.
There is no way that we are going to defeat these adversaries if we are working at manual
speed and not taking as many of the manual tasks away from the humans, letting machines
do those and letting humans do what we do best, which is really then work on solving the most
challenging problems that exist within the space, with the aid of technology that's solving
some of the larger processes that we can automate.
What is the one thing a listener should take away from today's conversation?
Cybersecurity has never been more important than it is today.
So the more that organizations can take that threat seriously,
know that other nation-state adversaries throughout the world
are leveraging cybersecurity to attack us, to attack our allies,
and the investments need to be made in making sure that their organization
is in a consistent shield-up posture at all times.
Wendi, thanks for a great conversation today.
I really appreciate you spending the time,
sharing the insights, talking about public-private,
talking about some of the things that you're seeing
that are going on with nation-state cyber threats.
We'll look forward to having you back on Threat Vector as soon as you're ready.
Awesome. Thank you, David.
That's it for today. If you've liked what you heard, please subscribe wherever you listen
and leave us your review on Apple Podcasts or Spotify. Those reviews really do help me
understand what you want to hear about. If you want to reach out to me directly about
the show, email me at threatvector@paloaltonetworks.com. I want to thank our executive
producer Michael Heller, our content and production teams, which include Kenny Miller,
Joe Benicourt and Virginia Tran. Elliot Peltzman edits the show and mixes the audio.
We'll be back next week. Until then,
stay secure, stay vigilant.
Goodbye for now.
