PRC spies Brickstromed their way into critical US networks and remained hidden for years
Summary
Chinese state-linked actors used a sophisticated backdoor called Brickstorm to gain long-term access to multiple critical US networks, including government services and IT organisations. US and Canadian agencies (CISA, NSA, Canadian Cyber Security Centre) issued a joint alert after private security firms including Google/Mandiant, CrowdStrike and Palo Alto Networks tracked intrusions that lasted months or even years.
The malware targets Linux, VMware and Windows environments, with attackers pivoting from edge devices to VMware vCenter and cloud services to maintain persistence, steal cryptographic keys and exfiltrate data — notably Microsoft 365 content from OneDrive, SharePoint and Exchange.
Key Points
- State-backed actors deployed Brickstorm backdoors across Linux, VMware (vCenter/ESXi) and Windows systems to achieve persistent access.
- CISA, NSA and the Canadian Cyber Security Centre issued a joint alert after dozens of US organisations were impacted; publicly confirmed victims include at least eight government and IT organisations.
- Google Threat Intelligence / Mandiant first raised the alarm and published an open-source Brickstorm scanner on GitHub; organisations are strongly advised to run it.
- CrowdStrike attributes activity to a China-linked group called Warp Panda; Mandiant has linked intrusions to UNC5221 — different vendors emphasise overlapping but evolving toolsets and techniques.
- Attackers exploited internet-facing edge devices, used valid credentials or vulnerabilities to pivot to vCenter, and deployed additional implants (Junction, GuestConduit) to compromise ESXi hosts and guest VMs.
- Adversaries stole cryptographic keys, registered MFA devices for persistence in some cases, and exfiltrated sensitive SharePoint and email data via token replay and tunneled traffic.
- Extended dwell time and custom per-victim persistence mechanisms make detection difficult and increase potential damage and downstream risk.
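A defender-side illustration of two behaviours named in the points above, MFA device registration used for persistence and token replay from more than one network location. This is an added example, not code from the alert, the article or any vendor's tooling: the JSON event schema, the operation names, the accounts and the IP addresses are constructed for the example and do not match Microsoft 365 or Entra ID audit-log field names, so map them to your own export before use.

```python
"""Hunt over constructed identity audit events for two Brickstorm-style
behaviours: MFA method registration on sensitive accounts, and one session
token used from several source addresses inside a short window (replay)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log. Hypothetical schema: ts, op, user, ip, token_id.
SAMPLE_LOG = """\
{"ts": "2025-11-02T08:01:10Z", "op": "UserLoggedIn", "user": "svc-backup@example.test", "ip": "203.0.113.10", "token_id": "tok-A1"}
{"ts": "2025-11-02T08:03:42Z", "op": "RegisterMfaMethod", "user": "svc-backup@example.test", "ip": "203.0.113.10", "token_id": "tok-A1"}
{"ts": "2025-11-02T08:20:05Z", "op": "FileDownloaded", "user": "svc-backup@example.test", "ip": "198.51.100.7", "token_id": "tok-A1"}
{"ts": "2025-11-02T09:00:00Z", "op": "UserLoggedIn", "user": "alice@example.test", "ip": "192.0.2.44", "token_id": "tok-B2"}
{"ts": "2025-11-02T09:05:00Z", "op": "FileDownloaded", "user": "alice@example.test", "ip": "192.0.2.44", "token_id": "tok-B2"}
{"ts": "2025-11-03T14:00:00Z", "op": "RegisterMfaMethod", "user": "alice@example.test", "ip": "192.0.2.44", "token_id": "tok-B3"}
"""

# Constructed operation name; substitute the real audit operation in your tenant.
REGISTER_OP = "RegisterMfaMethod"


def parse_events(text):
    """Parse newline-delimited JSON events and convert ts to aware datetimes."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(e)
    return events


def find_mfa_registrations(events, watchlist):
    """Return every MFA registration; flag priority when the account is on the
    watchlist (service, admin or break-glass accounts that rarely add methods)."""
    hits = []
    for e in events:
        if e["op"] == REGISTER_OP:
            hits.append({"user": e["user"], "ts": e["ts"], "ip": e["ip"],
                         "priority": e["user"] in watchlist})
    return hits


def find_token_reuse(events, window):
    """Map token_id -> set of source IPs for tokens seen from more than one
    address within `window` of each other; a replayed token shows up here."""
    by_token = defaultdict(list)
    for e in events:
        by_token[e["token_id"]].append((e["ts"], e["ip"]))
    flagged = {}
    for tok, uses in by_token.items():
        uses.sort()  # chronological, so the inner loop can stop at the window edge
        ips = set()
        for i, (t_i, ip_i) in enumerate(uses):
            for t_j, ip_j in uses[i + 1:]:
                if t_j - t_i > window:
                    break
                if ip_j != ip_i:
                    ips.update({ip_i, ip_j})
        if ips:
            flagged[tok] = ips
    return flagged


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for r in find_mfa_registrations(evs, {"svc-backup@example.test"}):
        print(f"MFA registration: {r['user']} from {r['ip']} at {r['ts']:%Y-%m-%d %H:%M} "
              f"{'[WATCHLIST]' if r['priority'] else ''}")
    for tok, ips in find_token_reuse(evs, timedelta(hours=1)).items():
        print(f"token {tok} used from multiple addresses: {sorted(ips)}")
```

Both checks are deliberately coarse: a new MFA method on a service account that should never enrol one is worth a ticket on its own, and a token that travels between addresses within an hour is the pattern to chase back to the originating sign-in and the edge device it came through.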
Context and Relevance
This incident underscores an ongoing trend: sophisticated nation-state crews increasingly target IT service providers, SaaS firms and infrastructure to reach downstream victims. By attacking vCenter/virtualisation and cloud service credentials, adversaries gain broad, stealthy access that can persist for months. The joint government-private response highlights the cross-sector urgency and the need for defenders to prioritise visibility into VMware environments, edge appliances and cloud identity hygiene.
Why should I read this?
Short and blunt: if you run IT, cloud, or security, this is stuff you need to know — and fast. The piece shows how attackers quietly piggyback on common infrastructure (vCenter, edge kit, Microsoft 365) to stay inside networks for ages. Running the Mandiant Brickstorm scanner and reviewing VMware/cloud identity controls could save you a world of pain.
Source
Source: https://go.theregister.com/feed/www.theregister.com/2025/12/04/prc_spies_brickstrom_cisa/
