PRC spies Brickstormed their way into critical US networks and remained hidden for years

Summary

US and Canadian agencies, plus multiple security firms, warn that China-linked cyber operators used a sophisticated backdoor called “Brickstorm” to maintain long-term access to critical US networks. The campaign affected dozens of organisations, including government services, IT providers and SaaS firms. The malware operates across Linux, VMware and Windows environments and was frequently deployed to VMware vCenter and ESXi hosts to enable persistent access, credential theft and data exfiltration. Researchers cite ties to groups tracked as UNC5221 and a newly profiled China-nexus cluster called Warp Panda.

Key Points

  • CISA, NSA and the Canadian Cyber Security Centre issued joint alerts about Brickstorm infections across public-sector and IT organisations.
  • Brickstorm is a cross-platform backdoor affecting Linux, VMware and Windows systems and was installed on VMware vCenter and ESXi hosts.
  • Attackers gained prolonged persistence — in one case from April 2024 through at least September 2024 — and stole domain credentials and cryptographic keys.
  • Google/Mandiant, CrowdStrike and Palo Alto Unit 42 have observed intrusions; CrowdStrike calls the cluster “Warp Panda,” Mandiant linked activity to UNC5221.
  • Operators exploited internet-facing edge devices to pivot into vCenter environments, deployed new Go-based implants (Junction, GuestConduit), and used Brickstorm to tunnel traffic and replay Microsoft 365 sessions.
  • Targets included legal services, SaaS, business process outsourcers, technology and manufacturing firms, plus downstream victims reached via compromised suppliers.
  • Detection is difficult: actors used custom backdoors and unique persistence mechanisms per victim; Google/Mandiant published an open-source Brickstorm scanner to help defenders.
  • Recommended actions include running the Mandiant Brickstorm scanner, hunting for unusual vCenter/ESXi activity, auditing MFA devices and tokens, and hardening edge appliances.
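Added example, not code from the article or from CISA, Mandiant or CrowdStrike tooling: a small POSIX shell hunt for the "unusual vCenter/ESXi activity" item above, written for the BusyBox shell an ESXi host actually provides. It assumes ESXi's documented behaviour of running /etc/rc.local.d/local.sh at every boot, which makes that file a natural place for an implant launcher; the connection-table layout is modelled on esxcli network ip connection list, and every address, path and process name in the sample data is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the article, CISA or Mandiant). Two hunts over
# artefacts from an ESXi host:
#  1. /etc/rc.local.d/local.sh is executed by ESXi at boot, so a launcher placed
#     there survives reboots. A stock file holds only comments, blank lines and
#     a final "exit 0"; anything else deserves a look.
#  2. A backdoor that tunnels traffic needs an outbound session, so an
#     ESTABLISHED TCP connection from the host to a public address is worth
#     explaining. Column layout is modelled on "esxcli network ip connection
#     list"; the rows below are constructed sample data.

# Returns 0 when the file holds nothing but comments, blank lines and "exit 0";
# otherwise prints the offending lines and returns 1.
rc_local_is_clean() {
    if grep -Ev '^[[:space:]]*(#.*)?$|^[[:space:]]*exit[[:space:]]+0[[:space:]]*$' "$1"; then
        return 1
    fi
    return 0
}

# Reads connection-table rows on stdin; prints "<foreign address> <world name>"
# for ESTABLISHED TCP sessions whose peer is outside loopback and RFC 1918 space.
external_established() {
    awk '$1 == "tcp" && $6 == "ESTABLISHED" {
            split($5, a, ":"); ip = a[1]
            if (ip ~ /^127\./ || ip ~ /^10\./ || ip ~ /^192\.168\./) next
            if (ip ~ /^172\.(1[6-9]|2[0-9]|3[01])\./) next
            print $5, $NF
        }'
}

# Demo on constructed input: one tampered local.sh and three connection rows.
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
#!/bin/sh
# local configuration options
/bin/sh /store/.cache/launch.sh &
exit 0
EOF
    if rc_local_is_clean "$tmp"; then
        echo "local.sh: clean"
    else
        echo "local.sh: REVIEW the lines above"
    fi
    rm -f "$tmp"

    printf '%s\n' \
      'tcp 0 0 192.168.10.5:443 192.168.10.77:52210 ESTABLISHED 2099 newreno hostd-worker' \
      'tcp 0 0 192.168.10.5:48122 203.0.113.44:443 ESTABLISHED 2100 newreno vmsyslogd' \
      'tcp 0 0 127.0.0.1:8307 127.0.0.1:39004 ESTABLISHED 2101 newreno rhttpproxy' \
      | external_established
}

demo
```

On a live host, feed the real files and the real esxcli output instead of the demo data, and treat a hit as a lead rather than a verdict: legitimate backup agents and syslog forwarders also make outbound connections, so the point is to enumerate what the appliance talks to and make every entry account for itself.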

Context and relevance

This alert highlights a continuing trend: state-aligned actors exploiting supply-chain and infrastructure software to gain broad, long-lived access. By focusing on VMware infrastructure and cloud identity, attackers amplify impact, since compromising a single SaaS or IT provider can expose many downstream customers. vCenter and ESXi appliances rarely run endpoint detection agents and are seldom logged as closely as a Windows server, so an implant at the hypervisor layer sits beneath most of the monitoring an organisation has deployed. The incident underlines the urgency of monitoring hypervisor and identity systems, and of sharing threat intelligence between government and industry.

Why should I read this?

Short version: if your org uses VMware, cloud identity (Microsoft 365) or relies on third-party IT/SaaS providers, this is a proper wake-up call. The write-up tells you how the bad guys get in, how long they can stick around, and what tools (like Mandiant’s scanner) you should run right now. Read it so you can act before you’re the one cleaning up a long-term breach.

Source

Source: https://www.theregister.com/2025/12/04/prc_spies_brickstorm_cisa/