Chinese APT Deploys Cross-Platform ‘Brickstorm’ Backdoor, Burrows for Years in Critical Networks
Chinese cyber-espionage actors have spent years burrowed, undetected, within the networks of critical organizations, infiltrating infrastructure with sophisticated malware and exfiltrating sensitive data, government agencies and private researchers warn. According to a joint advisory from CISA, the NSA, and the Canadian Centre for Cyber Security, at least eight government bodies and IT companies have fallen victim to the Brickstorm backdoor — a tool that operates seamlessly across Linux, VMware, and Windows environments. The scale of the threat is underscored by CISA official Nick Andersen, who noted that the true number of victims is almost certainly higher and described Brickstorm as “an exceptionally advanced” platform that allows PRC operators to entrench themselves in networks for years, quietly laying the groundwork for sabotage.
In one incident investigated by CISA, attackers gained access to an internal network in April 2024, deployed Brickstorm on a VMware vCenter server, and retained their foothold until at least early September. During this period, they breached domain controllers and an ADFS server, stealing cryptographic keys. Google Threat Intelligence, which first documented Brickstorm in the autumn, urges all organizations to proactively scan their environments before full compromise occurs. Analysts estimate that dozens of U.S. companies have already been affected, and the attackers continue to refine their toolset.
Mandiant attributes the campaign to the threat group UNC5221 and has observed compromises across a wide spectrum of sectors — from legal services and SaaS providers to technology firms. Researchers note that the compromise of edge devices followed by lateral movement into vCenter environments has become a hallmark tactic, enabling attackers to pivot toward downstream victims. In a separate report, CrowdStrike links Brickstorm to the Warp Panda group, active since at least 2022, and describes similar attack vectors, including intrusions into VMware environments at U.S. organizations and reconnaissance activities conducted on behalf of the Chinese government.
According to CrowdStrike, Warp Panda has in several cases deployed previously unknown Go-based implants — Junction and GuestConduit — onto ESXi servers and virtual machines, while staging sensitive data for exfiltration. Some intrusions extended into Microsoft Azure, where attackers seized session tokens, tunneled traffic through Brickstorm, and downloaded confidential data from OneDrive, SharePoint, and Exchange. They were even able to register new MFA devices, securing covert, long-term persistence within cloud environments.
Experts at Palo Alto Networks further confirm the persistence and depth of these intrusions. Unit 42 analysts report that Chinese operators employ unique files and bespoke backdoors for each compromise, making detection extraordinarily difficult. Their prolonged, stealthy presence within networks obscures the true extent of the damage and enables adversaries to plan major operations long before their foothold is discovered.