Top Highlights
- Chinese-linked hackers, dubbed Brickstorm, have conducted a highly sophisticated, long-term campaign targeting U.S. legal and tech security firms, with potential impacts extending for years.
- Their primary objectives include stealing intellectual property to identify zero-day vulnerabilities, developing future cyberattacks, and conducting espionage on national security and trade-sensitive information.
- Brickstorm’s tactics involve stealth, using unique traffic identifiers, targeting systems lacking endpoint detection, and maintaining extended dwell times—up to 400 days—while sometimes erasing traces.
- Experts warn organizations to thoroughly investigate if compromised, as Brickstorm’s activity is far more extensive than previously known, posing a significant, hard-to-detect threat with implications for many organizations.
Underlying Problem
A highly sophisticated and covert cyber espionage campaign, dubbed Brickstorm, has been infiltrating U.S. networks for extended periods, predominantly targeting legal and cybersecurity companies, with the goal of stealing intellectual property, uncovering zero-day vulnerabilities, and gathering intelligence related to national security and trade. Conducted by suspected Chinese hackers—possibly linked to groups like UNC5221 or Silk Typhoon—these actors have operated stealthily for an average of 400 days, often leaving minimal traces and targeting vulnerable systems such as VMware and endpoints lacking advanced threat detection. They exploit proprietary source code and emails of key individuals, representing a persistent, long-term threat that can affect organizations for years, as uncovered by Mandiant and Google Threat Intelligence Group (GTIG).
The researchers, who are reporting these findings, have developed detection tools and notified U.S. and international agencies to help identify and mitigate these threats. The hackers’ tactics include deleting traces of their activity, making detection exceedingly difficult, and leveraging compromised access to infiltrate downstream victims—often without their knowledge. This campaign reflects an ambitious effort aimed not just at immediate theft but at laying the groundwork for future, more damaging cyberattacks, illustrating the evolving complexity and persistence of the threat landscape.
Risk Summary
Ambitious Chinese-backed hackers, operating stealthily within U.S. networks for extended periods, pose a severe cyber threat by stealing intellectual property, targeting national security, and identifying vulnerabilities for future exploitation. Their complex campaign, dubbed Brickstorm, primarily infiltrates legal and cybersecurity firms and exploits less protected endpoints like VMware systems to remain undetected, with an average dwell time of 400 days. These actors focus on harvesting proprietary source code and spying on specific individuals to gather intelligence on international trade and security, potentially impacting numerous organizations over years. Despite limited public details on their ties to Chinese government agencies, their activities overlap with known Chinese threat groups like UNC5221 and Silk Typhoon. The attackers’ sophisticated methods, including self-removal from compromised environments and wide-ranging targets, complicate detection and response, underscoring the urgent need for thorough investigation and advanced defense measures.
Possible Next Steps
Early intervention in addressing Brickstorm malware is crucial to prevent extensive data loss, diplomatic fallout, and future cyberattack opportunities. Prompt remediation ensures the containment of the threat, minimizes operational disruption, and reduces long-term damage to organizational and national security.
Mitigation Steps
- Immediate isolation of affected systems
- Deployment of advanced malware detection tools
- Continuous network monitoring for unusual activity
- Updating and patching all vulnerable software
- Disabling unused or compromised accounts
Remediation Actions
- Conduct a comprehensive system audit
- Remove malicious files and code traces
- Reset passwords and strengthen access controls
- Implement threat intelligence-based blocking rules
- Educate staff on cybersecurity best practices
Continue Your Cyber Journey
Discover cutting-edge developments in Emerging Tech and industry Insights.
Access world-class cyber research and guidance from IEEE.
Disclaimer: The information provided may not always be accurate or up to date. Please do your own research, as the cybersecurity landscape evolves rapidly. Intended for secondary references purposes only.
Cyberattacks-V1
