Cybersecurity authorities revealed Thursday details about the sophisticated Brickstorm campaign, a suspected China state-sponsored espionage operation that has been active since at least 2022. Google previously flagged the campaign in September, and a joint analysis from the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency, and the Canadian Centre for Cyber Security highlights the attackers’ sustained ability to gain undetected, long-term access to critical infrastructure and government networks.
This persistent intrusion aims to enable lengthy access for data theft and potential sabotage, according to CISA. The malware, described as “terribly sophisticated,” has allowed attackers to maintain access for an average of 393 days, enabling immediate data exfiltration as well as the follow-on malicious activity that Google Threat Intelligence Group discovered. Dozens of U.S. organizations are believed to be impacted, with potential for further downstream victims.
Brickstorm Campaign Targets Critical Infrastructure
The Brickstorm campaign specifically targets VMware vSphere and Windows environments, employing techniques designed to obscure its presence and facilitate lateral movement within victim networks. The malware is also designed to automatically reinstall or restart itself if disrupted, demonstrating a high degree of resilience. CISA has provided indicators of compromise based on eight collected samples to aid in detection.
Attribution for these attacks points to China state-sponsored actors, who are primarily targeting organizations in the government, IT, and legal services sectors. Additionally, the attackers are focusing on edge devices, software-as-a-service providers, and business process outsourcers as initial footholds to access downstream targets. While specific numbers of affected government agencies and the exact nature of the stolen data remain undisclosed, officials suggest the scope of impact is likely broader than currently uncovered.
Evolution of Cyber Tradecraft
Both CrowdStrike, attributing the activity to “Warp Panda,” and Google Threat Intelligence Group, identifying it as “UNC5221,” place the Brickstorm campaign’s origins at least as far back as 2022, with the intrusions going undetected until the summer of the previous year. This timeline indicates a significant period of undetected operations.
The continuous expansion of the attackers’ infrastructure, development of new tools, and their ability to exploit cloud misconfigurations suggest the campaign remains highly active, according to CrowdStrike. The group has also deployed previously unknown implants, Junction and GuestConduit, with all observed malware written in Golang, a programming language known for efficiency and cross-platform compatibility.
Strategic Espionage and Data Loss
The threat actors are reportedly stealing configuration data, identity metadata, documents, and emails that align with China’s government interests. While destructive actions have not been observed, the intelligence value of the acquired data is considered significant, providing state actors with insights into infrastructure mapping, dependencies, and positioning for future operations. This “espionage with strategic depth” makes the campaign particularly concerning.
Details of a 2024 attack on an unnamed organization illustrate the group’s operational methods. Authorities are still investigating crucial details of that incident, including the initial access vector, the timeline of webshell implantation, and how the attackers obtained credentials for lateral movement. The incident involved the exfiltration of Active Directory databases and the use of compromised managed service provider accounts to gain access to sensitive servers and deploy Brickstorm.
The Brickstorm campaign represents an evolution in tradecraft compared to previous China-nexus cyberespionage efforts, demonstrating a sophisticated understanding of multi-cloud environments and identity fabrics. The continuing lack of insight into the full scope of what the attackers achieved, together with the potential long-term implications of these persistent backdoors, remains a significant concern.
The campaign effectively blends objectives, encompassing espionage, intellectual property theft, and the establishment of persistent access for future malicious activities. The attackers exhibit remarkable stealth by exploiting network gaps where detection tools are not deployed and by prioritizing the compromise of perimeter and remote access infrastructure, segments where log retention is often inadequate for determining initial access vectors.
Identifying this activity is exceptionally challenging due to its focus on poorly inventoried and unmonitored appliances and edge devices. This level of operational security and the prioritization of “unmanageable” devices position the Brickstorm campaign among the most evasive nation-state activities being tracked.
The next steps involve continued investigation by cybersecurity agencies and private sector researchers to identify further victims and understand the full extent of the compromised data. The ongoing nature of the campaign means that organizations must remain vigilant and implement robust security measures to detect and mitigate similar threats.