Particle.news

Google, Mandiant Expose China-Linked ‘Brickstorm’ Campaign With Year-Long Stealth in U.S. Networks

Investigators issued a Unix scanner plus hunting guidance, warning that many organizations will uncover active or historical compromises for years to come.

Overview

  • Researchers tie the intrusions to UNC5221 and related China-linked clusters, while stopping short of confirming direct government sponsorship.
  • Victims span U.S. legal services, technology firms, SaaS providers and BPOs, with attackers pursuing intellectual property, trade and national-security intelligence, and access to downstream customers.
  • BRICKSTORM persisted for an average of 393 days by running on appliances and VMware vCenter/ESXi hosts that lack traditional EDR coverage, with operators rotating infrastructure and sometimes deleting malware to thwart forensics.
  • At least one breach began with a zero-day exploit against an Ivanti Connect Secure edge device, after which the attackers used stolen credentials to pivot and maintain persistence.
  • The backdoor can serve files, proxy traffic and execute commands, and was used to exfiltrate emails via Microsoft Entra ID Enterprise Apps; Google and Mandiant expect scanning to surface many more active or historic compromises over the next one to two years.