Brickstorm malware powering ‘next-level’ Chinese cyberespionage campaign
Ambitious, suspected Chinese hackers with a slew of goals — stealing intellectual property, mining intelligence on national security and trade, developing avenues for future advanced cyberattacks — have been setting up shop inside U.S. target networks for exceptionally long stretches of time, in a breach that the researchers who uncovered it said could present problems for years to come.
Mandiant and Google Threat Intelligence Group (GTIG) researchers described the campaign as exceptionally sophisticated, stealthy and complex, calling those behind it a “next-level threat.” But they don’t yet have a full handle on who the hackers are behind the malware they’ve dubbed Brickstorm, or how far it stretches. A blog post the company posted Wednesday sheds light on the group.
The primary targets are legal services organizations and tech companies that provide security services, the researchers said. But the hackers aren’t limiting their interest to the primary targets, since they’ve used that access to infiltrate “downstream” customers. The researchers declined to describe those downstream customers, or say whether U.S. federal agencies are among those targeted. A great many of them don’t know yet that they’re victims, they said.
By stealing intellectual property from security-as-a-service (SaaS) firms, the hackers aim to find future zero-day vulnerabilities, a kind of vulnerability that is previously unknown and unpatched and thus highly prized, in order to enable more attacks down the line, the researchers from Mandiant and its parent company Google said.
The researchers declined to comment on possible Chinese government agency connections. But they see overlap with Chinese hacking groups like the one they’ve labeled UNC5221 — perhaps best known for exploiting Ivanti flaws, and a group that Mandiant and GTIIG described as the “most prevalent” Chinese-centered threat group right now — and the one Microsoft calls Silk Typhoon, which researchers warned recently has been ramping up its attacks this year, with targets including IT supply chains and the cloud. Silk Typhoon is believed to be Chinese government-sponsored.
The company has also developed a tool for potential victims to discover if they’ve been affected by Brickstorm activity, which Google experts indicated is a distinct possibility that could impact scores of organizations over the coming weeks.
“We have no doubt that organizations will use our tools to hunt for this adversary, and they will find evidence of compromise in their environments,” Charles Carmakal, chief technology officer at Mandiant Consulting, told reporters briefed on the blog post. “And it may be active compromises, it might be historic compromises, but many of our organizations are going to discover that they were dealing with this adversary.”
Sneaky, sneaky
The campaign’s average “dwell time” is 400 days, they said, compared to dwell times more commonly measured in days or weeks.
Several features obscure Brickstorm activity. “It’s very hard to detect them and to investigate them,” said Austin Larsen, principal threat analyst at GTIG.
The hackers target systems that don’t support defenses for finding and tracking threats on endpoints, such as laptops or cell phones. Examples of target systems that don’t support that kind of endpoint detection and response (EDR) include email security gateways or vulnerability scanners. They consistently target VMware vCenter and ESXi hosts, according to the blog post.
The researchers also never see overlap between the internet protocols of the attackers between victims, Larsen said, or another way of identifying attackers: “The hashes when they land on this are different for essentially every system.”
Brickstorm attackers also “clean up after themselves” at times, Carmakal said. “Brickstorm may not exist in a victim environment today, but it could have been there for a year and a half. It might have been deleted back in April this year, back in January this year,” he said.
What they want
Brickstorm also isn’t just about one goal. “It’s an intelligence operation, but not just an intelligence operation,” said John Hultquist, chief analyst at GTIG. “This is a long-term play.”
The hackers are primarily compromising victims through zero-days, but they’re aiming to uncover new ones, too, by going through companies’ proprietary source code. That gives them multiple ways to penetrate new victim networks.
The Brickstorm hackers “hit the SaaS providers, who either hold data for people, or they have some connectivity to downstream,” Hultquist said. Or he said the group can “get a hold of the technology source code and leverage that source code information to gain access or to build out exploits in that technology, which would then give [them] basically a skeleton key to that technology.”
But its victims can be even more precise than that. “As part of this campaign, we observed in some organizations — including some legal organizations — we observed the actor searching the emails of very specific individuals,” Larsen said. The hackers have focused on collecting espionage on international trade and national security from those organizations.
Google has been tracking Brickstorm for a while now. This spring, Belgian cybersecurity company NVISO also shined the spotlight on Brickstorm variants spying on European businesses. Google’s latest blog post identifies Brickstorm activity as far more extensive than previously described.
The response
Mandiant and GTIG have notified U.S. federal agencies and international governments about the campaign.
The tool is a scanner script that can be used on Unix systems, even if YARA (a common security tool used to find and identify malware) isn’t installed. This script is designed to do the same type of search as a specific YARA rule by looking for certain words and patterns that are unique to the Brickstorm backdoor.
“The most important thing here is, if you find Brickstorm, you really need to do a very thorough enterprise investigation, because the adversary that’s dropping this is a very, very advanced adversary that is known for stealing intellectual property from organizations,” Carmakal said. “It’s known for using access from victim companies to get into downstream customer environments.”
It’s all a “very, very significant threat campaign [that’s] very, very hard to defend against in tech,” Carmakal said.
Updated 9/24/25: with additional information about past Brickstorm reporting.
