Under the radar - Google warns new Brickstorm malware was stealing data from US firms for over a year

News
By published

Chinese state-sponsored actors are at it again, Google warns

Abstract Futuristic Red Shinny Digital Hud Square Elements Mosaic Grid Map Of China Flat Screen With Horizontal Light
(Image credit: Shutterstock)
  • Google warns UNC5221 targeted US legal, tech, and SaaS firms with Brickstorm malware for over a year
  • Campaign aimed at espionage, intellectual property theft, and long-term infrastructure access
  • Mandiant urges TTP-based threat hunting and stronger authentication to counter future attacks

US organizations across the legal, technology, SaaS, and business process outsourcing sectors were targeted by a new malware variant named Brickstorm for over a year, leading to major data loss, experts have warned.

Google’s Threat Intelligence Group (GTIG) found the threat actors behind the campaign are UNC5221, a suspected China-nexus threat known for stealthy operations and long-term persistence.

This group first targeted zero-day vulnerabilities in Linux devices and BSD-based appliances, since these are often overlooked in asset inventories and excluded from central logging. As such, they make for an ideal foothold for the attackers.

Cyber-espionage

Once inside, UNC5221 used Brickstorm to move laterally, harvest credentials, and exfiltrate data with minimal telemetry. In some cases, the malware remained undetected for more than a year, since the average dwell time was said to be a mighty 393 days.

In many cases, they would pivot from fringe devices to VMware vCenter and ESXi hosts, using stolen credentials to deploy Brickstorm and escalate privileges.

To maintain persistence, they modified startup scripts and deployed webshells that allowed for remote command execution. They cloned sensitive virtual machines without even powering them on, and thus avoiding triggering security tools.

The campaign’s objectives appear to span geopolitical espionage, intellectual property theft, and access operations.

Since legal companies were targeted as well, the researchers suspected UNC5221 was interested in US national security, and trade topics, while targeting SaaS providers could have been used to pivot into downstream customer environments.

To counter Brickstorm, Mandiant recommends a threat-hunting approach based on tactics, techniques, and procedures (TTPs) rather than atomic indicators, which have proven unreliable due to the actor’s operational discipline.

The researchers urged businesses to update asset inventories, monitor appliance traffic, and enforce multi-factor authentication.

You might also like

TOPICS
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.