Red Hot Cyber
Cybersecurity is about sharing. Recognize the risk, combat it, share your experiences, and encourage others to do better than you.
Chinese Cyber Spies Use Brickstorm Malware to Infiltrate Critical Networks

5 December 2025 10:35

Chinese cyber spies have been lurking in the networks of critical organizations for years, infecting infrastructure with sophisticated malware and stealing data, government agencies and private experts warn.

According to a joint advisory from CISA, the NSA, and the Canadian Centre for Cyber Security, at least eight government agencies and IT companies have fallen victim to the Brickstorm backdoor, which has variants for Linux, VMware, and Windows environments.

A statement from CISA spokesperson Nick Andersen underscores the scale of the problem: the actual number of victims is likely higher, and Brickstorm itself is an “extremely advanced” platform that lets Chinese operators entrench themselves in networks for years, laying the groundwork for sabotage.

In one of the incidents investigated by CISA, attackers gained access to an internal network in April 2024, deployed Brickstorm on a VMware vCenter server, and maintained access until at least early September.

During this time they moved on to domain controllers and an ADFS server and stole key material from them. Google Threat Intelligence, which first reported Brickstorm in the fall, urges all organizations to scan their infrastructure for it. Analysts estimate that dozens of companies in the United States have already been affected by this campaign, and the attackers continue to refine their tools.

Mandiant links the attacks to the UNC5221 group and has documented compromises across industries, from legal services and SaaS providers to technology companies. Experts note that compromising an edge device and then pivoting to vCenter has become a common pattern for these attackers, who can also use that foothold to reach downstream victims.

In a separate report, CrowdStrike attributes Brickstorm to the Warp Panda group, which has been active since at least 2022, and describes similar attack vectors, including infiltrating the VMware environments of U.S. companies and conducting intelligence work for the Chinese government.

According to CrowdStrike, in several cases Warp Panda also deployed previously unknown Go implants, Junction and GuestConduit, on ESXi servers and virtual machines, and staged sensitive data for exfiltration. Some incidents also reached into Microsoft Azure: attackers obtained session tokens, tunneled traffic through Brickstorm, and downloaded sensitive material from OneDrive, SharePoint, and Exchange. They even managed to enroll new MFA devices, ensuring stealthy, long-term persistence in the victims' cloud environments.
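Of the cloud steps described above, the enrollment of new MFA devices is the one that reliably leaves a trace in the victim's own identity audit log, so it is a natural hunting pivot. As an added example, not code from the advisory or from any of the vendors cited here, the Python below runs over Microsoft Entra ID directoryAudit records (Graph API field names) and flags security-info registrations from outside an assumed set of corporate egress ranges, admin-initiated registrations on behalf of another account, and repeat registrations for the same account within a short window. The egress ranges and the sample records are constructed for illustration and are not real telemetry.

```python
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical corporate egress ranges (assumption); replace with your own.
KNOWN_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]

# activityDisplayName values Entra ID uses for authentication-method registration.
REGISTRATION_ACTIVITIES = {
    "User registered security info",
    "Admin registered security info",
    "User registered all required security info",
}

# Constructed sample of directoryAudit records, trimmed to the fields used below.
SAMPLE_AUDIT_LOG = json.dumps([
    {"activityDisplayName": "User registered security info",
     "activityDateTime": "2025-04-10T09:00:00Z",
     "initiatedBy": {"user": {"userPrincipalName": "alice@example.com",
                              "ipAddress": "203.0.113.10"}},
     "targetResources": [{"userPrincipalName": "alice@example.com"}]},
    {"activityDisplayName": "User registered security info",
     "activityDateTime": "2025-04-11T02:14:00Z",
     "initiatedBy": {"user": {"userPrincipalName": "bob@example.com",
                              "ipAddress": "198.51.100.77"}},
     "targetResources": [{"userPrincipalName": "bob@example.com"}]},
    {"activityDisplayName": "Admin registered security info",
     "activityDateTime": "2025-04-11T03:00:00Z",
     "initiatedBy": {"user": {"userPrincipalName": "carol.admin@example.com",
                              "ipAddress": "203.0.113.20"}},
     "targetResources": [{"userPrincipalName": "bob@example.com"}]},
    {"activityDisplayName": "Update user",
     "activityDateTime": "2025-04-11T04:00:00Z",
     "initiatedBy": {"user": {"userPrincipalName": "carol.admin@example.com",
                              "ipAddress": "203.0.113.20"}},
     "targetResources": [{"userPrincipalName": "dave@example.com"}]},
])


def parse_records(raw_json):
    """Load a JSON array of directoryAudit records."""
    return json.loads(raw_json)


def is_known_egress(ip):
    """True if the address falls inside one of the assumed corporate egress ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in KNOWN_EGRESS)


def find_suspicious_registrations(records, window_hours=24):
    """Return a list of findings, each {"user", "time", "reason"}."""
    findings = []
    per_target = defaultdict(list)  # target UPN -> registration timestamps

    for rec in records:
        activity = rec.get("activityDisplayName", "")
        if activity not in REGISTRATION_ACTIVITIES:
            continue
        actor = rec.get("initiatedBy", {}).get("user", {})
        actor_upn = actor.get("userPrincipalName", "")
        ip = actor.get("ipAddress", "")
        ts = datetime.fromisoformat(rec["activityDateTime"].replace("Z", "+00:00"))
        targets = [t.get("userPrincipalName") for t in rec.get("targetResources") or []]
        target = targets[0] if targets and targets[0] else actor_upn
        per_target[target].append(ts)

        if not is_known_egress(ip):
            findings.append({"user": target, "time": ts.isoformat(),
                             "reason": f"security info registered from unknown egress {ip}"})
        if activity.startswith("Admin") and target != actor_upn:
            findings.append({"user": target, "time": ts.isoformat(),
                             "reason": f"admin {actor_upn} registered security info for {target}"})

    # Velocity: a second registration for one account inside the window.
    for target, times in per_target.items():
        times.sort()
        for earlier, later in zip(times, times[1:]):
            if later - earlier <= timedelta(hours=window_hours):
                findings.append({"user": target, "time": later.isoformat(),
                                 "reason": "repeat security-info registration within window"})
                break
    return findings


if __name__ == "__main__":
    for f in find_suspicious_registrations(parse_records(SAMPLE_AUDIT_LOG)):
        print(f)
```

Each rule is intentionally cheap so it can run over a day's audit export; the egress allowlist is the only site-specific input, and in a real deployment the sample array would be replaced by the output of the Graph directoryAudits endpoint or your SIEM's copy of it.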

Palo Alto Networks specialists confirm the persistence and depth of these groups' intrusions. According to Unit 42 analysts, the Chinese operators use unique files and bespoke backdoors for each attack, which makes them extremely difficult to detect with shared indicators.

Their prolonged and covert activity within networks makes it difficult to assess the actual damage and allows attackers to plan large-scale operations long before their presence is detected.


The editorial staff of Red Hot Cyber is composed of IT and cybersecurity professionals, supported by a network of qualified sources who also operate confidentially. The team works daily to analyze, verify, and publish news, insights, and reports on cybersecurity, technology, and digital threats, with a particular focus on the accuracy of information and the protection of sources. The information published is derived from direct research, field experience, and exclusive contributions from national and international operational contexts.