As cyber threats continue to evolve, few are as insidious as the recent Chinese cyberespionage campaign involving the BrickStorm malware. To unpack this complex operation, we’re speaking with Vernon Yai, a renowned data protection expert specializing in privacy protection and data governance. With years of experience in risk management and innovative detection techniques, Vernon has a deep understanding of advanced persistent threats (APTs) and the tactics used by state-sponsored actors. Today, he’ll shed light on how these hackers managed to lurk in networks for nearly 400 days, the stealthy tools they employed, and the broader implications for industries worldwide.
Can you give us a broad picture of this Chinese cyberespionage campaign involving BrickStorm malware and what sets it apart from other cyberattacks?
Absolutely. This campaign is a textbook example of a highly sophisticated, long-term cyberespionage operation. The attackers, primarily linked to a group known as UNC5221, used a stealthy backdoor called BrickStorm to infiltrate networks and maintain access for an average of 393 days. That’s over a year of undetected presence, which is staggering. What sets this apart is not just the duration but the precision and focus on high-value targets like legal services, SaaS providers, and tech firms. Unlike typical smash-and-grab attacks, this was about quietly siphoning off sensitive data and intellectual property, often to exploit downstream vulnerabilities. It’s a slow-burn strategy with potentially devastating ripple effects.
How were these attackers able to remain hidden in compromised networks for so long?
A big part of their success comes down to their choice of targets and tools. They often deployed BrickStorm on network appliances—think Linux- or BSD-based systems—that don’t typically have robust endpoint detection and response (EDR) solutions installed. These devices are often overlooked in security setups, making them perfect hiding spots. Additionally, the malware itself is designed for stealth, minimizing suspicious activity and blending into normal network traffic. On top of that, they used legitimate credentials, likely stolen during the initial breach, to move around undetected. It’s a combination of technical sophistication and exploiting blind spots in organizational defenses.
What can you tell us about the group behind these attacks, UNC5221, and their possible connections to other threat actors?
UNC5221 is a Chinese APT group that’s been on the radar for a while, notably tied to a 2023 attack on a major research organization. They’re highly skilled at long-term espionage, focusing on strategic data theft. There’s some debate in the research community about whether UNC5221 is the same as another group called Silk Typhoon, but current analysis suggests they’re distinct, though they may share tactics or resources. There’s also evidence of collaboration with other Chinese threat actors in this campaign, likely working in a coordinated ecosystem where different groups handle specific roles—some focus on initial access, others on persistence or data exfiltration. It’s a networked approach that makes attribution and defense incredibly challenging.
Which industries or organizations bore the brunt of this BrickStorm campaign, and why do you think they were chosen?
The primary targets included legal services, software-as-a-service (SaaS) providers, technology companies, and business process outsourcing firms. These sectors are goldmines for espionage because they hold sensitive data—think proprietary source code, client information, or critical infrastructure details. SaaS providers, for instance, are attractive because breaching one can give access to numerous downstream customers. Legal and tech firms often have intellectual property or trade secrets that can be weaponized, either for competitive advantage or to develop new exploits. The attackers seem to be playing a long game, targeting entities that offer both immediate value and a gateway to broader networks.
How did the attackers initially gain access to these networks, and what challenges do researchers face in identifying those entry points?
In at least one documented case, they exploited a zero-day vulnerability in an Ivanti product—a flaw unknown to the vendor or public at the time, giving defenders no chance to patch it. Zero-days are like skeleton keys; they let attackers slip in before anyone even knows the lock is broken. However, because the attackers lingered for so long—nearly 400 days on average—tracing the initial access vector is often like finding a needle in a haystack. Logs get overwritten, systems get updated, and evidence erodes over time. Researchers have to rely on incomplete data or behavioral patterns, which makes pinpointing that first step a real puzzle, especially when attackers cover their tracks so well.
What makes BrickStorm malware so effective at evading detection?
BrickStorm is a masterclass in stealth. It’s a backdoor designed to operate quietly, avoiding the kind of noisy behavior that triggers alerts. It often resides on appliances that aren’t monitored by traditional security tools, so there’s no antivirus or EDR to flag it. It also uses legitimate system processes and stolen credentials to blend in, making its activity look like normal admin behavior. Plus, it’s tailored for specific environments like Linux- or BSD-based systems, which are less commonly scrutinized. It’s not just about being invisible; it’s about living in the shadows of systems that most organizations don’t watch closely.
Why are the attackers so focused on VMware systems like vCenter and ESXi hosts after breaching network appliances?
VMware systems are a jackpot for attackers because they’re often the backbone of an organization’s virtual infrastructure. Gaining control of a vCenter server or ESXi host gives you oversight of multiple virtual machines, potentially across an entire network. It’s like getting the keys to the kingdom—you can monitor, manipulate, or steal data from numerous systems at once. The attackers typically pivot from compromised network appliances to these VMware systems using stolen credentials, captured by BrickStorm. From there, they can escalate privileges or deploy additional tools, making it a strategic stepping stone for deeper network dominance.
What is your forecast for the evolution of threats like BrickStorm in the coming years?
I think we’re going to see more of these slow, stealthy campaigns that prioritize persistence over immediate impact. As organizations bolster their perimeter defenses, attackers will continue targeting overlooked systems like appliances or virtual infrastructure, where security gaps often persist. I expect malware like BrickStorm to become even more modular and adaptable, with variants for different platforms—there’s already talk of a Windows version. Additionally, the focus on intellectual property theft and zero-day development signals a future where attackers don’t just exploit flaws; they create them by reverse-engineering stolen code. It’s a sobering trend, and it means businesses need to rethink how they protect not just their data, but the very tools and systems they rely on.
