Full Report
The researchers who uncovered the “very, very advanced adversary” behind the malware said it could be a big problem years into the future. The post Brickstorm malware powering ‘next-level’ Chinese cyberespionage campaign appeared first on CyberScoop.
Analysis Summary
# Threat Actor: Unnamed Adversary using Brickstorm Malware
## Attribution & Identity
The threat actor is described as an "ambitious, suspected Chinese hacker" group and an "exceptionally advanced adversary"; researchers referred to it as a "next-level threat." The researchers declined to attribute the activity directly to a Chinese government agency, but it overlaps with known Chinese hacking groups.
**Known Aliases/Associated Groups:**
* Overlap observed with **UNC5221** (known for exploiting Ivanti flaws).
* Overlap observed with **Silk Typhoon** (Microsoft's designation for a Chinese government-sponsored group).
## Activity Summary
This is a sophisticated cyberespionage campaign focused on long-term persistent access ("dwell time" averaging 400 days). The primary goals are stealing intellectual property, mining national security and trade intelligence, and mining stolen source code for zero-day vulnerabilities to use in future operations. The hackers establish stealthy footholds within target networks and often remain undetected for long periods. They also use that access to pivot into the "downstream" customers of their direct targets.
## Tactics, Techniques & Procedures
* **Long Dwell Time:** Average 400 days, indicating extreme stealth and persistence.
* **Targeting Systems Without EDR Coverage:** Favoring appliances that typically cannot run endpoint detection and response agents (e.g., email security gateways, vulnerability scanners), so host-level telemetry is absent where the implant lives.
* **Targeting Virtualization Infrastructure:** Consistently targeting **VMware vCenter** and **ESXi** hosts.
* **Anti-Forensic Techniques:** Attackers "clean up after themselves" at times.
* **Signature Evasion:** The file hash of the deployed sample is different at essentially every compromised system, so known-bad hash indicators collected at one victim do not match the sample at another.
* **Infrastructure Obscurity:** The attacker infrastructure (IP addresses) used against one victim shows no observable overlap with that used against another, making infrastructure-based tracking and pivoting difficult.
## Targeting
* **Sectors:** Legal services organizations and technology companies that provide security services (SaaS providers).
* **Geography:** U.S. target networks were specifically mentioned, but the full geographic scope is unknown.
* **Victims:** Direct targets include legal and security tech firms; "downstream" customers of these primary targets using services from the compromised entities are also being infiltrated. Researchers declined to confirm if U.S. federal agencies are among the victims.
## Tools & Infrastructure
* **Malware Families Used:** **Brickstorm** (the primary malware powering the campaign).
* **Infrastructure (C2, domains, IPs):** Not detailed in the provided text, only that the attackers' infrastructure shows no overlap between victims.
* **Detection Tool:** Mandiant developed a public scanner for potential victims to check for Brickstorm activity.
## Implications
This is considered a "next-level threat" due to its extreme stealth, complexity, and unusually long dwell times. The focus on stealing IP from security firms to find future zero-day vulnerabilities presents a significant, long-term risk for the global security landscape, potentially enabling future supply chain attacks. Many victim organizations are currently unaware they have been compromised.
## Mitigations
* Utilize the provided scanner/tool from Mandiant/Google to hunt for evidence of Brickstorm activity retrospectively or currently.
* Focus threat hunting efforts on environments lacking traditional EDR visibility, specifically **VMware vCenter** and **ESXi** hosts.
* Assume potential compromise through third-party security service providers due to the downstream targeting methodology.
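The per-sample hash evasion noted under Tactics and the hunting guidance for vCenter/ESXi hosts above point to the same practical consequence: on appliances that cannot run EDR, a known-bad hash list is nearly useless, but a known-good manifest of the host's persistence paths still catches a new or altered file whatever its hash is. The script below is an added example, not code from the CyberScoop article or from Mandiant's scanner. It snapshots a directory tree to a hash manifest and later reports anything new, changed or missing. The ESXi paths in the usage comment are illustrative assumptions, and the data the test runs on is constructed.

```shell
#!/bin/sh
# Added example (not from the article or from Mandiant's scanner): hash-agnostic
# hunting for appliance-style hosts (ESXi, vCenter, gateways) that cannot run EDR.
# Per-victim samples defeat known-bad hash lists, so instead record a known-good
# manifest of the host's startup/persistence paths and report every deviation.
# ESXi paths named in the usage comment are assumptions; test data is constructed.

# Print the SHA-256 of one file, using whichever tool the host provides.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Emit "<sha256>TAB<relative path>" for every regular file under $1, sorted,
# so the manifest is stable and can be diffed or stored off-host.
build_baseline() {
    ( cd "$1" && find . -type f | sort | while IFS= read -r f; do
        printf '%s\t%s\n' "$(hash_file "$f")" "${f#./}"
    done )
}

# Compare the current state of directory $2 against manifest $1 and print one
# line per finding: NEW, CHANGED or MISSING followed by the relative path.
# Nothing here needs to know what a malicious file looks like.
diff_baseline() {
    cur=$(mktemp)
    build_baseline "$2" > "$cur"
    awk -F'\t' '
        FILENAME == ARGV[1] { base[$2] = $1; next }
        { now[$2] = $1 }
        END {
            for (p in now)  if (!(p in base))                     print "NEW " p
            for (p in now)  if ((p in base) && now[p] != base[p]) print "CHANGED " p
            for (p in base) if (!(p in now))                      print "MISSING " p
        }' "$1" "$cur" | sort
    rm -f "$cur"
}

# Usage on a real host (assumption: ESXi shell, where /etc/rc.local.d/local.sh is
# the persistent startup script and a natural first place to baseline):
#   sh hunt.sh snapshot /etc/rc.local.d > baseline.tsv   # at a known-good time
#   sh hunt.sh check baseline.tsv /etc/rc.local.d        # then on a schedule
case "${1:-}" in
    snapshot) build_baseline "$2" ;;
    check)    diff_baseline "$2" "$3" ;;
esac
```

Keep the manifest off the host it describes, since an adversary that cleans up after itself can just as easily rewrite a baseline stored next to the files it covers. Every CHANGED or NEW line is a lead to review by hand, not a verdict; the point is that the check does not depend on a hash the adversary has already changed.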