Full Report
'Dozens' of US orgs infected

Chinese cyberspies maintained long-term access to critical networks – sometimes for years – and used this access to infect computers with malware and steal data, according to Thursday warnings from government agencies and private security firms.…
Analysis Summary
# Threat Actor: PRC State-Sponsored Actors (Associated with Brickstorm, potential link to UNC5221)
## Attribution & Identity
* **Attribution:** People's Republic of China (PRC) state-sponsored actors.
* **Known Aliases/Associated Groups:**
  * Earlier Mandiant attribution: the group is not named, but it is associated with intrusions dating back to March.
  * **Warp Panda:** A new China-nexus gang identified by CrowdStrike, active since at least 2022.
  * **UNC5221:** Mentioned by Palo Alto Networks/Unit 42 as leveraging similar persistence techniques alongside Brickstorm.
## Activity Summary
Dozens of US organizations have been infected by these actors, who maintained long-term access (sometimes for years) to critical networks. The primary goal involves embedding themselves for long-term access, disruption, data theft, and potential sabotage. Activity includes exploiting edge devices, gaining access to VMware environments, stealing cryptographic keys, and exfiltrating data from Microsoft 365 services. Actors were observed actively targeting organizations even after public disclosure (September report).
## Tactics, Techniques & Procedures
- **Initial Access:** Exploiting internet-facing edge devices.
- **Persistence/Core Malware:** Deploying the sophisticated **Brickstorm** backdoor across Linux, VMware, and Windows environments.
- **Lateral Movement:** Pivoting to vCenter environments, often using valid credentials or vulnerabilities.
- **Privilege Escalation/Persistence:** Gained access to domain controllers and Active Directory Federation Services (ADFS) servers to steal cryptographic keys. In one instance, established persistence by registering a new MFA device using an authenticator app code after initial user account login.
- **Additional Malware/Implants:** Deployed Go-based implants named **Junction** (on ESXi hosts) and **GuestConduit** (on guest VMs).
- **Reconnaissance:** Performed rudimentary reconnaissance against an Asia-Pacific government entity.
- **Data Theft:** Accessed and downloaded sensitive SharePoint files, particularly those related to network engineering and incident response teams.
- **C2 Evasion:** Used Brickstorm implants to tunnel traffic and perform session replay against Microsoft 365 services.
- **Customization:** UNC5221 is noted for leveraging unique malicious files for persistence with no crossover between victims, making detection difficult.
- **MITRE ATT&CK IDs:** Not explicitly mentioned in the text.
## Targeting
- **Sectors:** Government services, IT organizations, legal services, software-as-a-service (SaaS) providers, business process outsourcers, technology companies, and manufacturing organizations.
- **Geography:** Primarily US organizations; reconnaissance noted against an Asia-Pacific government entity.
- **Victims:** Dozens of organizations in the US; specific entities were not named publicly, though CISA responded to at least one incident involving government services and IT organizations. Targeting SaaS providers and edge device manufacturers suggests aiming for downstream victims.
## Tools & Infrastructure
- **Malware Families Used:** Brickstorm (backdoor), Junction (Go-based implant), GuestConduit (Go-based implant).
- **Infrastructure:**
  - Connected to cybersecurity blogs and a Mandarin-language GitHub repository during intrusions.
  - Accessed Microsoft 365 (OneDrive, SharePoint, Exchange).
  - No specific defanged URLs or IPs were provided in the summary text.
## Implications
This threat actor demonstrates a concerted effort by PRC-backed cyberspies to establish deep, long-term, and resilient access within critical US infrastructure and technology ecosystems. The use of sophisticated, customized malware (Brickstorm, Junction, GuestConduit) spanning multiple operating/virtualization environments (Linux, Windows, VMware) highlights high operational security and a focus on strategic compromise rather than opportunistic attacks. The ability to steal cryptographic keys and maintain access for years suggests objectives related to intelligence gathering, espionage, disruption, and potential sabotage of critical services.
## Mitigations
- Run the open-source scanner published by Mandiant on GitHub to detect the Brickstorm backdoor on appliances.
- Scrutinize hypervisor environments (specifically VMware vCenter servers and ESXi hosts) for evidence of Brickstorm, Junction, or GuestConduit.
- Monitor for unusual activity related to accessing ADFS servers or domain controllers for cryptographic key theft.
- Review M365 logs for session replay attacks or anomalous access to OneDrive/SharePoint via session tokens.
- Review MFA registration activity for newly added devices on user accounts; a device registered shortly after a sign-in may indicate persistence established after the initial compromise.
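The two log-review mitigations above (anomalous MFA device registration and session-token replay against SharePoint/OneDrive) can be turned into simple detection logic. The following is an added example, not code from the original article or from any of the vendors named; it runs over constructed records whose field names approximate a simplified Microsoft 365 unified audit log export, and the operation names it matches on are assumptions to be adjusted to a real tenant's export.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (simplified, not real telemetry): alice signs in,
# an MFA method is registered 20 minutes later from a different IP, and her
# session ID is then used for SharePoint downloads from both IPs. bob is benign.
SAMPLE_LOG = """\
{"CreationTime":"2025-03-01T08:00:00","Operation":"UserLoggedIn","UserId":"alice@example.test","ClientIP":"203.0.113.10","SessionId":"s1"}
{"CreationTime":"2025-03-01T08:20:00","Operation":"User registered security info","UserId":"alice@example.test","ClientIP":"198.51.100.7","SessionId":"s1"}
{"CreationTime":"2025-03-01T09:00:00","Operation":"FileDownloaded","UserId":"alice@example.test","ClientIP":"203.0.113.10","SessionId":"s1","Workload":"SharePoint"}
{"CreationTime":"2025-03-01T09:05:00","Operation":"FileDownloaded","UserId":"alice@example.test","ClientIP":"198.51.100.7","SessionId":"s1","Workload":"SharePoint"}
{"CreationTime":"2025-03-01T10:00:00","Operation":"UserLoggedIn","UserId":"bob@example.test","ClientIP":"203.0.113.11","SessionId":"s2"}
{"CreationTime":"2025-03-01T10:30:00","Operation":"FileDownloaded","UserId":"bob@example.test","ClientIP":"203.0.113.11","SessionId":"s2","Workload":"SharePoint"}
"""

# Assumed operation names for MFA method registration; adjust to your export.
MFA_REG_OPS = {"User registered security info"}
FILE_WORKLOADS = {"SharePoint", "OneDrive"}

def parse_log(text):
    """Parse newline-delimited JSON records and sort them by time."""
    recs = [json.loads(line) for line in text.splitlines() if line.strip()]
    for r in recs:
        r["CreationTime"] = datetime.fromisoformat(r["CreationTime"])
    return sorted(recs, key=lambda r: r["CreationTime"])

def find_mfa_registration_after_login(records, window=timedelta(hours=24)):
    """Flag MFA registrations within `window` of a sign-in from a different IP."""
    logins = defaultdict(list)  # user -> [(sign-in time, sign-in IP)]
    hits = []
    for r in records:
        if r["Operation"] == "UserLoggedIn":
            logins[r["UserId"]].append((r["CreationTime"], r["ClientIP"]))
        elif r["Operation"] in MFA_REG_OPS:
            for t, ip in logins[r["UserId"]]:
                if timedelta(0) <= r["CreationTime"] - t <= window and ip != r["ClientIP"]:
                    hits.append((r["UserId"], ip, r["ClientIP"], r["CreationTime"].isoformat()))
                    break
    return hits

def find_session_replay(records):
    """Flag (user, session) pairs whose file access comes from more than one IP."""
    ips = defaultdict(set)
    for r in records:
        if r.get("Workload") in FILE_WORKLOADS:
            ips[(r["UserId"], r["SessionId"])].add(r["ClientIP"])
    return {k: sorted(v) for k, v in ips.items() if len(v) > 1}

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("MFA registration after sign-in:", find_mfa_registration_after_login(recs))
    print("Session used from multiple IPs:", find_session_replay(recs))
```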