Full Report
'Dozens' of US orgs infected

Chinese cyberspies maintained long-term access to critical networks – sometimes for years – and used this access to infect computers with malware and steal data, according to Thursday warnings from government agencies and private security firms.…
Analysis Summary
# Threat Actor: Warp Panda (Suspected Chinese Cyber Group)
## Attribution & Identity
Attributed to People's Republic of China (PRC) state-sponsored actors. Several vendor names are used in the reporting, and they do not necessarily describe exactly the same cluster:
* **Warp Panda** (CrowdStrike designation; tracked as active since at least 2022)
* **UNC5221** (an "uncategorized" cluster name in the Mandiant/Google naming scheme; Palo Alto Networks Unit 42 refers to it in connection with unique malicious files used for persistence. The report ties this name to the overall activity only by context, not by an explicit statement that the two clusters are identical.)
* Google/Mandiant attributed the earlier intrusions in this activity to a suspected China-nexus group.
## Activity Summary
The threat actors have conducted long-term intrusions, sometimes lasting years, against "dozens" of organizations in the US. The primary reported activity is the deployment of the **Brickstorm** backdoor on critical networks, giving the actors persistent access used for data theft; the reporting treats disruption or sabotage as a possible but unconfirmed follow-on.
Initial access typically goes through internet-facing edge devices or similar infrastructure components, from which the actors pivot into core systems such as VMware vCenter, domain controllers, and Azure/Microsoft 365 tenants. The reported activity runs from at least March/April 2024 (the incident described by CISA) through September 2025 (when the CISA alert was issued); CrowdStrike dates Warp Panda's activity back to 2022.
## Tactics, Techniques & Procedures
- **Initial Access:** Compromising internet-facing edge devices, using valid credentials or exploiting vulnerabilities in them, and pivoting from there to VMware vCenter environments.
- **Persistence & Backdoors:** Deploying the Brickstorm backdoor, primarily on VMware vCenter servers. Two previously unobserved Go-based implants were also used: **Junction** (on ESXi hosts) and **GuestConduit** (on guest VMs). UNC5221 is reported to use backdoors that are unique per victim, which limits the value of file hashes as shared indicators.
- **Lateral Movement & Privilege Escalation:** Gaining access to domain controllers and Active Directory Federation Services (AD FS) servers in order to steal cryptographic keys. AD FS signing keys are significant because whoever holds them can mint tokens that federated services such as Microsoft 365 will accept.
- **Cloud Compromise:** Breaking into Microsoft Azure environments to reach Microsoft 365 data (OneDrive, SharePoint, Exchange).
- **Collection and Staging:** Gathering sensitive data ahead of exfiltration, including downloading SharePoint files relating to network engineering and incident response, the kind of material that tells an intruder how the victim's network is built and how defenders would respond.
- **Credential & Session Theft:** Obtaining user session tokens through the Brickstorm implants and replaying them to access Microsoft 365 services, which bypasses the interactive sign-in (and its MFA prompt) entirely.
- **Identity Persistence:** After logging in as a compromised user, registering a new Multi-Factor Authentication (MFA) device by completing an authenticator-app code enrollment, so that the attacker holds a valid second factor even if the password is later changed.
- **Reconnaissance:** Performing rudimentary reconnaissance against an Asia-Pacific government entity that was discovered via a compromised network.
## Targeting
- **Sectors:** Government services, IT organizations, legal services, software-as-a-service (SaaS) providers, business process outsourcers, technology companies, and manufacturing organizations.
- **Geography:** Primarily US organizations. Also conducted reconnaissance against an Asia-Pacific government entity.
- **Victims:** "Dozens" of US organizations impacted, with specific impact noted on organizations running VMware environments. The targeting of SaaS providers and edge-device manufacturers indicates a supply-chain motive: access to a provider can be turned into access to its downstream customers.
## Tools & Infrastructure
- **Malware Families Used:**
- **Brickstorm** (backdoor; reportedly sophisticated, with variants for Linux, VMware appliances, and Windows).
- **Junction** (previously unobserved Go-based implant for ESXi hosts).
- **GuestConduit** (previously unobserved Go-based implant for guest VMs).
- **Observed Outbound Activity (not attacker-controlled infrastructure):** During intrusions the actors connected to cybersecurity blogs and to a Mandarin-language GitHub repository. These are worth noting in proxy logs from vCenter or ESXi hosts, which have no legitimate reason to browse such sites.
## Implications
The actors place a strong emphasis on maintaining long-term, persistent access within critical US networks, which points to espionage (with disruption or sabotage as a possible follow-on) rather than financial gain. Platform-specific malware for VMware vCenter and ESXi lands on hosts that usually carry no endpoint detection agent, and registering attacker-controlled MFA devices lets the actors survive password resets, so both techniques lengthen dwell time and complicate detection. Going after SaaS providers expands the impact footprint to those providers' customers.
## Mitigations
- Run the open-source **Brickstorm scanner** published by Mandiant on GitHub to detect the backdoor on appliances. Because the backdoors are reported to be unique per victim, treat a clean scan as one data point rather than proof of absence, and pair it with the log reviews below.
- Focus monitoring and defense efforts on **VMware vCenter**, Active Directory Federation Services (AD FS), and ESXi hosts, including outbound connections from those systems, which should be rare and predictable.
- Investigate for compromised Microsoft 365/Azure environments: review SharePoint and OneDrive access logs, and check for newly registered MFA devices on user accounts, especially registrations that occur shortly after a sign-in from an unfamiliar address or after a sign-in that did not itself satisfy MFA.
- Enhance detection for persistence mechanisms involving custom backdoors and for session-replay activity, where a token issued to one device is presented from another.
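The MFA-registration check above can be automated by correlating identity audit events with the sign-ins that preceded them. The script below is an added example written for this page, not code from the page's sources or from any vendor. It assumes an export of Entra ID sign-in and directory-audit records; the field names are modeled on Microsoft Graph `signIn` and `directoryAudit` objects, but the records themselves are constructed for the example and your export's shape may differ. It flags a security-info registration when a single-factor sign-in for the same user occurred within the preceding window (consistent with a replayed session token) or when the registration came from an IP address the user had never signed in from before that window.

```python
"""Flag MFA-device registrations that look like attacker persistence.

Added example for this page; not vendor code. Correlates Entra ID
directory-audit events ("User registered security info") with the
user's sign-in history. Field names follow Microsoft Graph signIn and
directoryAudit objects, but the sample records are constructed.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample sign-ins (not real data).
SIGNINS = [
    {"userPrincipalName": "jdoe@example.test", "createdDateTime": "2025-09-01T08:02:11Z",
     "ipAddress": "203.0.113.10", "authenticationRequirement": "multiFactorAuthentication"},
    {"userPrincipalName": "jdoe@example.test", "createdDateTime": "2025-09-02T08:05:40Z",
     "ipAddress": "203.0.113.10", "authenticationRequirement": "multiFactorAuthentication"},
    # Replayed session token: single-factor sign-in from an address never seen for this user.
    {"userPrincipalName": "jdoe@example.test", "createdDateTime": "2025-09-03T02:14:09Z",
     "ipAddress": "198.51.100.77", "authenticationRequirement": "singleFactorAuthentication"},
    {"userPrincipalName": "asmith@example.test", "createdDateTime": "2025-09-01T09:00:00Z",
     "ipAddress": "203.0.113.22", "authenticationRequirement": "multiFactorAuthentication"},
    {"userPrincipalName": "asmith@example.test", "createdDateTime": "2025-09-03T09:00:00Z",
     "ipAddress": "203.0.113.22", "authenticationRequirement": "multiFactorAuthentication"},
]

# Constructed sample directory-audit events (not real data).
AUDITS = [
    # New authenticator registered minutes after the anomalous sign-in above.
    {"activityDateTime": "2025-09-03T02:19:30Z",
     "activityDisplayName": "User registered security info",
     "initiatedBy": {"user": {"userPrincipalName": "jdoe@example.test",
                              "ipAddress": "198.51.100.77"}}},
    # Routine: user re-registers from their usual address after an MFA sign-in.
    {"activityDateTime": "2025-09-03T09:04:00Z",
     "activityDisplayName": "User registered security info",
     "initiatedBy": {"user": {"userPrincipalName": "asmith@example.test",
                              "ipAddress": "203.0.113.22"}}},
]


def _ts(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the exports."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_suspicious_registrations(signins, audits, window_minutes=30):
    """Return one finding per security-info registration that either
    (a) follows a non-MFA sign-in by the same user within the window, or
    (b) originates from an IP the user never signed in from before the window.
    Both thresholds are heuristics chosen for this example."""
    history = {}
    for s in signins:
        history.setdefault(s["userPrincipalName"], []).append(s)

    window = timedelta(minutes=window_minutes)
    findings = []
    for event in audits:
        if event.get("activityDisplayName") != "User registered security info":
            continue
        actor = event["initiatedBy"]["user"]
        upn, reg_ip = actor["userPrincipalName"], actor.get("ipAddress")
        reg_time = _ts(event["activityDateTime"])
        user_signins = history.get(upn, [])

        # Sign-ins in the window immediately before the registration.
        recent = [s for s in user_signins
                  if reg_time - window <= _ts(s["createdDateTime"]) <= reg_time]
        # Addresses the user used before that window form the baseline.
        baseline_ips = {s["ipAddress"] for s in user_signins
                        if _ts(s["createdDateTime"]) < reg_time - window}

        reasons = []
        if any(s["authenticationRequirement"] != "multiFactorAuthentication" for s in recent):
            reasons.append("single-factor sign-in preceded registration")
        if reg_ip and reg_ip not in baseline_ips:
            reasons.append(f"registration from previously unseen IP {reg_ip}")
        if reasons:
            findings.append({"user": upn, "time": event["activityDateTime"],
                             "ip": reg_ip, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_registrations(SIGNINS, AUDITS):
        print(finding)
```

On the constructed data the script reports only the `jdoe` registration, with both reasons attached, and stays silent on `asmith`, whose registration followed an MFA sign-in from a known address. In production the baseline should be built from weeks of sign-in history rather than the handful of records shown here, and a user with no baseline at all (a brand-new account) should be reviewed rather than auto-cleared.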