Alleged Chinese Hackers Using BRICKSTORM Malware Have Been Dwelling in Public Sector & IT Companies for Years Unobserved

December 10, 2025


Agencies are warning of yet another highly advanced, state-sponsored group of Chinese hackers, using malware that has been evading detection for years, with an average victim dwell time of 393 days.

CISA, the NSA and the Canadian Centre for Cyber Security are warning of yet another highly advanced, state-sponsored group of Chinese hackers that has been evading detection for years and has an average victim dwell time of 393 days. The group is thought to be a new one, separate from the similar “Typhoon” groups already found to be doing this sort of work, and deploys BRICKSTORM malware as its signature.

The most troubling aspect of this new warning is that BRICKSTORM was first publicly documented only a little over a year ago, yet CISA and the other agencies believe this group has been active since at least 2022, effectively undetected until that point. During this time it has primarily targeted US public sector organizations and IT companies, as well as Asia Pacific government agencies, and looks to compromise upstream service providers as a means of reaching their downstream clients.

BRICKSTORM malware now one of the world’s leading threats

The other troubling aspect is that there is still no good estimate of the number of victims, which may well mirror how the various “Typhoon” stories gradually grew in severity over the past two years. Google’s previous report on the BRICKSTORM malware said only that “dozens” of organizations in the US had been hit at that point, along with at least one additional unspecified government agency in the Asia Pacific region. The count is difficult to establish because of the sophistication and stealth of the Chinese hackers and their focus on upstream targets such as SaaS and security providers, with an unknown number of downstream clients then compromised in follow-on attacks.

One publicly named victim thus far is one of those security providers. The recently disclosed attack on F5 appears to be a BRICKSTORM malware incident, with the Chinese hackers first making landfall in its environment in 2023 and dwelling there for an extended period. CISA has indicated that one other unspecified US company was compromised by the Chinese hackers in April 2024 and did not detect and remove them until recently.

While the malware can be deployed on Windows systems, the Chinese hackers far more frequently target VMware. They also lead by scanning for known vulnerabilities, so it is crucial to keep VMware vSphere servers up to date and to keep potential “weak link” edge devices inventoried and monitored. The group’s prime interest is espionage targets that can provide valuable ongoing intelligence to the Chinese government, but it has also been observed seeking inside information about vulnerability research from the security firms it targets. It also heavily targets source code, reverse engineering it in the hope of developing new zero-days of its own to deploy.

Damage caused by advanced Chinese hackers continues to grow

The specific group of Chinese hackers behind the BRICKSTORM malware campaign is a new team being called “Warp Panda” by CrowdStrike. Google Threat Intelligence indicates this team is part of the “UNC5221” cluster that sometimes shares techniques and resources with Silk Typhoon among others, but the group appears to execute its operations independently.

Once it breaches a target network, the group should be expected to move laterally and establish command and control rapidly. BRICKSTORM has many advanced obfuscation elements to avoid detection and is highly persistent, reinstalling itself if it is tampered with or removed. The incident demonstrates the need for increased monitoring and visibility into potential threat activity at the hypervisor layer, since much of the attackers’ success has come from skilled deployment of virtual machines. The broader theme is a familiar one: in the age of advanced malware such as this, and with AI threats on the horizon, pattern-based detection is rapidly becoming insufficient.