Organizations should expect a sophisticated China-linked hacking campaign to linger in their networks for at least the next two years, according to a warning from Google that stresses the urgency of dealing with it.
Google's Threat Intelligence Group recently published its ongoing investigation into a backdoor named BRICKSTORM, which has let the attackers keep access to U.S. organizations for an average of 393 days. Mandiant, Google's cybersecurity consulting arm, has been responding to these incidents since March 2025.
Targeted Industries Under Threat
The BRICKSTORM attacks target a range of sectors, with a particular focus on:
- Legal services
- Software-as-a-Service (SaaS) providers
- Business Process Outsourcing (BPOs)
- Technology companies
Google's investigations indicate that legal groups are targeted for sensitive information related to U.S. national security and international trade; SaaS providers are used as stepping stones into their customers' data and environments; and technology companies are prized for intellectual property, especially source code, which attackers can mine for undisclosed flaws to exploit elsewhere.
Understanding Zero-Day Vulnerabilities
The report explains why these targets matter: “The value of these targets extends beyond typical espionage missions…” A zero-day vulnerability is a flaw that the vendor does not yet know about or has not yet patched, so no fix exists at the moment it is exploited. Stolen source code shortens the path to finding such flaws, which is why intellectual-property theft from technology companies feeds further attacks rather than ending with the initial breach.
The Face Behind the Threat: UNC5221
The activity is attributed primarily to a group tracked as UNC5221, together with other closely related China-nexus clusters. Their stealth is the main concern.
Why Are Hackers So Successful?
The attackers stay hidden for long periods by deploying BRICKSTORM on systems that cannot run the Endpoint Detection and Response (EDR) or antivirus agents found on ordinary endpoints such as workstations and phones. Instead, they target network appliances such as:
- Routers
- Firewalls
- Email security gateways
- Virtualization management servers and hypervisor hosts
UNC5221 regularly targets VMware vCenter servers and ESXi hosts in particular. Because these appliances do not support EDR agents, a backdoor on them produces little of the telemetry defenders normally rely on, which is what makes the intrusions so hard to detect.
How Can Organizations Protect Themselves?
Mandiant has released a free scanner to detect BRICKSTORM. The tool searches files for unique strings and hex byte patterns associated with the malware, which means it finds the variants it has signatures for; a clean scan is not proof that an appliance is uncompromised.
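As an added illustration of what a scanner of this kind does (this is example code written for this page, not Mandiant's BRICKSTORM scanner, and every indicator value in it is a constructed placeholder rather than a real BRICKSTORM IOC), here is a small Python sweep that compiles string and hex indicators, including single-byte wildcards, into byte regexes and walks a filesystem looking for them. It also handles the boundary case a naive one-chunk search misses: a pattern that straddles two read chunks. The sample files it scans are fabricated inside the script.

```python
"""Indicator sweep over an appliance filesystem, in the style of a string/hex-pattern scanner.

Added example for this page; it is NOT Mandiant's BRICKSTORM scanner, and the
indicator values below are CONSTRUCTED placeholders, not real BRICKSTORM IOCs.
"""
import os
import re
import tempfile
from dataclasses import dataclass

# Hypothetical indicators: (name, kind, pattern).
#   "ascii" - literal byte string
#   "hex"   - space-separated hex bytes; "??" is a single-byte wildcard
HYPOTHETICAL_INDICATORS = [
    ("example_c2_path", "ascii", "/example/brickstorm_demo/beacon"),
    ("example_hex_prologue", "hex", "DE AD ?? EF 00 01"),
]


@dataclass(frozen=True)
class Indicator:
    name: str
    regex: re.Pattern
    max_len: int  # longest possible match, used to size the chunk overlap


def compile_indicator(name: str, kind: str, pattern: str) -> Indicator:
    """Turn one indicator definition into a compiled bytes regex."""
    if kind == "ascii":
        raw = pattern.encode()
        return Indicator(name, re.compile(re.escape(raw), re.DOTALL), len(raw))
    if kind == "hex":
        tokens = pattern.split()
        body = b"".join(
            b"." if t == "??" else re.escape(bytes([int(t, 16)])) for t in tokens
        )
        return Indicator(name, re.compile(body, re.DOTALL), len(tokens))
    raise ValueError(f"unknown indicator kind: {kind}")


def scan_file(path: str, indicators: list, chunk_size: int = 1 << 20) -> list:
    """Return [(indicator_name, byte_offset), ...] for every match in the file.

    The file is read in chunks; the tail of the previous chunk is carried over
    so a pattern straddling a chunk boundary is still found, exactly once.
    """
    overlap = max((i.max_len for i in indicators), default=1) - 1
    hits, seen = [], set()
    tail, base = b"", 0  # base = file offset of the next byte to be read
    with open(path, "rb") as fh:
        while True:
            data = fh.read(chunk_size)
            if not data:
                break
            buf = tail + data
            buf_base = base - len(tail)
            for ind in indicators:
                for m in ind.regex.finditer(buf):
                    key = (ind.name, buf_base + m.start())
                    if key not in seen:  # the overlap region is seen twice
                        seen.add(key)
                        hits.append(key)
            base += len(data)
            tail = buf[-overlap:] if overlap else b""
    return hits


def scan_tree(root: str, indicators: list, max_size: int = 256 << 20,
              chunk_size: int = 1 << 20) -> dict:
    """Walk a directory and map relative path -> hits for files with matches."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            if os.path.islink(path):  # do not follow links out of the tree
                continue
            try:
                if os.path.getsize(path) > max_size:
                    continue
                hits = scan_file(path, indicators, chunk_size)
            except OSError:  # device nodes, permission errors, races
                continue
            if hits:
                results[os.path.relpath(path, root)] = hits
    return results


def demo() -> dict:
    """Scan a constructed sample tree with a tiny chunk size so the
    chunk-boundary logic is exercised. All sample files are fabricated."""
    indicators = [compile_indicator(*spec) for spec in HYPOTHETICAL_INDICATORS]
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "clean.bin"), "wb") as f:
            f.write(b"A" * 4096)
        with open(os.path.join(root, "suspect.bin"), "wb") as f:
            f.write(b"x" * 100 + b"/example/brickstorm_demo/beacon"
                    + b"y" * 50 + bytes.fromhex("deadbeef0001"))
        with open(os.path.join(root, "split.bin"), "wb") as f:
            # pattern starts at offset 13 and crosses the 16-byte chunk edge
            f.write(b"Z" * 13 + bytes.fromhex("dead00ef0001"))
        return scan_tree(root, indicators, chunk_size=16)


if __name__ == "__main__":
    for path, hits in sorted(demo().items()):
        for name, offset in hits:
            print(f"{path}: {name} at offset {offset}")
```

Run a sweep like this on the appliance itself (a vCenter server or ESXi host, for example), because that is exactly where EDR coverage is missing. A signature sweep only finds the patterns it knows: a result with no hits does not establish that a host is clean, and the indicators to use must come from the vendor's published scanner, not from this example's placeholders.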
Charles Carmakal, Mandiant Consulting’s Chief Technology Officer, indicated that companies can expect to hear about this persistent cyber threat for the foreseeable future. As businesses begin to scan their systems, he believes more vulnerabilities will surface, raising awareness about this ongoing threat.
As new details unfold and more companies acknowledge their breaches, it’s essential for organizations to remain vigilant and proactive.
What is BRICKSTORM malware and how does it infect networks? BRICKSTORM is a backdoor that gives attackers long-term, persistent access to compromised systems. It is deployed on network appliances and virtualization hosts that cannot run EDR or antivirus agents, so it escapes the monitoring applied to ordinary endpoints.
How are legal services particularly targeted by hackers? Legal organizations are prime targets for hackers due to the sensitive national security and trade information they handle, making them a valuable source of data for cyberespionage.
What steps can businesses take to enhance their cybersecurity? Companies should implement comprehensive security protocols, including regular system scans, continuous monitoring for unusual activities, and utilizing specialized detection tools like Mandiant’s scanner.
Could the BRICKSTORM hacks lead to zero-day vulnerabilities? Yes. Source code and other data stolen through BRICKSTORM can help attackers find unpatched flaws and develop further attacks against other systems.
In a rapidly evolving cyber landscape, staying informed and prepared is crucial. Identify and mitigate threats before they escalate. For more insightful content on cybersecurity, explore resources at Moyens I/O.