Article Details

Scrape Timestamp (UTC): 2025-12-04 22:14:34.945

Source: https://www.theregister.com/2025/12/04/prc_spies_brickstrom_cisa/

Original Article Text


PRC spies Brickstromed their way into critical US networks and remained hidden for years

'Dozens' of US orgs infected

Chinese cyberspies maintained long-term access to critical networks – sometimes for years – and used this access to infect computers with malware and steal data, according to Thursday warnings from government agencies and private security firms.

PRC-backed goons infected at least eight government services and IT organizations with Brickstorm backdoors, according to a joint security alert from the US Cybersecurity and Infrastructure Security Agency, the US National Security Agency, and the Canadian Cyber Security Centre.

However, "it's a logical conclusion to assume that there are additional victims out there until we have not yet had the opportunity to communicate with," CISA's Nick Andersen, executive assistant director for cybersecurity, told reporters on Thursday, describing Brickstorm as a "terribly sophisticated piece of malware."

The backdoor works across Linux, VMware, and Windows environments, and while Andersen declined to attribute the malware infections to a specific People's Republic of China cyber group, he said it illustrates the threat PRC crews pose to US critical infrastructure. "State-sponsored actors are not just infiltrating networks," Andersen said. "They're embedding themselves to enable long term access, disruption, and potential sabotage."

In one incident that CISA responded to, the PRC goons gained access to the organization's internal network in April 2024, uploaded Brickstorm to an internal VMware vCenter server, and used the backdoor for persistent access until at least September 3. While in the victim's network, the crew also gained access to two domain controllers and an Active Directory Federation Services server, which they used to steal cryptographic keys.
Google Threat Intelligence, which first sounded the alarm on Brickstorm in a September report, "strongly" recommended organizations run the open-source scanner that Google-owned Mandiant published on GitHub to help detect the backdoor on their appliances.

"We believe dozens of organizations in the US have been impacted by Brickstorm, not including downstream victims," Google Threat Intelligence Group principal analyst Austin Larsen told The Register. "These actors are still actively targeting US organizations and are evolving Brickstorm and their techniques after our September report."

Google's Mandiant incident response team has been dealing with these intrusions since March, and in its earlier report attributed them to UNC5221, a suspected Chinese group.

"Mandiant has responded to intrusions across several industry verticals, particularly legal services, software-as-a-service providers, business process outsourcers, and technology companies," Larsen said. "The targeting of SaaS providers and edge device manufacturers specifically serves as a method to gain access to downstream targets."

In a separate report published Thursday, CrowdStrike attributed the backdoor to a new China-nexus gang it calls Warp Panda, active since at least 2022, and said it has identified "multiple" intrusions targeting VMware environments at US-based legal, technology, and manufacturing organizations. The suspected Chinese spy crew used one of these compromised networks to perform "rudimentary reconnaissance" activities against an Asia-Pacific government entity, and they also connected to cybersecurity blogs and a Mandarin-language GitHub repository.

"During at least one intrusion, the adversary specifically accessed email accounts of employees who work on topics that align with Chinese government interests," the researchers wrote.
A spokesperson declined to say how many of these break-ins the security shop observed. CrowdStrike described a method similar to those detailed by Google and CISA, saying that Warp Panda typically gains access to victims' networks by exploiting internet-facing edge devices and then pivots to vCenter environments, using valid credentials or exploiting vulnerabilities.

In one instance detailed in the report, Warp Panda gained initial access to the compromised network in late 2023, and in addition to dropping Brickstorm on VMware vCenter servers, the crew also deployed two previously unobserved Go-based implants called Junction and GuestConduit on ESXi hosts and guest VMs, respectively. On "numerous occasions," the spies collected and prepared sensitive data for exfiltration.

Warp Panda also broke into "multiple" organizations' Microsoft Azure environments in late summer, primarily to access Microsoft 365 data stored in OneDrive, SharePoint, and Exchange, according to CrowdStrike. In one instance, the spies obtained user session tokens and tunneled traffic through Brickstorm implants to access Microsoft 365 services via session replay. "The adversary further accessed and downloaded sensitive SharePoint files related to an entity's network engineering and incident response teams," the threat hunters wrote. Additionally, in at least one case, the network intruders established persistence by registering a new multifactor authentication (MFA) device via an authenticator app code after initially logging into a user account.

Palo Alto Networks' Unit 42 consultants and incident responders are also monitoring this backdoor and its operators, Pete Renals, director of national security programs at Palo Alto Networks' Unit 42, told The Register.
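The two Microsoft 365 persistence behaviours CrowdStrike describes above (a stolen session token replayed through a Brickstorm tunnel from a second IP, and a new MFA method enrolled shortly after a sign-in from an address the account had never used) both leave traces in identity logs. The following Python is an added hunting sketch, not code from the article, CISA, CrowdStrike or Google: it runs both checks over constructed sample events. The record layout is a simplified assumption loosely modelled on Entra ID sign-in and audit logs; field names such as `session_id` and the activity string `"User registered security info"` are assumed here, not quoted from the article.

```python
"""Hunt for two Brickstorm-style M365 persistence patterns in identity logs.

1. Session replay: a session ID minted by an interactive sign-in from one IP is
   later used non-interactively from a different IP with no fresh interactive
   authentication in between (token reuse through a tunnel).
2. MFA enrollment after a suspicious sign-in: an authentication method is
   registered within a short window of a sign-in from an IP the account had
   never used before.

Record shapes are a simplified stand-in for Entra sign-in/audit logs (assumption).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry, not real data.
SIGNINS = [
    {"user": "alice@corp.example", "time": "2025-08-20T08:02:00Z", "ip": "198.51.100.10",
     "session_id": "s-1001", "interactive": True},
    {"user": "alice@corp.example", "time": "2025-08-20T08:20:00Z", "ip": "198.51.100.10",
     "session_id": "s-1001", "interactive": False},
    # Same session, new IP, no fresh interactive auth: a replayed token.
    {"user": "alice@corp.example", "time": "2025-08-20T09:45:00Z", "ip": "203.0.113.77",
     "session_id": "s-1001", "interactive": False},
    {"user": "bob@corp.example", "time": "2025-08-21T07:00:00Z", "ip": "198.51.100.22",
     "session_id": "s-2001", "interactive": True},
    {"user": "bob@corp.example", "time": "2025-08-21T07:30:00Z", "ip": "198.51.100.22",
     "session_id": "s-2001", "interactive": False},
]

AUDITS = [
    # Authenticator registered 12 minutes after the replayed session appeared.
    {"user": "alice@corp.example", "time": "2025-08-20T09:57:00Z", "ip": "203.0.113.77",
     "activity": "User registered security info", "detail": "Microsoft Authenticator app"},
    # Routine enrollment from a known IP; must not alert.
    {"user": "bob@corp.example", "time": "2025-08-21T07:35:00Z", "ip": "198.51.100.22",
     "activity": "User registered security info", "detail": "Microsoft Authenticator app"},
]


def _t(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def find_session_replay(signins):
    """Return (user, session_id, origin_ip, replay_ip) for every non-interactive
    use of a session from an IP other than the one that interactively minted it."""
    origin = {}  # session_id -> IP of the most recent interactive sign-in
    hits = []
    for ev in sorted(signins, key=lambda e: _t(e["time"])):
        sid = ev["session_id"]
        if ev["interactive"]:
            origin[sid] = ev["ip"]  # a fresh auth legitimately rebinds the session
        elif sid in origin and ev["ip"] != origin[sid]:
            hits.append((ev["user"], sid, origin[sid], ev["ip"]))
    return hits


def find_mfa_after_new_ip(signins, audits, window=timedelta(hours=1)):
    """Return (user, registration_time, suspicious_ip) for MFA-method registrations
    that follow, within `window`, a sign-in from an IP the user had never used."""
    by_user = defaultdict(list)
    for ev in sorted(signins, key=lambda e: _t(e["time"])):
        by_user[ev["user"]].append(ev)

    hits = []
    for audit in audits:
        if audit["activity"] != "User registered security info":
            continue
        at = _t(audit["time"])
        known = set()  # IPs seen for this user before the registration
        for ev in by_user[audit["user"]]:
            if _t(ev["time"]) > at:
                break
            # The very first IP ever seen is the baseline, not "new".
            is_new_ip = bool(known) and ev["ip"] not in known
            known.add(ev["ip"])
            if is_new_ip and at - _t(ev["time"]) <= window:
                hits.append((audit["user"], audit["time"], ev["ip"]))
                break
    return hits


if __name__ == "__main__":
    for hit in find_session_replay(SIGNINS):
        print("session replay:", hit)
    for hit in find_mfa_after_new_ip(SIGNINS, AUDITS):
        print("MFA enrolled after new-IP sign-in:", hit)
```

Both functions are hunt leads rather than blocks: a user who changes networks and then enrolls a new phone trips the second check legitimately, so an analyst should pivot from a hit to the surrounding sign-ins (device, user agent, application) before acting. When porting this to real Entra ID data, the session identifier and interactive flag come from the sign-in log and the enrollment event from the audit log; confirm the exact activity names against your tenant's export rather than the strings assumed here.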
"Unit 42 remains concerned by the extended dwell time and persistent access these actors maintain within Information Technology and Government networks, which obscure the full scope of their activities and the potential damage caused," Renals said. "In addition to Brickstorm, UNC5221 continues to leverage unique malicious files for persistence, planting custom backdoors within the network with no crossover from victim to victim, making detection exceptionally difficult."

Daily Brief Summary

NATION STATE ACTIVITY // PRC-Backed Brickstorm Malware Breaches Critical US Networks for Years

Chinese cyber operatives infiltrated critical US networks and maintained access, sometimes for years, using the Brickstorm backdoor; a joint CISA, NSA and Canadian Cyber Security Centre alert counts at least eight government services and IT organizations infected, with more victims expected.

The malware operates across Linux, VMware, and Windows environments, enabling long-term access, data theft, and potential sabotage, posing significant risks to US infrastructure.

Google's Mandiant has responded to these intrusions since March, attributed them in its September report to UNC5221, a suspected Chinese group, and strongly recommends running the open-source scanner Mandiant published on GitHub to detect the backdoor on appliances.

CrowdStrike attributed Brickstorm to a new China-nexus group it calls Warp Panda, active since at least 2022, which exploits internet-facing edge devices, pivots to VMware vCenter environments, and separately broke into Microsoft Azure environments to reach Microsoft 365 data in OneDrive, SharePoint, and Exchange.

The attackers replayed stolen user session tokens tunneled through Brickstorm implants to reach Microsoft 365 services and, in at least one case, registered a new MFA device on a compromised account to maintain persistence; on numerous occasions they staged sensitive data for exfiltration.

Security agencies, including CISA and NSA, issued warnings and are actively monitoring the situation, emphasizing the ongoing threat from state-sponsored cyber activities.

The extended dwell time and persistent access complicate detection and response efforts, highlighting the need for enhanced cybersecurity measures and vigilance across affected sectors.