
Sophisticated threat group exploits network appliances lacking security tools to steal secrets and potentially develop zero-day exploits
A China-nexus cyber espionage group has been quietly infiltrating US technology companies, legal firms, and SaaS providers for over a year, maintaining persistent access through a stealthy backdoor called BRICKSTORM that lives on network appliances where endpoint security agents typically cannot be installed.
Google Threat Intelligence Group (GTIG) revealed that the threat actor, tracked as UNC5221, has remained undetected in victim environments for an average of 393 days (nearly 13 months) by specifically targeting edge devices like firewalls, VPN concentrators, and VMware systems that lack endpoint detection capabilities.
The attackers aren't just after typical corporate secrets. GTIG assesses with "high confidence" that targeting SaaS providers aims to gain access to downstream customer environments and the data these companies host on their clients' behalf. A single provider compromise can therefore fan out to every downstream customer whose data the provider holds, a supply-chain pattern rather than a one-victim intrusion.
"The value of these targets extends beyond typical espionage missions, potentially providing data to feed development of zero-days and establishing pivot points for broader access to downstream victims," GTIG researchers noted in their analysis published today.
Advanced Evasion Techniques
BRICKSTORM, written in Go for cross-platform compatibility, functions as both a backdoor and a SOCKS proxy. The malware demonstrates sophisticated operational security: researchers found no reuse of command-and-control domains across victims, so blocking or searching for a C2 domain seen at one victim offers little protection at another, and detection has to rest on behaviour rather than on known-bad infrastructure.
[Figure: BRICKSTORM targeting. Image: Google]
The threat actors employ particularly cunning methods, including:
- Exploiting zero-day vulnerabilities for initial access
- Cloning virtual machines that hold sensitive data, such as domain controllers with the Active Directory database, and harvesting the clone's disk offline so the copy is never powered on and no in-guest security tooling ever runs
- Installing memory-only Java servlet filters on VMware vCenter servers to capture login credentials as they are submitted, leaving nothing on disk
- Using legitimate administrator credentials recovered from password vaults and from PowerShell scripts that embed them
Unprecedented Persistence Methods
In one case, attackers deployed a BRICKSTORM variant with a built-in "delay" timer that waited months before beginning to communicate with its command server, demonstrating the long-term planning and patience typical of state-sponsored operations. It also means a clean network baseline captured during that dormant window proves little about whether an appliance is compromised.
The group also actively monitored victim response efforts, deploying new backdoors on internal systems even after organizations began incident response investigations. Remediation therefore has to be planned and executed in one coordinated pass across appliances and internal systems, or the actor simply re-establishes access from whichever foothold was missed.
Mandiant has released a free scanning tool on GitHub to help organizations detect BRICKSTORM infections on Linux and BSD-based appliances. The company strongly recommends organizations:
- Create comprehensive inventories of network appliances and edge devices, including their management interface addresses
- Monitor outbound internet traffic from appliance management interfaces and alert on destinations outside a known vendor, update, and logging allowlist
- Implement strict access controls so that appliance management interfaces cannot initiate connections into internal networks
- Enable centralized logging for VMware environments, so that vCenter events survive if the appliance itself is tampered with
- Enforce multi-factor authentication for all administrative interfaces
"A TTP-based hunting approach is not only an ideal practice, but a necessity to detect patterns of attack that are unlikely to be detected by traditional signature-based defenses," Mandiant researchers emphasized.
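To make the "monitor egress from management interfaces" and "keep appliances off the internal network" recommendations concrete, here is an added hunting script (written for this page; it is not GTIG or Mandiant tooling and not the scanner mentioned above). It reads constructed flow-log records of the form `timestamp,src,dst,dport,proto,bytes`, matches the source against an assumed appliance inventory, and flags any connection the appliance is not allowlisted to make, labelled by where it went: to the internet, into a protected internal segment, or to an unlisted internal host. All addresses, the inventory, the allowlist, and the sample flows are assumptions for illustration; `203.0.113.44` is a documentation-range address standing in for a public host.

```python
"""Hunt for anomalous connections initiated by network-appliance management interfaces.

Added example, not part of the original article or of any vendor tooling.
Deny-by-default model: an appliance management interface is expected to talk
only to an explicit allowlist; everything else is a finding worth triage.
"""
import ipaddress
from collections import defaultdict

# Constructed inventory (assumed): management IP -> appliance role.
APPLIANCE_INVENTORY = {
    "10.0.0.5": "firewall",
    "10.0.0.6": "vpn-concentrator",
    "10.0.0.20": "vcenter",
}

# Constructed allowlist (assumed): destinations each management interface may
# legitimately contact, e.g. the syslog collector and a backup server.
EGRESS_ALLOWLIST = {
    "10.0.0.5": {"10.0.5.10"},
    "10.0.0.6": {"10.0.5.10"},
    "10.0.0.20": {"10.0.5.10", "10.0.0.100"},
}

# Internal segments an appliance should never reach into (assumed ranges:
# workstations, servers, anything hosting domain controllers).
PROTECTED_SEGMENTS = [ipaddress.ip_network("10.10.0.0/16")]

# RFC 1918 space; anything outside it is treated as "the internet".
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_flow(line):
    """Parse 'ts,src,dst,dport,proto,bytes' into a dict; None for malformed lines."""
    parts = line.strip().split(",")
    if len(parts) != 6:
        return None
    ts, src, dst, dport, proto, nbytes = parts
    try:
        ipaddress.ip_address(src)
        ipaddress.ip_address(dst)
        return {"ts": ts, "src": src, "dst": dst,
                "dport": int(dport), "proto": proto, "bytes": int(nbytes)}
    except ValueError:
        return None


def classify(flow):
    """Label one appliance-originated flow, or return None if it is expected/out of scope."""
    src, dst = flow["src"], flow["dst"]
    if src not in APPLIANCE_INVENTORY:
        return None  # only traffic initiated by an inventoried appliance is in scope
    if dst in EGRESS_ALLOWLIST.get(src, set()):
        return None  # explicitly expected destination
    dst_ip = ipaddress.ip_address(dst)
    if any(dst_ip in seg for seg in PROTECTED_SEGMENTS):
        return "to_protected_segment"      # appliance reaching into the internal network
    if not any(dst_ip in net for net in RFC1918):
        return "to_internet"               # unlisted egress: possible C2 or proxying
    return "to_unlisted_internal"          # internal but not on the allowlist


def hunt(lines):
    """Run classify() over log lines; returns {appliance_ip: [(label, dst, dport, ts), ...]}."""
    findings = defaultdict(list)
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        label = classify(flow)
        if label:
            findings[flow["src"]].append((label, flow["dst"], flow["dport"], flow["ts"]))
    return dict(findings)


# Constructed sample flows (not real telemetry).
SAMPLE_FLOWS = [
    "2024-03-01T02:00:01Z,10.0.0.5,10.0.5.10,514,udp,310",       # firewall -> syslog: allowlisted
    "2024-03-01T02:00:05Z,10.0.0.6,203.0.113.44,443,tcp,1842",    # VPN appliance -> internet host
    "2024-03-01T02:00:09Z,10.0.0.20,10.10.4.12,445,tcp,99120",    # vCenter -> internal host over SMB
    "2024-03-01T02:00:10Z,10.0.0.5,10.0.7.1,22,tcp,640",          # firewall -> unlisted internal host
    "2024-03-01T02:00:12Z,10.10.4.12,203.0.113.44,443,tcp,5000",  # workstation -> internet: out of scope
    "garbage line",
]

if __name__ == "__main__":
    for appliance, hits in hunt(SAMPLE_FLOWS).items():
        print(f"{APPLIANCE_INVENTORY[appliance]} ({appliance})")
        for label, dst, dport, ts in hits:
            print(f"  {ts} {label}: -> {dst}:{dport}")
```

The value of this approach is that it needs no knowledge of BRICKSTORM's infrastructure: a per-victim C2 domain that has never been seen before still shows up as unlisted egress from a device that should only ever talk to its logging collector. The cost is that the allowlist must be built from the inventory first; until it is, vendor update checks and NTP will generate noise, which is the usual reason this control is never switched on.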
The discovery underscores the critical need for organizations to expand their security focus beyond traditional endpoints to include often-overlooked network infrastructure that has become a prime target for sophisticated nation-state actors.