Can BRICKSTORM Malware Undermine Europe’s Strategic Industries?

Article Highlights

The recent discovery of a sophisticated backdoor named BRICKSTORM reveals an escalating threat to European industries of strategic importance. The malware, deployed by Chinese state-aligned hackers, now exists in both Windows and Linux variants, a significant expansion of the operators' tooling. Previously observed only on Linux-based VMware vCenter appliances, the backdoor has been broadened to Windows environments, posing a heightened risk to critical infrastructure within Europe. Its attribution to the China-nexus threat group UNC5221 further underlines the advanced nature of these cyber espionage operations.

The Nature of BRICKSTORM Malware

Long-term Cyber Espionage Campaigns

BRICKSTORM is a testament to the capability and intent behind Chinese cyber operations, being crafted specifically for long-term espionage. Active since the beginning of 2022, it differs from ransomware in that its goal is stealth and persistence rather than disruption: the design lets operators remain undetected for extended periods while collecting data and monitoring systems. A low-noise backdoor, combined with initial access through previously unknown vulnerabilities, keeps the intrusion from triggering alarms while a foothold is maintained.

Once in place, BRICKSTORM gives the operators the file-management and network-tunnelling functions that espionage needs: browsing file systems, creating or deleting files and directories, and opening network connections through the implant to reach other hosts and move laterally. Unlike malware that causes visible disruption, its operations are built around avoiding detection and maintaining a consistent, clandestine presence in the target network.

Stealth and Persistence

The Windows iteration of BRICKSTORM, written in Go 1.13.5, relies on scheduled tasks for persistence, so it keeps running across reboots and user logoffs. The Windows samples deliberately omit a direct command-execution capability: the implant is started by its scheduled task and then stays resident, serving file and tunnelling requests without ever spawning child processes. That omission sidesteps detections built on parent-child process relationships, which are a common way of spotting malicious activity on endpoints, and it means the operator's actions arrive over the tunnel rather than as new processes on the host. The command and control path, described in the next section, layers DNS over HTTPS (DoH) lookups, HTTPS to serverless providers, a WebSocket upgrade and a nested TLS session so that the traffic is hard to tell from legitimate use; detecting it requires looking at the structure of the connections rather than at any single indicator.
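Because the Windows implant survives through a scheduled task rather than through a running parent process, the natural hunt is over the task list itself. The following is an added example, not code from the article or from NVISO: a small Python triage of an exported task list of the kind a responder would run across a fleet. The CSV is a constructed, trimmed subset of the columns that `schtasks /query /fo CSV /v` emits, the task names and paths in it are invented and are not BRICKSTORM indicators, and the trusted-directory roots, environment-variable defaults and trigger heuristics are assumptions made for illustration.

```python
"""Triage of exported Windows scheduled tasks for persistence-style entries.

Added example, not code from the article or from NVISO. SAMPLE_CSV is a
constructed, trimmed subset of the columns emitted by
`schtasks /query /fo CSV /v`; the task names and paths are invented and are
not BRICKSTORM indicators. Trusted roots, environment-variable defaults and
the trigger heuristics are assumptions for illustration.
"""
import csv
import io
import ntpath  # Windows path semantics, even when this runs on another OS

# Assumption: binaries under these roots are treated as expected. Lowercase,
# with a trailing separator so "c:\windows2\x.exe" does not match.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Assumption: default install location for the variables schtasks commonly shows.
ENV_ROOTS = {"%windir%": "C:\\Windows", "%systemroot%": "C:\\Windows"}
# Triggers that re-launch an implant after a reboot or logoff.
PERSISTENT_SCHEDULES = {"at system start up", "at logon time"}
# Names a dropper commonly borrows; legitimate copies live under C:\Windows.
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe", "conhost.exe"}
EXEC_EXTS = (".exe", ".dll", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".scr")

# Constructed export (not real host data); the fourth row shows a quoted command line.
SAMPLE_CSV = r'''"HostName","TaskName","Status","Author","Task To Run","Run As User","Schedule Type"
"WS01","\Microsoft\Windows\Defrag\ScheduledDefrag","Ready","Microsoft Corporation","%windir%\system32\defrag.exe -c -h -o -$","SYSTEM","Weekly"
"WS01","\Updater","Ready","WS01\jdoe","C:\Users\Public\Libraries\svchost.exe","SYSTEM","At system start up"
"WS01","\Adobe Acrobat Update Task","Ready","Adobe Systems","C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe","INTERACTIVE","Daily"
"WS01","\OneSync","Running","WS01\jdoe","""C:\ProgramData\Sync\onesync.exe"" --service","jdoe","At logon time"
'''


def extract_binary(task_to_run: str) -> str:
    """Pull the executable out of a 'Task To Run' command line.

    Quoted paths are taken verbatim; for unquoted paths containing spaces
    (common for Program Files entries) tokens are joined until one ends in
    an executable extension.
    """
    cmd = task_to_run.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    tokens = cmd.split(" ")
    for i, tok in enumerate(tokens):
        if tok.lower().endswith(EXEC_EXTS):
            return " ".join(tokens[: i + 1])
    return tokens[0]


def normalize(path: str) -> str:
    """Expand the few variables schtasks shows and canonicalise to lowercase."""
    p = path.strip()
    for var, root in ENV_ROOTS.items():
        if p.lower().startswith(var):
            p = root + p[len(var):]
    return ntpath.normpath(p).lower()


def task_reasons(row: dict) -> list:
    """Heuristic findings for one exported task row (empty list = nothing odd)."""
    reasons = []
    binary = normalize(extract_binary(row["Task To Run"]))
    if not binary.startswith(TRUSTED_ROOTS):
        reasons.append("binary-outside-trusted-roots")
    if row["Schedule Type"].strip().lower() in PERSISTENT_SCHEDULES:
        reasons.append("boot-or-logon-trigger")
    if ntpath.basename(binary) in SYSTEM_BINARY_NAMES and not binary.startswith("c:\\windows\\"):
        reasons.append("name-mimics-system-binary")
    return reasons


def triage_tasks(csv_text: str) -> list:
    """Return the tasks worth a look, in file order, each with its reasons."""
    flagged = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = task_reasons(row)
        if reasons:
            flagged.append({"task": row["TaskName"],
                            "binary": extract_binary(row["Task To Run"]),
                            "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in triage_tasks(SAMPLE_CSV):
        print(f"{hit['task']:<12} {hit['binary']}  <- {', '.join(hit['reasons'])}")
```

The three heuristics are deliberately independent: a task can be launched from a user-writable directory, be tied to a boot or logon trigger, or borrow a system binary's name, and a single hit is enough to put it on the review list. On a real host, replace the hard-coded `%windir%` expansion with `os.path.expandvars` and feed the script the output of `schtasks /query /fo CSV /v` with all of its columns; only the five used here need to be present.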

Command and Control Infrastructure

Hidden DNS Lookups and Encrypted Command Delivery

Central to BRICKSTORM’s elusiveness is its command and control (C2) infrastructure. Name resolution is done over DNS over HTTPS (DoH), so the lookups for the C2 hosts never cross the enterprise resolver or port 53 and are invisible to passive DNS monitoring, sinkholing and resolver-based blocklists. The malware then connects to a serverless provider over HTTPS, upgrades that connection to a WebSocket, and negotiates a second TLS session inside the WebSocket for command delivery. Each layer looks like a legitimate service in use: the outer connection is ordinary HTTPS to a reputable cloud domain, and even a proxy that terminates the outer TLS sees only an opaque encrypted inner stream. Hosting the C2 front end on legitimate cloud services also defeats reputation-based blocking, since the domains are the provider's and are shared with genuine tenants. Enterprises therefore have to balance enabling genuine cloud service use against detecting abuse of the same services, and security staff need to be trained on these evasion patterns so that a WebSocket to a serverless domain carrying a TLS handshake is recognised as the anomaly it is.

Challenges in Detection

BRICKSTORM has been active since at least 2022 and has kept the same authentication keys even as its infrastructure changed. This continuity suggests a high level of operational discipline and resource allocation, emphasizing the serious nature of the threat. The malware’s layered encryption further complicates detection, demanding equally sophisticated countermeasures: traditional network monitoring tools are ill-equipped to see inside an HTTPS session that carries a WebSocket that in turn carries TLS, so defenders need tooling that can dissect nested TLS sessions and pick out anomalies within otherwise legitimate traffic patterns.

Organizations are advised to take a multi-faceted approach. Block the public DoH providers at the network edge, or force endpoints onto the enterprise resolver so that lookups become visible again; monitor for unusually long-running processes and long-lived outbound sessions; and use TLS inspection to look for nested TLS sessions. One caveat applies to the last step: inspection of the outer session exposes the inner TLS handshake (the ClientHello inside the WebSocket) but not its contents, so the indicator is the presence of a second handshake where application data should be, not what it carries. By scrutinizing traffic for extended durations and unusual patterns, security teams can isolate candidate hosts for investigation. Continuous learning and adaptation within the security team remain essential, as threat actors keep evolving their tactics to stay ahead of detection.
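The C2 chain described in the previous section and the three detection steps above can be expressed as one set of rules run over connection records. The following is an added example, not code from the article or from NVISO: it scores per-connection indicators (DoH lookup, WebSocket upgrade to a serverless domain, long-lived session, and a TLS ClientHello where WebSocket application data should be) and then correlates them per source host. The record layout, the DoH resolver list, the serverless domain suffixes and the session-length threshold are assumptions, and the records are constructed, not captured traffic; the hostnames in them are not indicators.

```python
"""Triage of outbound connection records for BRICKSTORM-style C2 behaviour.

Added example, not code from the article or from NVISO. The record layout,
the DoH resolver list, the serverless domain suffixes and the session-length
threshold are assumptions; SAMPLE_RECORDS are constructed, not captured
traffic, and the hostnames in them are not indicators.
"""
from dataclasses import dataclass
from typing import List

# Assumption: public DoH resolvers that managed endpoints should not talk to directly.
DOH_HOSTS = {"cloudflare-dns.com", "dns.google", "dns.quad9.net"}
# Assumption: hosting suffixes typical of serverless/PaaS front ends.
SERVERLESS_SUFFIXES = (".workers.dev", ".herokuapp.com", ".azurewebsites.net")
# Assumption: a single session this long is a tunnel, not a request/response.
LONG_LIVED_SECONDS = 6 * 3600


@dataclass
class ConnRecord:
    src: str
    dst_host: str
    dst_port: int
    duration_s: float
    http_path: str = ""    # request path seen by the inspecting proxy
    upgrade: str = ""      # HTTP "Upgrade" header value, if any
    payload: bytes = b""   # first application bytes after the outer TLS was terminated
                           # (for WebSockets: the message body with frame header removed)


def looks_like_tls_client_hello(payload: bytes) -> bool:
    """True if payload begins with a TLS handshake record that carries a ClientHello.

    Record header: content type 0x16 (handshake), version 0x03 0x01..0x04, 2-byte length.
    Handshake header that follows: type 0x01 (ClientHello), 3-byte length.
    TLS 1.3 still sends its ClientHello record with legacy version 0x0301 or 0x0303.
    """
    if len(payload) < 6:
        return False
    rec_type, major, minor = payload[0], payload[1], payload[2]
    rec_len = int.from_bytes(payload[3:5], "big")
    return rec_type == 0x16 and major == 0x03 and 1 <= minor <= 4 and rec_len > 0 and payload[5] == 0x01


def classify(rec: ConnRecord) -> List[str]:
    """Per-connection indicators, in a fixed order so results are easy to compare."""
    findings = []
    host = rec.dst_host.lower()
    if host in DOH_HOSTS or rec.http_path.startswith("/dns-query"):
        findings.append("doh-lookup")
    if host.endswith(SERVERLESS_SUFFIXES) and rec.upgrade.lower() == "websocket":
        findings.append("websocket-to-serverless")
    if rec.duration_s >= LONG_LIVED_SECONDS:
        findings.append("long-lived-session")
    if looks_like_tls_client_hello(rec.payload):
        findings.append("nested-tls")
    return findings


def suspicious_sources(records) -> List[str]:
    """Hosts whose combined indicators match the chain: nested TLS on its own,
    or DoH lookups paired with a WebSocket to a serverless front end."""
    by_src = {}
    for rec in records:
        by_src.setdefault(rec.src, set()).update(classify(rec))
    hits = [src for src, f in by_src.items()
            if "nested-tls" in f or {"doh-lookup", "websocket-to-serverless"} <= f]
    return sorted(hits)


# Constructed records: one endpoint showing the full chain, one behaving normally.
SAMPLE_RECORDS = [
    ConnRecord("10.0.0.5", "cloudflare-dns.com", 443, 0.4, http_path="/dns-query?dns=AAAB"),
    ConnRecord("10.0.0.5", "relay-7f3a.workers.dev", 443, 9 * 3600, http_path="/ws",
               upgrade="websocket", payload=b"\x16\x03\x03\x00\xc5\x01\x00\x00\xc1\x03\x03"),
    ConnRecord("10.0.0.9", "www.example.com", 443, 1.2, http_path="/", payload=b"GET / HTTP/1.1"),
    ConnRecord("10.0.0.9", "collab.example.net", 443, 3 * 3600, http_path="/socket",
               upgrade="websocket", payload=b'{"type":"ping"}'),
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(f"{rec.src} -> {rec.dst_host}: {classify(rec) or 'clean'}")
    print("suspicious:", suspicious_sources(SAMPLE_RECORDS))
```

The correlation step matters more than any single rule: a legitimate collaboration tool also holds a WebSocket open for hours, and a browser with DoH enabled also talks to a public resolver, so neither indicator is worth an alert on its own. A TLS handshake arriving as WebSocket payload, or DoH paired with a WebSocket to a serverless front end from the same host, is the combination that matches the chain the article describes. The `payload` field presupposes TLS inspection of the outer session; without it the script can still apply the DoH, hosting and duration rules, but the nested-TLS check has nothing to look at.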

Implications and Future Considerations

Strategic Implications for Europe

The activities of BRICKSTORM underscore the significant strategic implications for Europe, particularly in terms of economic and security interests. By targeting industries of strategic importance, Chinese state-aligned hackers aim to gain long-term access to critical information and infrastructure. Such cyber operations not only threaten the immediate security of targeted organizations but also pose broader risks to national security and economic stability. The elaborate nature of BRICKSTORM’s design and execution suggests a well-resourced and clearly defined political strategy. This strategy aligns with China’s broader objectives of economic strengthening and technological dominance. The persistent and covert nature of these cyber espionage campaigns requires European countries to continually invest in cybersecurity enhancements and collaborative efforts to combat such advanced threats. A unified approach involving governmental agencies, private sector entities, and international partners is crucial in developing a robust defense and response strategy against these sophisticated cyber threats.

Strengthening Cybersecurity Measures

To mitigate the risks posed by BRICKSTORM, European industries must adopt comprehensive, proactive cybersecurity measures. These include regular assessments of network security policies, employee training programs to recognize phishing and other social engineering tactics, and incident response plans to quickly address potential breaches. Enhancing collaborative efforts with cybersecurity experts and leveraging threat intelligence sharing can also play a pivotal role in identifying and neutralizing persistent threats like BRICKSTORM.

Furthermore, investing in advanced cybersecurity technologies such as behavioral analytics and machine learning can aid in identifying subtle anomalies indicative of malware activity. Building robust security infrastructures capable of adapting to evolving threats is essential. Organizations must also prioritize the implementation of zero-trust architectures, ensuring that every access request is strictly verified regardless of its origin. Combining these measures can significantly bolster defenses against sophisticated cyber threats, safeguarding critical infrastructure and maintaining the integrity of strategic industries in Europe.

Evolving Threat Landscape

The discovery of advanced backdoor malware named BRICKSTORM has raised alarms in European industries of strategic importance. This malware is deployed by Chinese state-aligned hackers and is designed to target both Windows and Linux machines, which marks a significant advancement in their hacking capabilities. Historically, these cyber attackers focused on Linux vCenter servers. However, their recent expansion to include Windows environments signals an elevated threat level to critical infrastructure across Europe. The cyber espionage group UNC5221, associated with China, is linked to these operations, underscoring the complexity and sophistication of their techniques. This development stresses the urgent need for robust cybersecurity measures. The malware’s ability to penetrate multiple operating systems increases the potential for extensive damage, further emphasizing the criticality of heightened security protocols within industries of strategic value in Europe. By understanding the nature of BRICKSTORM and the tactics used by UNC5221, European organizations can better prepare to defend against these growing cyber threats.
