Let me introduce Dominic Jainy, a seasoned IT professional with deep expertise in cybersecurity, artificial intelligence, machine learning, and blockchain. With a career dedicated to dissecting complex cyber threats and exploring cutting-edge technologies, Dominic has become a trusted voice in understanding how advanced persistent threat (APT) groups operate. Today, we’re diving into a pressing issue: the use of the ‘BRICKSTORM’ backdoor by Chinese hackers targeting US firms. Our conversation will explore the mechanics of this sophisticated threat, the actors behind it, their methods of infiltration, and the broader implications for organizations across various sectors.
Can you give us an overview of what the ‘BRICKSTORM’ backdoor is and why it poses such a significant threat to US companies?
Sure. ‘BRICKSTORM’ is a malicious piece of software, essentially a backdoor, that allows attackers to sneak into and maintain access to a compromised system. It’s written in the Go programming language and primarily targets VMware vCenter servers, which are critical for managing virtual environments in many organizations. What makes it a big deal for US companies is its ability to stay hidden while giving hackers a foothold to spy, steal data, or even pivot to other systems. It’s not just a one-and-done attack; it’s a gateway for long-term intrusion, often going undetected for months, which can lead to devastating breaches of sensitive information.
How do these attackers initially get into systems to deploy ‘BRICKSTORM’, and what makes their entry so hard to detect?
The attackers often start by exploiting zero-day vulnerabilities—flaws in software that even the vendor doesn’t know about yet. These are particularly dangerous because there’s no patch available at the time of the attack. They target network appliances or systems that don’t typically have robust endpoint detection tools, making their entry harder to spot. By focusing on these less-protected entry points, they can quietly establish a presence before moving deeper into the network, often using stolen credentials to blend in with legitimate traffic.
Which industries or types of organizations in the US seem to be the primary targets for these ‘BRICKSTORM’ campaigns?
From what we’ve seen, the primary targets are US legal and tech firms, as well as software-as-a-service providers and outsourcing companies. These sectors are likely chosen because they hold valuable intellectual property, sensitive client data, or serve as gateways to other organizations. For instance, breaching a SaaS provider could give attackers access to a whole network of downstream clients, amplifying the impact of a single intrusion.
What can you tell us about the group behind these attacks and their suspected motivations?
The group linked to these ‘BRICKSTORM’ campaigns is known as UNC5221, a Chinese-aligned threat cluster. They’re known for their sophisticated tactics, including exploiting zero-day vulnerabilities and targeting critical infrastructure like network appliances. Their motivations seem to go beyond traditional espionage. While stealing data, especially emails from key individuals, is a big part of their operation, there’s also evidence they’re gathering information to develop new hacking tools or zero-days. Essentially, they’re not just after secrets—they’re building an arsenal for future attacks.
Can you explain how ‘BRICKSTORM’ helps these hackers maintain access to a system over long periods?
Absolutely. Once ‘BRICKSTORM’ is deployed, it’s designed for persistence. It modifies system files—think init.d or systemd configurations—to ensure it restarts even if the device reboots. It also has self-monitoring features, like a function called Watcher, which keeps an eye on its own processes and reinstates itself if something goes wrong. This makes it incredibly tough to remove without a deep forensic investigation. Plus, it communicates with its command-and-control server using WebSockets, a method that can look like normal web traffic, further hiding its tracks.
What challenges do researchers face when investigating threats like ‘BRICKSTORM’, especially given the long dwell time?
One of the biggest hurdles is the dwell time—on average, 393 days. That’s over a year that attackers are inside a system before detection. By the time investigators catch on, critical logs or evidence of the initial breach are often gone because they exceed typical retention periods. On top of that, the attackers move fast to deploy their full attack chain, leaving little time to catch them in the act. This combination of speed and long-term stealth makes it a nightmare to piece together how they got in and what they’ve done.
How do these hackers use ‘BRICKSTORM’ to move around inside a network once they’ve gained access?
After getting in, they use a variety of tricks to move laterally. They often harvest credentials from compromised systems, sometimes bypassing multi-factor authentication or cloning virtual machines of critical servers to gain deeper access. They reuse these stolen credentials to hop from one system to another, often targeting tools like Delinea Secret Server to grab even more sensitive data. Their goal is to blend in with normal activity, making it hard for security tools to flag anything unusual as they spread through the network.
What do you think is the broader impact of these kinds of attacks on how companies approach cybersecurity?
These attacks are a wake-up call. They show that traditional security tools, like endpoint detection and response, aren’t enough when attackers target less-protected systems like network appliances. Companies need to rethink their defenses—focusing on visibility across all devices, not just workstations, and investing in better log retention and monitoring to catch long-term intrusions. It’s also pushing the need for faster patch management and a deeper understanding of zero-day risks. Ultimately, it’s about building resilience, assuming a breach will happen, and minimizing the damage.
Looking ahead, what is your forecast for the evolution of threats like ‘BRICKSTORM’ in the coming years?
I expect these threats to become even more sophisticated. As defenders get better at detecting known tactics, attackers will lean harder into zero-days and custom malware tailored to specific targets. We’ll likely see more focus on hybrid environments—blending cloud and on-premises systems—as companies continue to migrate to the cloud. Attackers will also probably refine their stealth techniques, using AI or machine learning to mimic legitimate behavior even more convincingly. It’s going to be a constant cat-and-mouse game, and organizations will need to stay proactive, not just reactive, to keep up.