Chinese state-sponsored cyber actors are using the BRICKSTORM malware to infect U.S. government entities and private companies, gaining long-term access to victim systems, the Cybersecurity & Infrastructure Security Agency (CISA) said in an alert on Dec. 4.
CISA, the National Security Agency (NSA), and the Canadian Cyber Security Centre issued a joint Malware Analysis report detailing the threat posed by the malware.
BRICKSTORM provides hackers with a sophisticated backdoor into systems running Windows and VMware vSphere.
According to the joint report, CISA analyzed eight BRICKSTORM samples obtained from victim organizations.
“All analyzed samples enable cyber actors to maintain stealthy access,” it said.
At one of the organizations, CISA conducted an incident response engagement and found that China-backed hackers had gained access to the entity’s internal networks back in April 2024, maintaining this access until at least Sept. 3 this year.
Once inside victims’ systems, BRICKSTORM establishes a connection to the hacker’s server, “secures communications with the server, and enables cyber actors’ full control over the compromised system.”
When a system is compromised, the cyber actors can use their access to extract sensitive credentials and also create hidden, rogue virtual machines to evade detection, according to the report.
Chinese Hacking Threat
China is a major concern for the United States when it comes to cybersecurity.
In July, Microsoft said it had observed two China-based hacking groups, Linen Typhoon and Violet Typhoon, exploiting vulnerabilities in SharePoint, the company’s collaboration software.
The same month, researchers at Netherlands-based Eye Security said a mass hacking campaign against Microsoft’s SharePoint server software had resulted in cyberattacks against more than 400 victims.
According to the March 2025 Annual Threat Assessment of the U.S. Intelligence Community, China remains the “most active and persistent cyber threat” to the U.S. government, private-sector entities, and critical infrastructure networks.
China’s campaign aimed at prepositioning access to critical American infrastructure for attacks during crises or conflict situations “demonstrates the growing breadth and depth of the PRC’s capabilities to compromise U.S. infrastructure,” it said.
“If Beijing believed that a major conflict with Washington was imminent, it could consider aggressive cyber operations against U.S. critical infrastructure and military assets,” the report said.
“Such strikes would be designed to deter U.S. military action by impeding U.S. decision-making, inducing societal panic, and interfering with the deployment of U.S. forces.”
During a Dec. 2 Senate hearing, Sen. Deb Fischer (R-Neb.) outlined the urgent need to fortify America’s communications networks, citing cyber threats, according to a statement from the Senate Committee on Commerce, Science, and Transportation.
“Threat actors are deploying advanced technology at scale to try to undermine our networks at every juncture. These attacks are increasingly supercharged by artificial intelligence, as well,” she said.
“Congress must coordinate with industry and ensure a robust federal response.”
BRICKSTORM Risks
“BRICKSTORM enables cyber threat actors to maintain stealthy access and provides capabilities for initiation, persistence, and secure command and control,” said the Dec. 4 alert.
“BRICKSTORM also incorporates long-term persistence mechanisms, such as a self-monitoring function that automatically reinstalls or restarts the malware if disrupted, ensuring its continued operation.
“Victim organizations are primarily in the Government Services and Facilities and Information Technology Sectors.”
The malware deploys advanced functionalities to carry out its tasks, including multiple layers of encryption and methods to conceal communications, according to CISA.
CISA, NSA, and the Canadian agency advised organizations to use the indicators of compromise and detection signatures provided in the report to identify BRICKSTORM malware samples.
They also recommended that organizations implement certain mitigations to improve their cybersecurity posture against threats posed by Chinese hackers using BRICKSTORM.
These include ensuring proper network segmentation that restricts network traffic, increasing monitoring of service accounts with high-level privileges, and monitoring for suspicious network connectivity originating from network edge devices.
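The two monitoring recommendations above (watching privileged service accounts, and watching for edge devices that initiate their own outbound sessions) can be turned into simple detection logic over flow and logon telemetry. The script below is an added example written for this article; it is not code from CISA, NSA, or the joint report, and the device names, service-account names, IP addresses, and log lines are all constructed placeholders rather than indicators from the advisory.

```python
import csv
import ipaddress
from io import StringIO

# --- Constructed inventory (placeholders for illustration, not advisory data) ---
# Internal address space; anything outside these ranges is treated as external.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Management addresses of network edge devices. These forward traffic in normal
# operation but should not themselves open sessions to arbitrary internet hosts.
EDGE_DEVICES = {"10.0.0.1": "vpn-gw-01", "10.0.0.2": "fw-edge-01"}
# External hosts an edge device is expected to reach (e.g. a vendor update server).
EDGE_EXPECTED_DESTINATIONS = {"203.0.113.10"}
# High-privilege service accounts and the only hosts each should log on from.
PRIVILEGED_SERVICE_ACCOUNTS = {
    "svc-backup": {"10.0.5.20"},
    "svc-vcenter": {"10.0.5.30"},
}

# --- Constructed sample telemetry (CSV, one record per line) ---
FLOW_LOG = """ts,src,dst,dport,bytes
2025-09-01T01:00:00Z,10.0.0.1,203.0.113.10,443,4096
2025-09-01T01:05:00Z,10.0.0.1,198.51.100.25,443,90112
2025-09-01T01:07:00Z,10.0.0.2,10.0.5.30,443,512
2025-09-01T01:09:00Z,10.0.8.15,198.51.100.25,443,2048
2025-09-01T01:12:00Z,10.0.0.2,198.51.100.77,8443,71680
"""

LOGON_LOG = """ts,user,src,logon_type
2025-09-01T02:00:00Z,svc-backup,10.0.5.20,service
2025-09-01T02:03:00Z,svc-backup,10.0.9.77,service
2025-09-01T02:05:00Z,svc-vcenter,10.0.5.30,interactive
2025-09-01T02:06:00Z,alice,10.0.9.77,interactive
"""


def _rows(text):
    """Parse a CSV log blob into a list of dict rows."""
    return list(csv.DictReader(StringIO(text)))


def is_internal(ip):
    """True if the address falls inside the inventoried internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETWORKS)


def flag_edge_outbound(flow_text):
    """Flag sessions that an edge device's management address initiates to an
    external host that is not on its expected-destination list."""
    alerts = []
    for r in _rows(flow_text):
        src, dst = r["src"], r["dst"]
        if src not in EDGE_DEVICES:
            continue
        if is_internal(dst) or dst in EDGE_EXPECTED_DESTINATIONS:
            continue
        alerts.append({
            "ts": r["ts"],
            "device": EDGE_DEVICES[src],
            "dst": f"{dst}:{r['dport']}",
            "bytes": int(r["bytes"]),
            "reason": "edge device initiated outbound session to unexpected external host",
        })
    return alerts


def flag_service_account_logons(logon_text):
    """Flag privileged service accounts that log on interactively or from a
    host other than the one(s) they are provisioned for."""
    alerts = []
    for r in _rows(logon_text):
        user = r["user"]
        if user not in PRIVILEGED_SERVICE_ACCOUNTS:
            continue
        reasons = []
        if r["src"] not in PRIVILEGED_SERVICE_ACCOUNTS[user]:
            reasons.append("logon from unexpected host")
        if r["logon_type"] == "interactive":
            reasons.append("interactive logon by service account")
        if reasons:
            alerts.append({"ts": r["ts"], "user": user,
                           "src": r["src"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in flag_edge_outbound(FLOW_LOG) + flag_service_account_logons(LOGON_LOG):
        print(alert)
```

Both checks depend on an accurate inventory: the list of edge-device management addresses, their legitimate external destinations, and the hosts each service account is allowed to authenticate from. In a real deployment those come from the asset register and identity system rather than hard-coded dictionaries, and the logic would run over exported firewall flow records and directory logon events instead of the constructed strings above.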
These mitigation measures align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST).
“The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement,” the report said.
CPGs are based on “existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures,” according to the report.