Longstanding and highly elusive cyber intrusions have come to light as U.S. organizations grapple with the aftermath of a sophisticated espionage campaign, with some breaches evading detection for over a year. Recent research by Mandiant and the Google Threat Intelligence Group (GTIG) has revealed a persistent threat labeled “Brickstorm,” a toolset employed by suspected Chinese hackers aiming to gain access to sensitive intellectual property, confidential trade data, and national security intelligence. While the campaign has just gained public attention, many organizations remain unaware that their systems may still harbor traces of this advanced activity.
Earlier discussions around Chinese-linked cyber threat groups have focused on operations with shorter dwell times and more overt tactics, such as those exploiting well-known vulnerabilities or targeting prominent governmental bodies. The newly uncovered Brickstorm campaign distinguishes itself by its lengthy lateral infiltration, stealthy tactics, and strong focus on technology and legal service providers — often using these as gateways to compromise wider customer bases. Past reports gave limited insight into the attackers’ operational discipline and cleanup strategies, which are now identified as key hurdles for detection and attribution in this threat scenario.
How Did Brickstorm Evade Detection for So Long?
According to Mandiant and GTIG researchers, Brickstorm’s ability to remain undetected stems from its use of zero-day vulnerabilities and from its focus on systems that lack strong endpoint detection, such as VMware vCenter and ESXi environments. The campaign reportedly shows a striking average dwell time of about 400 days. Targets primarily include legal and security-focused tech firms, but compromised organizations sometimes act as springboards for infiltration of their own customers’ systems. Investigators stress the challenge of tracing the malware, as indicators such as IP addresses and file signatures frequently differ across incidents.
What Is the Scope of the Affected Organizations?
While researchers stopped short of confirming which specific entities have been affected, they noted that many victim organizations — potentially numbering in the dozens or more — have not yet discovered intrusions on their networks. The hackers’ focus on both direct and downstream access means sensitive data from a wide array of secondary victims could have been compromised. Security experts refrain from linking the group directly to Chinese government agencies but have pointed out similarities to groups UNC5221 and Silk Typhoon, both of which are believed to operate at the behest of Chinese interests.
What Tools Are Available for Detection and Response?
In response to the campaign, Google and Mandiant have released a scanner script designed to help organizations detect possible Brickstorm infections on Unix-based systems. This detection tool works independently of traditional malware identification software and has been shared publicly. Acknowledging the urgency, Charles Carmakal, Chief Technology Officer at Mandiant Consulting, emphasized,
“We have no doubt that organizations will use our tools to hunt for this adversary, and they will find evidence of compromise in their environments.”
He also cautioned,
“The most important thing here is, if you find Brickstorm, you really need to do a very thorough enterprise investigation, because the adversary that’s dropping this is a very, very advanced adversary that is known for stealing intellectual property from organizations.”
Current findings underline the evolving sophistication of long-term cyber-espionage operations and the difficulties in tracing attackers who leverage both technical stealth and comprehensive cleanup methods. Organizations in the tech, legal, and security sectors are called upon to revisit their cyber defense practices, including proactive analysis for hidden threats and improved detection of subtle anomalies in systems lacking endpoint security. Notably, campaigns such as Brickstorm illustrate the growing threat posed by prolonged, silent breaches where intellectual property theft and espionage serve broader strategic goals. Proactive detection measures, along with industry cooperation and sharing of threat intelligence, are essential steps for organizations seeking to mitigate the risk of such sustained campaigns.