Features 09.10.2025

AI Autopsy: Shining a Light on the Brickstorm Backdoor

A stealthy, persistent cyber-espionage campaign has gone undetected for over a year

Danny Palmer explores the latest ways China is trying to get its hands on Western IP

A stealthy hacking operation is installing persistent, long-term backdoors into the networks of technology companies, software-as-a-service (SaaS) providers and legal firms, in a campaign which aims to uncover security vulnerabilities in widely used enterprise software.

As detailed by Google Cloud’s Mandiant Incident Response, the Brickstorm backdoor has been used by suspected Chinese state-backed hackers since at least 2024.

What’s notable is how the attacks maintain long-term persistence in target networks without detection. According to Mandiant, the backdoor allows the campaigns to remain undetected in victim environments for an average of 393 days while the attackers go about their work. That’s a long time, especially when the average dwell time for a cyber attack stands at just 11 days.

“They really take their time to understand the environment they are in, how it can further their goals, and how to best remain implanted without detection,” says Google Threat Intelligence Group (GTIG) security engineering manager, Doug Bienstock.

This extended dwell time is exploited for data theft. But it’s more than just usernames and passwords: the Brickstorm attackers are looking for proprietary source code and intellectual property related to commonly used enterprise software. “We believe the threat actors are analysing the stolen source code to find flaws and zero-day vulnerabilities to exploit in enterprise technology products,” Bienstock tells Assured Intelligence.

Initial access

The initial entry point of the attacks has been difficult to establish. Still, in at least one case, it was achieved by exploiting a zero-day vulnerability in Ivanti Connect Secure VPN appliances. Researchers also note that UNC5221, a threat group closely linked to Brickstorm, has a history of targeting VMware vCenter and ESXi hosts.

By deploying backdoors on these edge appliances – which are commonly not monitored by regular endpoint detection and response (EDR) tools – the attackers are secretly establishing a foothold in target networks. They even go so far as to disguise this activity as legitimate, helping the foothold remain undetected for an extended period.

Maintaining persistence

From here, the attackers use their access to move laterally around networks, stealing data as they go. They exploit techniques and appliances which generate little to no security telemetry – often because they’re not inventoried or monitored by security teams – enabling the threat actors to remain undetected.

In several cases observed by Mandiant, the adversary moved around the network using valid usernames and passwords, suggesting that they’d successfully stolen the credentials by deploying malware elsewhere on the network.

Ultimately, all of this allows the attackers to establish persistence – often for over a year – and provides them with access to email accounts and sensitive data belonging to targets who Bienstock describes as “key individuals of strategic interest”. This includes developers and system administrators: individuals who could have access to source code and sensitive files.

Chinese government-linked cyber espionage against Western organisations isn’t new. Hacking campaigns attributed to PRC-backed operations go back to 2002. But the stealthy persistence of Brickstorm potentially brings new challenges for security teams and CISOs.

“The dwell time for this particular threat actor is significant,” says Amy Mushahwar, chair of data, privacy & cybersecurity and partner at Lowenstein Sandler LLP. “They have more time to know your infrastructure, to poke holes in your information stores, grab unstructured data and move laterally throughout your enterprise.”

It boils down to industrial espionage

While the Brickstorm attacks are complex, the motivation behind them is simple: stealing sensitive data and intellectual property. And by targeting technology companies and law firms, the attackers are going after organisations which are likely to be dealing with confidential information that’s yet to be made public.

“Chinese threat actors understand that professional services and law firms in particular have data that’s not publicly announced,” Mushahwar tells Assured Intelligence. “That could be mergers and acquisitions that haven’t been made public or regulatory investigations that are not public.”

Gathering information like this aligns with the Chinese Communist Party’s plans to make the country a technological and economic superpower – one on which other countries are reliant.

While Chinese technology and defence companies have used their vast research and development resources to develop software, hardware, military capabilities and more, getting hold of IP and patents which are already proven to work can speed up R&D. Beijing is more than willing to use espionage to achieve its economic and geopolitical goals.

“China tends to view conflict as a spectrum. It’s not ‘we’re at war or not at war’, it’s ‘we’re constantly in a struggle and we’re going to use every tool we have’ in that struggle,” says Emily Harding, VP of the Defence and Security Department at think tank the Centre for Strategic and International Studies (CSIS). “And what we see is the Chinese government directing operations.”

How to secure networks against Brickstorm attacks

Asking businesses to defend themselves against the might of a nation-state is a big ask. This is why Harding suggests that Western governments must help by working with organisations being targeted by China.

“It’s not fair for any one company to have to go up against a nation state, so there needs to be better protections,” she tells Assured Intelligence. “The straightforward answer is that cyber is everybody’s job.”

However, she also points out that software companies should be doing more to ensure their products are shipped securely, rather than rushing them out. “You don’t get in an elevator that hasn’t been inspected by 15 people, but we put software out into the world that’s barely had a security check and expect to work,” she explains, adding “Secure by Design is the way to go.”

But that isn’t to say there’s nothing organisations can do to help bolster their defences against Brickstorm and other covert cyber campaigns. For Lowenstein Sandler’s Mushahwar, there’s one key thing that CISOs should ensure is applied throughout their organisation: multi-factor authentication.

It should be applied to any enterprise accounts that require authentication to access, such as email and databases exploited by the Brickstorm attackers, she argues. “Make sure those are inventoried – because maybe some of them don’t yet require authentication at all.”
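The two visibility gaps the article keeps returning to are appliances that sit outside EDR and produce no telemetry, and sensitive services whose accounts are not inventoried or not behind MFA. The following is an added example, not code from Mandiant or the article, of the kind of coverage check a security team can run over its own inventory: all hosts, dates and accounts below are constructed sample data.

```python
from datetime import datetime, timedelta

# Constructed asset inventory: the edge and virtualisation roles the article
# names, plus one ordinary workstation that does have an EDR agent.
INVENTORY = [
    {"host": "vpn-edge-01", "role": "vpn-appliance", "edr": False},
    {"host": "vcenter-01", "role": "vcenter", "edr": False},
    {"host": "esxi-07", "role": "esxi", "edr": False},
    {"host": "dev-ws-22", "role": "workstation", "edr": True},
]

# Constructed record of the last time each host shipped any log to the SIEM.
# vcenter-01 is inventoried but has never sent a single event.
LAST_LOG_SEEN = {
    "vpn-edge-01": datetime(2025, 9, 30),
    "dev-ws-22": datetime(2025, 10, 8),
    "esxi-07": datetime(2025, 4, 1),
}

# Constructed account inventory for the data stores the article lists.
ACCOUNTS = [
    {"name": "svc-mail-admin", "service": "email", "mfa": True},
    {"name": "dba-reporting", "service": "database", "mfa": False},
    {"name": "git-build", "service": "source-repo", "mfa": False},
]

# Constructed reference date for the check (the article's publication date).
REFERENCE_DATE = datetime(2025, 10, 9)


def silent_assets(inventory, last_seen, now, max_gap_days=7):
    """Return inventoried hosts with no telemetry inside the window (or ever).
    days_silent is None for a host that has never logged at all."""
    cutoff = now - timedelta(days=max_gap_days)
    findings = []
    for asset in inventory:
        seen = last_seen.get(asset["host"])
        if seen is None or seen < cutoff:
            findings.append({"host": asset["host"], "role": asset["role"],
                             "edr": asset["edr"],
                             "days_silent": None if seen is None else (now - seen).days})
    return findings


def accounts_without_mfa(accounts):
    return [a["name"] for a in accounts if not a["mfa"]]


def coverage_report(now=REFERENCE_DATE):
    silent = silent_assets(INVENTORY, LAST_LOG_SEEN, now)
    # Highest priority: no EDR agent *and* silent in the SIEM, the exact blind
    # spot in which a long-dwell implant can sit unobserved.
    blind = [s["host"] for s in silent if not s["edr"]]
    return {"silent": silent, "blind_spots": blind,
            "no_mfa": accounts_without_mfa(ACCOUNTS)}
```

Run against a real CMDB export and SIEM source list, the `blind_spots` list is the set of devices to put on a log-forwarding and review schedule first, and `no_mfa` is Mushahwar's inventory of accounts that still need the control.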

Businesses, especially those in the sectors being targeted by Brickstorm, often pride themselves on ensuring transactions and processes move quickly. This means that business leaders can be reluctant to slow processes down with additional security controls. But the cost of slight delays because of security is far less damaging than the cost of a cyber attack.

“Given the data that these companies hold, they’re very much a target. They need to understand security controls are absolutely paramount in addition to getting business done,” concludes Mushahwar. “Even though it’s a bit of a pain for the user to have a bit more user friction, the pain is well worth not suffering a data breach.”
