Executive Summary
In 2024, U.S. and Canadian cybersecurity authorities, together with threat analysts from Google and CrowdStrike, disclosed an extensive, ongoing cyber-espionage campaign attributed to China-linked state actors known as Warp Panda and UNC5221. Utilizing the advanced Brickstorm malware, attackers achieved undetected persistence within critical infrastructure and government agency networks for an average of over a year, beginning as early as 2022. Brickstorm, targeting VMware vSphere and Windows environments, enabled stealthy lateral movement, automated reinfection, and the theft of sensitive identity and configuration data. The campaign exploited cloud misconfigurations, edge device vulnerabilities, and under-monitored zones, impacting dozens of U.S. organizations and associated downstream victims.
This incident reflects the continued evolution of state-sponsored Chinese cyber-operations. Its strategic targeting, tradecraft sophistication, and stealth tactics represent persistent threats for both government and private sector organizations managing hybrid or multi-cloud environments.
Why This Matters Now
Brickstorm exemplifies how state-sponsored espionage campaigns exploit security blind spots, including edge devices and cloud platforms. The campaign’s scope and long dwell time highlight systemic detection and response gaps, underscoring the urgency for organizations to strengthen visibility, segmentation, and incident response—especially as geopolitical tensions drive increasingly aggressive nation-state cyber activity.
Attack Path Analysis
The adversaries gained an initial foothold by exploiting misconfigurations or vulnerabilities in edge and cloud environments, then escalated their privileges by stealing and leveraging credentials for domain and service provider accounts. Using access to Active Directory and vCenter infrastructure, they moved laterally across multi-cloud and on-prem segments, deploying the Brickstorm backdoor for persistence and further control. Command and control (C2) was maintained through encrypted, covert channels to exfiltrate sensitive data and monitor victim operations over extended periods. Sensitive data, including identity metadata, documents, and cryptographic material, was systematically exfiltrated. The attackers focused on espionage and persistent access; no destructive actions were observed, but the access they established would support future disruptive impact.
Kill Chain Progression
Initial Compromise
Description
Attackers exploited vulnerabilities or misconfigurations on edge appliances and cloud infrastructure, implanting webshells and gaining foothold in target environments.
Related CVEs
CVE-2023-46805
CVSS 8.2
An authentication bypass vulnerability in Ivanti Connect Secure and Policy Secure allows remote attackers to access restricted resources without proper authentication.
Affected Products:
Ivanti Connect Secure – 9.x, 22.x
Ivanti Policy Secure – 9.x, 22.x
Exploit Status:
exploited in the wild
CVE-2024-21887
CVSS 9.1
A command injection vulnerability in Ivanti Connect Secure and Policy Secure allows remote attackers to execute arbitrary commands on the underlying operating system.
Affected Products:
Ivanti Connect Secure – 9.x, 22.x
Ivanti Policy Secure – 9.x, 22.x
Exploit Status:
exploited in the wild
CVE-2023-34048
CVSS 9.8
An out-of-bounds write vulnerability in VMware vCenter Server allows a malicious actor with network access to execute arbitrary code on the underlying operating system.
Affected Products:
VMware vCenter Server – 7.0, 8.0
Exploit Status:
exploited in the wild
CVE-2021-22005
CVSS 9.8
An arbitrary file upload vulnerability in VMware vCenter Server allows a malicious actor with network access to execute code on the underlying operating system.
Affected Products:
VMware vCenter Server – 6.5, 6.7, 7.0
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Supply Chain Compromise
Valid Accounts
Command and Scripting Interpreter
Create Account
Remote Services
Application Layer Protocol
Data from Local System
Exfiltration Over C2 Channel
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Monitor and Analyze Security Logs
Control ID: 10.1.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 9
CISA ZTMM 2.0 – Identity and Access Logging
Control ID: Identity Management - Continuous Monitoring
NIS2 Directive – Incident Detection and Response
Control ID: Article 21(2)(d)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Government Administration
Critical infrastructure targeted by China state-sponsored Brickstorm malware enabling 393-day persistent access, data theft, and potential sabotage capabilities.
Information Technology/IT
VMware vSphere environments compromised through sophisticated backdoors, lateral movement, and cloud misconfiguration exploitation requiring enhanced east-west traffic security.
Legal Services
Specifically targeted by UNC5221/Warp Panda for sensitive document theft and credential harvesting through undetected network infiltration since 2022.
Outsourcing/Offshoring
Business process outsourcers exploited as pivot points for downstream victim access, creating supply chain compromise risks and compliance violations.
Sources
- Officials warn about expansive, ongoing China espionage threat riding on Brickstorm malware: https://cyberscoop.com/china-brickstorm-malware-cyber-espionage-campaign-cisa-dhs-alert/ (Verified)
- BRICKSTORM Breaks In: China’s Quiet Grip on US Virtual Stack: https://hivepro.com/threat-advisory/brickstorm-breaks-in-chinas-quiet-grip-on-us-virtual-stack/ (Verified)
- Security Advisory: BrickStorm Malware Targeting VMware Servers: https://cyber.gov.rw/updates/article/security-advisory-brickstorm-malware-targeting-vmware-servers/ (Verified)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix CNSF controls like zero trust segmentation, east-west traffic security, egress policy enforcement, and centralized threat detection would have significantly constricted attacker movement, rapidly surfacing anomalous behaviors, and limiting persistence and data theft within this campaign.
Control: Cloud Firewall (ACF)
Mitigation: Blocks initial unauthorized ingress traffic targeting perimeter vulnerabilities.
Control: Zero Trust Segmentation
Mitigation: Prevents lateral privilege escalation by limiting access between identities and critical assets.
Control: East-West Traffic Security
Mitigation: Blocks or alerts on suspicious internal (east-west) lateral movements.
Control: Threat Detection & Anomaly Response
Mitigation: Realtime alerting and disruption of suspicious C2 patterns and covert traffic.
Control: Egress Security & Policy Enforcement
Mitigation: Prevents unauthorized outbound data flows and detects exfiltration events.
Reduces dwell time and long-term persistence via unified monitoring and rapid response.
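The segmentation, egress-policy and C2-pattern checks described under these controls, as an added example that is not part of the original advisory or of Aviatrix's product: it runs three checks over constructed flow records, flagging connections into a hypothetical vSphere management segment that bypass the jump host, outbound flows from that segment to destinations outside an egress allowlist, and source/destination pairs whose connection intervals are near-constant (a beaconing signature). The segment, jump host and allowlist addresses are assumptions for the example.

```python
import ipaddress
from collections import defaultdict, namedtuple
from statistics import mean, pstdev

# Hypothetical network layout, assumed for this example (not from the advisory).
MGMT_SEGMENT = ipaddress.ip_network("10.10.0.0/24")  # vCenter / ESXi management plane
JUMP_HOSTS = {"10.20.0.5"}                           # only approved admin path into MGMT
EGRESS_ALLOWLIST = {"10.50.0.10"}                    # e.g. an internal patch mirror

def in_mgmt(ip):
    return ipaddress.ip_address(ip) in MGMT_SEGMENT

def east_west_violations(flows):
    """Inbound connections to the management segment that bypass the jump host."""
    return [f for f in flows
            if in_mgmt(f.dst) and not in_mgmt(f.src) and f.src not in JUMP_HOSTS]

def egress_violations(flows):
    """Management-plane hosts talking to destinations outside the egress allowlist."""
    return [f for f in flows
            if in_mgmt(f.src) and not in_mgmt(f.dst) and f.dst not in EGRESS_ALLOWLIST]

def beacon_candidates(flows, min_conns=4, max_jitter=0.2):
    """(src, dst) pairs whose connection intervals are near-constant: a beaconing signature."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f.src, f.dst)].append(f.t)
    hits = []
    for pair, times in by_pair.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
            hits.append(pair)
    return hits

# Constructed flow records (t in seconds, src, dst); 203.0.113.7 is a documentation address.
Flow = namedtuple("Flow", "t src dst")
FLOWS = [
    Flow(0, "10.20.0.5", "10.10.0.20"),       # jump host -> vCenter: allowed
    Flow(60, "10.30.0.44", "10.10.0.20"),     # workstation -> vCenter: east-west violation
    Flow(100, "10.10.0.20", "10.50.0.10"),    # vCenter -> patch mirror: allowed egress
    Flow(1000, "10.10.0.20", "203.0.113.7"),  # vCenter -> unknown host every ~600 s:
    Flow(1598, "10.10.0.20", "203.0.113.7"),  # egress violation plus a beaconing pattern
    Flow(2204, "10.10.0.20", "203.0.113.7"),
    Flow(2801, "10.10.0.20", "203.0.113.7"),
]
```

On real flow logs the three functions would be fed records parsed from the cloud provider's flow-log format, and the jitter threshold tuned against a baseline of known-good periodic traffic such as monitoring agents.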
Impact at a Glance
Affected Business Functions
- IT Operations
- Data Management
- Legal Services
Estimated downtime: 30 days
Estimated loss: $5,000,000
Potential exposure of sensitive configuration data, identity metadata, documents, and emails related to strategic interests.
Recommended Actions
Key Takeaways & Next Steps
- Implement zero trust segmentation and microsegmentation to restrict lateral movement and contain breaches.
- Enforce comprehensive egress filtering and encrypted traffic monitoring to identify and block data exfiltration.
- Deploy advanced threat detection, baselining, and real-time anomaly response across multi-cloud and hybrid networks.
- Harden identity and privilege access management with policy enforcement and least privilege controls.
- Ensure centralized, continuous visibility and policy management for all cloud and edge assets to rapidly surface persistent threats.