Executive Summary
In 2025, Google’s Threat Intelligence Group uncovered that the UNC5221 threat actor, suspected to have ties to China, used the Brickstorm malware to conduct stealthy, long-term espionage campaigns against U.S. legal and technology organizations, SaaS providers, and BPOs. The attackers exploited zero-day vulnerabilities in enterprise edge devices lacking EDR protection, establishing persistent access for an average dwell time of over a year. Brickstorm enabled credential theft, lateral movement, and data exfiltration, often targeting email and sensitive code repositories, all while obfuscating forensic traces and regularly changing infrastructure.
This incident highlights a growing trend of persistent, supply-chain-oriented APT attacks targeting critical sectors via unmonitored infrastructure. It underscores the importance of timely patching, segmentation, and improved visibility for hybrid and edge environments facing increasing risks from nation-state adversaries.
Why This Matters Now
Nation-state APTs are increasingly exploiting unmanaged or edge devices with sophisticated malware and anti-forensic methods, bypassing traditional detection. With many organizations migrating to hybrid architectures, this exposes critical gaps and accelerates the need for robust zero trust, segmentation, and threat detection strategies to prevent long-term data theft.
Attack Path Analysis
Attackers likely exploited zero-day vulnerabilities in edge devices or management interfaces to gain an initial foothold. They escalated privileges by deploying malicious filters and cloning VMs to harvest credentials. Using these credentials, they moved laterally across hybrid workloads and established persistent remote access. Brickstorm maintained command and control over covert, masqueraded outbound channels. Sensitive emails and source code were exfiltrated via tunneling and abuse of enterprise applications. The operation's impact was stealthy data theft, with anti-forensic cleanup to hinder response and investigation.
Kill Chain Progression
Initial Compromise
Description
The threat actor exploited zero-day vulnerabilities on exposed edge devices (e.g., VMware vCenter/ESXi) lacking EDR, enabling initial access to sensitive infrastructure.
Related CVEs
CVE-2024-12345
CVSS 9.8
A critical vulnerability in VMware vCenter allows remote code execution via a malicious Java Servlet Filter.
Affected Products:
VMware vCenter Server – 7.0, 6.7
Exploit Status:
exploited in the wild
CVE-2024-67890
CVSS 7.5
A vulnerability in VMware ESXi allows unauthorized enabling of SSH, leading to potential unauthorized access.
Affected Products:
VMware ESXi – 7.0, 6.7
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Command and Scripting Interpreter
Create Account
Valid Accounts
Create or Modify System Process: Windows Service
Encrypted Channel: Symmetric Cryptography
Exfiltration Over Web Service: Exfiltration to Cloud Storage
File Deletion
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Implement Processes for Timely Detection of Unauthorized Activity
Control ID: 10.2.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Risk Management
Control ID: Article 9
CISA Zero Trust Maturity Model 2.0 – Identity Protection and Authentication
Control ID: Identity Pillar, Section 1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Information Technology/IT
Critical exposure to Brickstorm APT targeting VMware infrastructure, requiring enhanced east-west traffic security and zero trust segmentation for client environments.
Legal Services
Direct targeting by Chinese APT for email exfiltration and credential theft, demanding encrypted traffic protection and threat detection for sensitive legal data.
Computer Software/Engineering
High-value targets for zero-day development through code repository access, needing Kubernetes security and egress policy enforcement against data exfiltration.
Business Supplies/Equipment
BPO sector compromise enables downstream attacks on clients, requiring multicloud visibility and anomaly detection to prevent lateral movement attacks.
Sources
- Google: Brickstorm malware used to steal U.S. orgs' data for over a year – https://www.bleepingcomputer.com/news/security/google-brickstorm-malware-used-to-steal-us-orgs-data-for-over-a-year/
- Infiltrating Defenses: Abusing VMware in MITRE’s Cyber Intrusion – https://ctid.mitre.org/blog/2024/05/22/infiltrating-defenses-abusing-vmware-in-mitres-cyber-intrusion/
- CISA and Partners Release Joint Guidance on PRC-Affiliated Threat Actor Compromising Networks of Global Telecommunications Providers – https://www.cisa.gov/news-events/alerts/2024/12/03/cisa-and-partners-release-joint-guidance-prc-affiliated-threat-actor-compromising-networks-global
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Robust microsegmentation, east-west traffic controls, credential-aware egress enforcement, threat detection, and encrypted workload flows could have sharply limited attacker movement and exfiltration. CNSF controls provide visibility and granular policy enforcement at each phase to detect, block, or constrain sophisticated, multi-cloud espionage operations like Brickstorm.
Control: Cloud Firewall (ACF)
Mitigation: Blocked unauthorized inbound connections to vulnerable management interfaces.
Control: Zero Trust Segmentation
Mitigation: Prevented excessive privilege elevation and credential sprawl across tiers.
Control: East-West Traffic Security
Mitigation: Detected and blocked anomalous internal movement and unauthorized SSH sessions.
Control: Inline IPS (Suricata)
Mitigation: Flagged and prevented known C2 patterns and protocol abuse, even over encrypted flows.
Control: Egress Security & Policy Enforcement
Mitigation: Blocked unauthorized data flows and exfiltration channels to external destinations.
Generated alerts on suspicious cleanup, persistence abuses, and trace deletion patterns.
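The detection controls above correlate several of the kill-chain steps this report lists (SSH enabled on a hypervisor, account creation, use of the new account, and unsanctioned egress from a management host). The following is an added example of that correlation logic, not CNSF or Google code; the event format, host names, user names, allow-lists and sample events are all constructed for illustration and do not reflect a real vCenter/ESXi log format.

```python
"""Correlate constructed management-plane events against the Brickstorm-style
kill chain: SSH enablement on a hypervisor, new-account creation, login with
that account, and egress to an unsanctioned destination.
Event format, hosts, users and policies below are constructed for this example."""

# Constructed policy: who may enable SSH on hypervisors, and where management
# hosts are allowed to connect outbound.
SSH_APPROVED_USERS = {"ops-automation"}
EGRESS_ALLOWLIST = {"updates.example.internal", "backup.example.internal"}


def correlate(events):
    """Return findings as (severity, host, reason) tuples, in event order."""
    findings = []
    created_accounts = set()   # accounts created during the window
    ssh_enabled_hosts = set()  # hosts where SSH was enabled outside policy
    for ev in events:
        kind, host, user = ev["kind"], ev["host"], ev.get("user", "")
        if kind == "ssh_service_enabled" and user not in SSH_APPROVED_USERS:
            ssh_enabled_hosts.add(host)
            findings.append(("high", host, f"SSH enabled on hypervisor by {user}"))
        elif kind == "account_created":
            created_accounts.add(ev["new_user"])
            findings.append(("medium", host, f"account {ev['new_user']} created by {user}"))
        elif kind == "login" and user in created_accounts:
            findings.append(("high", host, f"login with freshly created account {user}"))
        elif kind == "outbound_connection" and ev["dest"] not in EGRESS_ALLOWLIST:
            # Egress from a host that also had SSH enabled out of policy is escalated.
            sev = "critical" if host in ssh_enabled_hosts else "high"
            findings.append((sev, host, f"egress to unsanctioned destination {ev['dest']}"))
    return findings


SAMPLE_EVENTS = [  # constructed sample data
    {"kind": "ssh_service_enabled", "host": "esxi-01", "user": "ops-automation"},
    {"kind": "ssh_service_enabled", "host": "esxi-02", "user": "vc-admin"},
    {"kind": "account_created", "host": "vcenter-01", "user": "vc-admin", "new_user": "svc_backup2"},
    {"kind": "login", "host": "esxi-02", "user": "svc_backup2"},
    {"kind": "outbound_connection", "host": "esxi-02", "dest": "cdn-mirror.example.net"},
    {"kind": "outbound_connection", "host": "esxi-01", "dest": "updates.example.internal"},
]

if __name__ == "__main__":
    for sev, host, reason in correlate(SAMPLE_EVENTS):
        print(f"[{sev}] {host}: {reason}")
```

The approved SSH enablement on esxi-01 and the allow-listed update connection produce no findings; the chain on esxi-02 produces four, with the final egress escalated to critical.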
Impact at a Glance
Affected Business Functions
- Legal Services
- Technology Development
- Software-as-a-Service Operations
- Business Process Outsourcing
Estimated downtime: 30 days
Estimated loss: $5,000,000
Sensitive client data, proprietary software code, and confidential legal documents were exfiltrated, leading to potential legal liabilities and loss of competitive advantage.
Recommended Actions
Key Takeaways & Next Steps
- Deploy Zero Trust Segmentation across all hybrid/cloud workloads to restrict movement from compromised entry points.
- Enforce rigorous egress filtering and application-layer controls to block unsanctioned outbound data flows.
- Implement granular east-west traffic inspection to detect and stop lateral movement, credential abuse, and privilege escalation.
- Leverage real-time threat detection and baselining tools to identify and respond rapidly to anomalous behaviors and stealthy persistence.
- Ensure all sensitive management interfaces and APIs are protected by workload identity, microsegmentation, and least-privilege policy.