Chinese cyberspies maintained long-term access to critical networks – sometimes for years – and used this access to infect computers with malware and steal data, according to Thursday warnings from government agencies and private security firms.
PRC-backed goons infected at least eight government services and IT organizations with Brickstorm backdoors, according to a joint security alert from the US Cybersecurity and Infrastructure Security Agency, the US National Security Agency, and the Canadian Cyber Security Centre.
However, “it’s a logical conclusion to assume that there are additional victims out there until we have not yet had the opportunity to communicate with,” CISA’s Nick Andersen, executive assistant director for cybersecurity, told reporters on Thursday, describing Brickstorm as a “terribly sophisticated piece of malware.”
The backdoor works across Linux, VMware, and Windows environments, and while Andersen declined to attribute the malware infections to a specific People’s Republic of China cyber group, he said it illustrates the threat PRC crews pose to US critical infrastructure.
“State-sponsored actors are not just infiltrating networks,” Andersen said. “They’re embedding themselves to enable long term access, disruption, and potential sabotage.”
In one incident that CISA responded to, the PRC goons gained access to the organization’s internal network in April 2024, uploaded Brickstorm to an internal VMware vCenter server, and used the backdoor for persistent access until at least September 3.
While in the victim’s network, the crew also gained access to two domain controllers and an Active Directory Federation Services server, which they used to steal cryptographic keys.
Google Threat Intelligence, which first sounded the alarm on Brickstorm in a September report, “strongly” recommended organizations run the open-source scanner that Google-owned Mandiant published on GitHub to help detect the backdoor on their appliances.
“We believe dozens of organizations in the US have been impacted by Brickstorm, not including downstream victims,” Google Threat Intelligence Group principal analyst Austin Larsen told The Register. “These actors are still actively targeting US organizations and are evolving Brickstorm and their techniques after our September report.”
[…]
Source: PRC spies Brickstormed their way into critical US networks • The Register
Robin Edgar