Cybersecurity and Infrastructure Security Agency: Multiple Government Agencies Warn of Long-Term, Potentially Large-Scale BRICKSTORM Malware Campaign by Chinese Hackers

A new warning issued jointly by the Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA) and Canadian Centre for Cyber Security documents an ongoing campaign by Chinese hackers making use of the sophisticated BRICKSTORM malware to target public sector organizations and IT companies for long-term espionage purposes. The average dwell time for these documented breaches is a little over a year, and the total victim count is impossible to know at this point.

The BRICKSTORM malware was first documented by Google security researchers in 2024 and is considered one of the most advanced current threats. It targets Windows and VMware vSphere environments and serves as a long-term backdoor for stealthy data exfiltration. It has numerous advanced obfuscation features and will also reinstall itself if removed or disrupted. Once inside a target network, the Chinese hackers look to capture legitimate credentials through various means and create hidden virtual machines to conceal their activities.

Chinese hackers may have been active since 2022

Though BRICKSTORM first came to broad attention in 2024, the researchers believe the Chinese hackers may have been successfully running this campaign since as far back as 2022. The average dwell time among documented victims of the malware is 393 days. If true, this would mean the attackers had been actively penetrating targets with this approach for at least two years before even being detected by security resear

Source: https://www.cpomagazine.com/cyber-security/multiple-government-agencies-warn-of-long-term-potentially-large-scale-brickstorm-malware-campaign-by-chinese-hackers/

Cybersecurity and Infrastructure Security Agency cybersecurity rating report: https://www.rankiteo.com/company/cisagov

{
"id": "CIS1765238766",
"linkid": "cisagov",
"type": "Cyber Attack",
"date": "1/2024",
"severity": "100",
"impact": "8",
"explanation": "Attack that could bring to a war"
}
{'affected_entities': [{'customers_affected': None,
                                     'industry': ['Government',
                                                  'Information Technology'],
                                     'location': None,
                                     'name': None,
                                     'size': None,
                                     'type': ['Public sector organizations',
                                              'IT companies']}],
              'attack_vector': 'Malware (BRICKSTORM)',
              'data_breach': {'data_encryption': None,
                              'data_exfiltration': 'Yes',
                              'file_types_exposed': None,
                              'number_of_records_exposed': None,
                              'personally_identifiable_information': None,
                              'sensitivity_of_data': 'High',
                              'type_of_data_compromised': ['Credentials',
                                                           'Sensitive data']},
              'date_detected': '2024',
              'description': 'An ongoing campaign by Chinese hackers using the '
                             'sophisticated BRICKSTORM malware to target '
                             'public sector organizations and IT companies for '
                             'long-term espionage purposes. The malware '
                             'targets Windows and VMware vSphere environments, '
                             'serving as a long-term backdoor for stealthy '
                             'data exfiltration with advanced obfuscation '
                             'features and self-reinstallation capabilities.',
              'impact': {'brand_reputation_impact': None,
                         'conversion_rate_impact': None,
                         'customer_complaints': None,
                         'data_compromised': 'Credentials, sensitive data',
                         'downtime': None,
                         'financial_loss': None,
                         'identity_theft_risk': None,
                         'legal_liabilities': None,
                         'operational_impact': 'Long-term backdoor access, '
                                               'stealthy data exfiltration',
                         'payment_information_risk': None,
                         'revenue_loss': None,
                         'systems_affected': ['Windows', 'VMware vSphere']},
              'initial_access_broker': {'backdoors_established': 'Yes '
                                                                 '(BRICKSTORM '
                                                                 'malware)',
                                        'data_sold_on_dark_web': None,
                                        'entry_point': None,
                                        'high_value_targets': None,
                                        'reconnaissance_period': None},
              'investigation_status': 'Ongoing',
              'motivation': 'Espionage',
              'post_incident_analysis': {'corrective_actions': None,
                                         'root_causes': 'Advanced malware '
                                                        '(BRICKSTORM) with '
                                                        'obfuscation and '
                                                        'persistence features'},
              'ransomware': {'data_encryption': None,
                             'data_exfiltration': None,
                             'ransom_demanded': None,
                             'ransom_paid': None,
                             'ransomware_strain': None},
              'references': [{'date_accessed': None,
                              'source': 'CISA, NSA, Canadian Centre for Cyber '
                                        'Security',
                              'url': None},
                             {'date_accessed': None,
                              'source': 'Google security researchers',
                              'url': None}],
              'regulatory_compliance': {'fines_imposed': None,
                                        'legal_actions': None,
                                        'regulations_violated': None,
                                        'regulatory_notifications': None},
              'response': {'adaptive_behavioral_waf': None,
                           'communication_strategy': None,
                           'containment_measures': None,
                           'enhanced_monitoring': None,
                           'incident_response_plan_activated': None,
                           'law_enforcement_notified': None,
                           'network_segmentation': None,
                           'on_demand_scrubbing_services': None,
                           'recovery_measures': None,
                           'remediation_measures': None,
                           'third_party_assistance': None},
              'threat_actor': 'Chinese hackers',
              'title': 'BRICKSTORM Malware Campaign by Chinese Hackers',
              'type': 'Espionage'}