Cybersecurity authorities and threat analysts unveiled alarming details Thursday about a suspected China state-sponsored espionage and data theft campaign that Google previously
warned about in September. The outlook based on their limited visibility into China’s sustained ability to burrow into critical infrastructure and government agency networks undetected, dating back to at least 2022, is grim.
“State-sponsored actors are not just infiltrating networks, they are embedding themselves to enable long-term access, disruptions and potential sabotage,” Nick Andersen, executive assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency, said during a media briefing.
Brickstorm, a backdoor which Andersen described as a “terribly sophisticated piece of malware,” has allowed the attackers to achieve persistent access with an average duration of 393 days to support immediate data theft and follow-on pivots to other malicious activity, Austin Larsen, principal analyst at Google Threat Intelligence Group, told CyberScoop.
“We believe dozens of organizations in the United States have been impacted by Brickstorm, not including downstream victims,” Larsen said.
CISA, the National Security Agency and the Canadian Centre for Cyber Security released an
analysis report on Brickstorm, which targets VMware vSphere and Windows environments to conceal activity, achieve lateral movement and tunnel into victim networks while also automatically reinstalling or restarting the malware if disrupted. CISA provided indicators of compromise based on eight Brickstorm samples it obtained from victim organizations.
China state-sponsored attackers are primarily implanting Brickstorm into the networks of organizations in government, IT and legal services, and targeting edge devices, software as a service providers and business process outsourcers to gain access to downstream targets, according to officials and researchers.
Andersen declined to say how many government agencies have been impacted or the type of data stolen, but the scope of assumed impact is far greater than what’s been uncovered to date. “I think it’s a logical conclusion to assume that there are additional victims out there that we have not yet had the opportunity to communicate with,” he said.
cyberscoop.com
