Cybersecurity officials in the United States and Canada are raising urgent alarms over a far-reaching cyber-espionage operation attributed to China-backed threat actors. Newly released analyses reveal that the intrusion campaign—powered by a sophisticated backdoor known as Brickstorm—has quietly penetrated government and critical infrastructure networks for years, often remaining undetected for more than a year at a time.
During a media briefing Thursday, senior security leaders described a threat that is not only persistent but deeply embedded.
“State-sponsored operators aren’t simply breaching networks—they’re positioning themselves for long-term presence, disruption, and potential sabotage,” said Nick Andersen, executive assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency (CISA).
A Long-Term Operation Hidden in Plain Sight
According to Google’s Threat Intelligence Group (GTIG), which first warned about the activity earlier this year, Brickstorm has enabled attackers to maintain covert access for an average of nearly 400 days. GTIG principal analyst Austin Larsen said that dozens of U.S. organizations have already been identified as victims, though the true number is expected to be far higher.
Brickstorm is engineered to target VMware vSphere and Windows environments, allowing attackers to move laterally across networks, mask malicious behavior, and automatically reinstall the malware if defenders attempt to remove it. CISA, the NSA, and the Canadian Centre for Cyber Security released technical indicators associated with eight Brickstorm samples recovered from victim networks.
Officials say China state-backed operators are focusing heavily on government agencies, IT service providers, legal firms, and third-party service providers—particularly those whose systems offer downstream access to other organizations.
While Andersen declined to disclose which U.S. federal agencies were affected or what data had been exfiltrated, he acknowledged that the known impact almost certainly represents only a portion of the activity occurring since at least 2022.
Threat Actors Expanding Capabilities and Infrastructure
CrowdStrike, which tracks the group as Warp Panda, and GTIG, which labels it UNC5221, report that the attackers have continued to refine their tools over the past three years. CrowdStrike observed the use of two additional Golang-based implants—Junction and GuestConduit—as part of the same campaign.
“These operators have steadily expanded their infrastructure and evolved their toolset,” said Adam Meyers, CrowdStrike’s senior vice president of counter-adversary operations. “Their ability to exploit cloud misconfigurations and pivot across hybrid environments demonstrates a campaign that remains highly active.”
Meyers noted that the group has stolen configuration files, identity metadata, documents, and email content aligned with Chinese government interests. While no destructive activity has been identified, he warned that the intelligence value of these breaches is enormous.
“Access to cloud-resident data allows a state actor to map internal systems, study organizational dependencies, and position themselves for future operations. This is espionage with strategic reach.”
A 2024 Intrusion Illustrates the Campaign’s Depth
In one incident described by CISA, attackers infiltrated an unnamed organization’s internal network in 2024. Investigators still do not know exactly how the threat actors first gained entry or how initial credentials were obtained.
What is known: the attackers copied the target’s Active Directory database, stole credentials for a managed service provider account, and used that access to reach VMware vCenter servers. They then moved across multiple servers, captured cryptographic keys, escalated privileges, and ultimately deployed Brickstorm deep within the system architecture.
The intrusion highlights significant visibility gaps in many organizations’ security posture—especially when it comes to remote access systems, perimeter appliances, and devices where traditional monitoring tools are limited.
An Evolution in China’s Cyber Tradecraft
Analysts say the Brickstorm operation reflects a notable shift in China’s espionage playbook. Rather than relying primarily on traditional malware or large-scale exploitation waves, this campaign leans heavily on stealth, cloud infiltration, and “living off the land” tactics.
“Compared with earlier China-nexus operations, this campaign shows a sophisticated grasp of multi-cloud ecosystems and the identity services that connect them,” Meyers said.
Larsen added that Brickstorm operators are exceptionally difficult to detect because they focus on appliances and edge devices that organizations frequently overlook.
“These systems are often poorly inventoried and rarely monitored,” he said. “That level of operational security places this campaign among the most evasive nation-state cyber operations tracked today.”
A Campaign With Unknown Endpoints
With key details—such as the total number of victims and specific intelligence losses—still unaccounted for, officials warn that the long-term implications of Brickstorm remain uncertain. What is clear is that the campaign blends espionage, intellectual property theft, and persistent access in ways that give the attackers strategic options far beyond data collection.
As governments and companies continue investigating, cybersecurity agencies emphasize the need for improved visibility across cloud environments, edge devices, and third-party integrations—areas where attackers are most effectively hiding.
