BRICKSTORM Backdoor: China-Linked Hackers Lurk Undetected for Over a Year
A highly sophisticated cyber espionage campaign, believed to be linked to China, has been targeting key U.S. industries for over a year, using a stealthy backdoor to remain hidden deep inside corporate networks. According to a new report from Mandiant and the Google Threat Intelligence Group (GTIG), the operation uses a powerful malware known as BRICKSTORM to spy on companies in the legal, tech, software-as-a-service (SaaS), and business process outsourcing (BPO) sectors. The group, tracked as UNC5221, focuses on long-term infiltration, staying inside victim systems for an average of 393 days before being detected.
Who Is Being Targeted and Why?
The hackers have very specific goals depending on the industry they attack. When they target SaaS providers, their main objective is to use that company as a stepping stone to get to the data of their clients. This gives them a way to breach potentially hundreds of other companies by compromising just one.
For the legal and technology sectors, the motive appears to be classic espionage. The attackers are hunting for sensitive information related to U.S. national security and international trade. They are also focused on stealing intellectual property, which could be used to help China develop its own zero-day exploits, that is, attacks on software flaws that are unknown to the vendor and have no patch available. By stealing this kind of research, they can advance their own hacking capabilities for future attacks.
How BRICKSTORM Sneaks In and Stays Hidden
One of the biggest challenges for security teams is that BRICKSTORM is designed for stealth. The hacking group gains its initial foothold by exploiting known security flaws, such as the major vulnerabilities discovered in Ivanti Connect Secure VPNs. Once inside, they deploy the BRICKSTORM backdoor on devices that are often a blind spot for security teams, like networking appliances and servers that don’t support traditional endpoint detection and response (EDR) software. This lack of visibility is a key reason they can stay hidden for so long.
The backdoor itself, written in the Go programming language, is a versatile hacking tool. It can set up its own web server, upload and download files, run any command the attackers want, and create a secret tunnel (known as a SOCKS relay) to move data in and out of the network without being noticed. It communicates with the hackers’ control servers using WebSockets, a modern communication method that can be harder to detect than older techniques. Because the hackers are so good at covering their tracks, it has been difficult for investigators to determine exactly how they got in during many of the breaches.
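Because the appliances BRICKSTORM lives on cannot run EDR, the network edge is often the only place a defender can still see its WebSocket control channel. The following hunt is an added example written for this article, not code from the Mandiant/GTIG report or the Google scanner: it parses constructed egress-proxy log lines (the log format, host names, and allowlist are assumptions) and aggregates HTTP Upgrade sessions from EDR-blind appliances to destinations they have no business reaching.

```python
import re
from collections import defaultdict

# Constructed sample egress log lines (format is an assumption, not a real product's):
# <epoch> <src_host> <dst_host> <method> <path> upgrade=<yes|no> bytes=<n>
SAMPLE_LOG = """\
1700000000 vpn-appliance-01 updates.example-vendor.test GET /check upgrade=no bytes=1200
1700000060 vpn-appliance-01 198.51.100.23 GET /ws upgrade=yes bytes=40960
1700003660 vpn-appliance-01 198.51.100.23 GET /ws upgrade=yes bytes=81920
1700000120 vcenter-01 198.51.100.23 GET /ws upgrade=yes bytes=2048
1700000180 workstation-07 chat.example-collab.test GET /socket upgrade=yes bytes=512
1700000240 vpn-appliance-02 updates.example-vendor.test GET /ws upgrade=yes bytes=300
"""

# Hosts that cannot run EDR, so egress logs are the only telemetry (assumed names).
APPLIANCE_HOSTS = {"vpn-appliance-01", "vpn-appliance-02", "vcenter-01"}
# Destinations an appliance is legitimately expected to reach (assumed allowlist).
ALLOWED_DESTINATIONS = {"updates.example-vendor.test"}

LINE_RE = re.compile(
    r"^(?P<ts>\d+) (?P<src>\S+) (?P<dst>\S+) (?P<method>\S+) (?P<path>\S+) "
    r"upgrade=(?P<upgrade>yes|no) bytes=(?P<bytes>\d+)$"
)

def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"], e["bytes"] = int(e["ts"]), int(e["bytes"])
            e["upgrade"] = e["upgrade"] == "yes"
            yield e

def find_suspicious_websockets(text, appliances=APPLIANCE_HOSTS,
                               allowed=ALLOWED_DESTINATIONS):
    """Aggregate WebSocket (HTTP Upgrade) sessions from an appliance to a
    non-allowlisted destination, keyed by (src, dst), with session count,
    total bytes and the span between first and last sighting."""
    hits = defaultdict(lambda: {"sessions": 0, "bytes": 0, "first": None, "last": None})
    for e in parse_log(text):
        if not (e["upgrade"] and e["src"] in appliances and e["dst"] not in allowed):
            continue
        h = hits[(e["src"], e["dst"])]
        h["sessions"] += 1
        h["bytes"] += e["bytes"]
        h["first"] = e["ts"] if h["first"] is None else min(h["first"], e["ts"])
        h["last"] = e["ts"] if h["last"] is None else max(h["last"], e["ts"])
    return {k: dict(v, span_seconds=v["last"] - v["first"]) for k, v in hits.items()}
```

A pair that keeps reappearing over a long span with growing byte counts is the shape a relay channel leaves behind; the workstation and the allowlisted vendor update host are deliberately excluded so the list stays short enough to triage.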
A Constantly Evolving Threat
Evidence shows that the BRICKSTORM malware is not a static tool; it’s being actively developed and improved by the attackers. In one instance, researchers found a version of the backdoor that was programmed with a delay timer. It was designed to lay dormant for months after being installed, only activating on a specific future date. This makes it incredibly difficult to trace the malware’s installation back to the original security breach.
The hackers have also shown great agility when a company starts to fight back. In one case, after an organization began its incident response, the attackers deployed a new BRICKSTORM variant on an internal VMware vCenter server to maintain their access.
To move deeper into the network, the group uses another custom tool called BRICKSTEAL. This malicious software is loaded as a filter into Apache Tomcat, a widely used Java web server, and was used to steal high-level vCenter credentials. What made it so stealthy was its ability to modify the server’s code directly in its active memory, without writing a file to the disk or requiring a restart. Once they had these powerful credentials, the hackers created exact clones of the most critical servers, such as Domain Controllers and systems that store company secrets, to steal data without disrupting operations.
The Ultimate Goal: Stealing Sensitive Information
After establishing deep and persistent access, the campaign’s primary goal becomes clear: to access the emails of key individuals. The attackers target developers, system administrators, and other employees who handle information that aligns with China’s economic and intelligence-gathering interests.
Using BRICKSTORM’s SOCKS proxy feature, they create a direct, hidden tunnel into the company’s network. This allows them to access email servers and other sensitive applications as if they were an employee sitting inside the office, giving them unfettered access to valuable communications and data.
Charles Carmakal, CTO of Mandiant Consulting at Google Cloud, called the campaign a “significant threat” because of its sophistication and its focus on high-value targets. He warned, “The access obtained by UNC5221 enables them to pivot to downstream customers of compromised SaaS providers or discover zero-day vulnerabilities.” Google has released a scanner to help organizations find signs of BRICKSTORM on their Linux and BSD-based systems, urging all companies to actively hunt for this threat, especially on devices that lack standard EDR security coverage.