Researchers Uncover Covert Chinese Access to US Service Provider Infrastructure

Researchers have detailed a long-running Chinese-linked cyberespionage campaign that kept access to U.S. infrastructure and enterprise service providers for more than a year, a reminder of how persistent nation-state intrusions can be.
According to a recent blog post by Mandiant, the Google-owned threat intelligence firm, the campaign, dubbed "Brickstorm" after the malware it deploys, has been tracked since March 2025. Victims span legal services, software-as-a-service providers, business process outsourcers and technology firms. Mandiant assesses that the campaign's objectives go beyond conventional espionage: the intrusions appear aimed in part at developing zero-day exploits and at using the compromised providers as a path to their downstream customers.
Mandiant attributes Brickstorm to the Chinese threat cluster it tracks as UNC5221. The campaign targets infrastructure and appliances that conventional security tooling tends to overlook, which lets the actors keep long-term, low-visibility access. Compromising a high-value service provider also gives the attackers a route into the sensitive environments of that provider's customers, a deliberate, patient approach to espionage rather than an opportunistic one.
Brickstorm is a custom Go-based backdoor with SOCKS proxy functionality, built for Linux and BSD-based appliances that typically cannot run endpoint detection and response agents. Mandiant has observed multiple variants that use obfuscation, delayed command-and-control beaconing and masquerading as legitimate system components to evade defenses, and it has most often found the malware on VMware ESXi hosts and vCenter servers.
Mandiant had earlier tied the same group to malware found on Ivanti VPN appliances in April, where the attackers attempted to tamper with Ivanti's Integrity Checker Tool, the utility administrators run to verify that an appliance's files are unmodified, so that the compromise would go unreported. The episode illustrates both the group's capability and its persistence.
The report also describes the attackers' detailed understanding of appliance internals: they used modified startup scripts, web shells and in-memory payloads to persist while avoiding detection. Researchers observed the actors watching victims' incident response efforts and deploying new Brickstorm variants to regain access as the old ones were removed.
Mandiant also noted that Brickstorm is designed to blend in with a system's legitimate processes, with file names and behaviour chosen to resemble routine operations. The attackers manage their command-and-control infrastructure through commodity digital services and use distinct domains for each victim, which limits how far indicators from one intrusion can be reused to find others.
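Because the backdoor lives on appliances that cannot run EDR, uses a separate C2 domain per victim and names its files to look like appliance components, hunting has to lean on behavioural baselines rather than shared indicators. The Python script below is an added example written for this article, not Mandiant's scanner or any tool from the report. It runs two such checks over constructed data, covering the masquerading and the SOCKS-proxy behaviour described above: a process listing in which a binary reuses a legitimate ESXi daemon name but runs from a writable directory, and firewall egress records in which an appliance holds a long, high-volume session to a public address, as a relayed tunnel would. The field layouts, the baseline directory map, the host and binary names and the thresholds are all assumptions to be replaced with values taken from a known-good image and your own network.

```python
"""Baseline-driven hunting checks for appliance-resident backdoors.

Added example for this article: the process listing, egress records, the
baseline directory map and the thresholds are constructed assumptions,
not data or tooling from Mandiant's report.
"""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed ps-style listing from an ESXi host: pid ppid comm args.
# Two rows reuse legitimate-looking names (hostd, vami-sfcb) but run from
# writable directories, which is the masquerading pattern to catch.
PROCESS_LISTING = """\
1     0  init       /sbin/init
1420  1  hostd      /bin/hostd ++group=hostd
1511  1  vpxa       /bin/vpxa
2042  1  sshd       /usr/lib/vmware/openssh/bin/sshd
3391  1  vmsyslogd  /usr/lib/vmware/vmsyslog/bin/vmsyslogd
7712  1  hostd      /var/tmp/.hostd
7801  1  vami-sfcb  /tmp/vami-sfcb
"""

# Assumed baseline: where each legitimate binary lives on this appliance.
# In practice, generate it from a known-good image of the same build.
BASELINE_DIRS = {
    "init": {"/sbin"},
    "hostd": {"/bin"},
    "vpxa": {"/bin"},
    "sshd": {"/usr/lib/vmware/openssh/bin"},
    "vmsyslogd": {"/usr/lib/vmware/vmsyslog/bin"},
}
WRITABLE_DIRS = ("/tmp", "/var/tmp", "/dev/shm")

# Constructed perimeter-firewall records for the appliances (layout assumed):
# host dst_ip:port first_seen last_seen bytes_out
EGRESS_LOG = """\
esxi-01 10.0.0.5:443 2025-06-01T02:00:00 2025-06-01T02:00:04 1820
esxi-01 198.51.100.7:443 2025-06-01T09:14:00 2025-06-02T09:12:30 48213990
vcsa-01 10.0.0.5:443 2025-06-01T02:05:00 2025-06-01T02:05:01 940
vcsa-01 203.0.113.9:443 2025-06-01T11:00:00 2025-06-01T11:00:06 3200
"""
# RFC 1918 ranges; checked explicitly rather than via is_private so that
# documentation ranges used in the sample count as "public".
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_processes(listing):
    """Turn the listing into dicts of pid, comm and executable path."""
    procs = []
    for line in listing.splitlines():
        fields = line.split(None, 3)
        if len(fields) < 4:
            continue
        pid, _ppid, comm, args = fields
        procs.append({"pid": int(pid), "comm": comm, "path": args.split()[0]})
    return procs


def _in_writable_dir(directory):
    return any(directory == d or directory.startswith(d + "/") for d in WRITABLE_DIRS)


def find_masquerading(procs, baseline=BASELINE_DIRS):
    """Flag a baseline binary name running outside its expected directory, or
    any unknown executable launched from a world-writable location."""
    findings = []
    for p in procs:
        directory = p["path"].rsplit("/", 1)[0] or "/"
        expected = baseline.get(p["comm"])
        if expected is not None and directory not in expected:
            findings.append((p["pid"], p["comm"], "baseline name, unexpected dir " + directory))
        elif expected is None and _in_writable_dir(directory):
            findings.append((p["pid"], p["comm"], "executable in writable dir " + directory))
    return findings


def parse_egress(log):
    """Parse the constructed firewall records into dicts with datetimes."""
    rows = []
    for line in log.splitlines():
        host, dst, first, last, nbytes = line.split()
        ip, port = dst.rsplit(":", 1)
        rows.append({"host": host, "ip": ip, "port": int(port),
                     "first": datetime.fromisoformat(first),
                     "last": datetime.fromisoformat(last),
                     "bytes": int(nbytes)})
    return rows


def find_tunnels(rows, min_duration=timedelta(hours=1), min_bytes=10_000_000):
    """Management appliances should only talk briefly to internal hosts. A
    long-lived or high-volume session to a public address is consistent with
    a SOCKS relay through a resident backdoor. Thresholds are assumptions."""
    findings = []
    for r in rows:
        addr = ip_address(r["ip"])
        if any(addr in net for net in INTERNAL_NETS):
            continue
        duration = r["last"] - r["first"]
        if duration >= min_duration or r["bytes"] >= min_bytes:
            findings.append((r["host"], r["ip"], r["port"], duration, r["bytes"]))
    return findings


if __name__ == "__main__":
    for f in find_masquerading(parse_processes(PROCESS_LISTING)):
        print("process:", f)
    for f in find_tunnels(parse_egress(EGRESS_LOG)):
        print("egress:", f)
```

On the sample data the process check flags the two rows running from /var/tmp and /tmp, and the egress check flags only the day-long, 48 MB session from esxi-01 to a public address. A real baseline should be built from a clean appliance image of the same build, and the egress thresholds tuned to what your management hosts legitimately do, since the backdoor's delayed beaconing means the suspicious session may not appear until well after the initial compromise.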