Chinese-Linked Malware Campaign Targets Critical Environments With Weak Monitoring

Chinese state-sponsored hackers are deploying a stealthy backdoor across critical infrastructure environments, the U.S. federal government warned in a missive detailing how the Brickstorm malware enables long-term persistence inside VMware vCenter servers and Windows systems.
Nation-state threat actors have used Brickstorm to steal cryptographic keys and clone virtual machine snapshots as part of an effort to harvest credentials. The malware uses multiple layers of encryption for command-and-control, including DNS over HTTPS, and can reinstall itself if disrupted, officials said.
The Cybersecurity and Infrastructure Security Agency, National Security Agency and the Canadian Centre for Cyber Security advised operators Thursday to assess their environments and report any suspicious activity to the cyber defense agency. CISA said it analyzed eight Brickstorm samples obtained from victim organizations, including one where the agency performed incident response after Chinese hackers used the backdoor to gain and maintain access to vCenter management consoles and domain controllers.
CISA Executive Assistant Director for Cybersecurity Nick Andersen told reporters during a media briefing that Brickstorm tooling lets operators move laterally, manipulate files, tunnel deeper into networks and create rogue virtual machines inside virtualized environments – all while evading detection through covert techniques and hidden API endpoints. The agency is aware of Chinese nation-state actors targeting U.S. critical infrastructure operators with Brickstorm, but Andersen declined to identify which agencies or sectors were affected.
Security analysts said the Brickstorm campaign reflects a sustained Chinese espionage effort that quietly embedded itself across U.S. infrastructure and major service providers for more than a year, targeting environments that traditionally lack strong monitoring. Mandiant reported tracking the activity since March 2025 and found intrusions affecting SaaS vendors, law firms, business process outsourcers and technology providers (see: Mandiant: Chinese Espionage Tool Embedded in US Systems).
The government urged organizations to scan systems with the provided YARA and Sigma rules, monitor network edge devices and enforce strict segmentation. Operators should upgrade and harden their vSphere deployments, block unauthorized DNS over HTTPS traffic, restrict service account permissions and increase monitoring for suspicious access patterns, CISA said.
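One concrete way to act on the "block unauthorized DNS over HTTPS" and "monitor for suspicious access patterns" guidance is to review outbound TLS logs for server-tier hosts that talk to public DoH resolvers. The script below is an added defensive example, not CISA's published YARA or Sigma rules and not anything from the advisory: the key=value log format, the host names, the list of public DoH resolver hostnames and the "approved DoH" policy are all constructed assumptions for illustration.

```python
"""Flag outbound DNS-over-HTTPS connections that fall outside policy.

Added example (not from the advisory). Assumes a constructed key=value
firewall/proxy log format with the TLS SNI recorded, and a hypothetical
policy in which only the enterprise resolver host may use DoH.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Illustrative list of public DoH resolver hostnames seen as TLS SNI.
# Not exhaustive; extend from your own resolver inventory.
KNOWN_DOH_RESOLVERS = {
    "dns.google",
    "cloudflare-dns.com",
    "dns.quad9.net",
    "doh.opendns.com",
}

# Hypothetical policy: only the enterprise resolver host may forward
# queries over DoH, and only to this one upstream.
APPROVED_DOH = {("resolver01", "dns.quad9.net")}

# Hosts that should never need to reach resolvers outside the enterprise.
SERVER_TIER = {"vcenter01", "dc01", "esxi02"}

# Constructed log format: ts src=IP host=NAME dst=IP dport=PORT sni=NAME
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) host=(?P<host>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) sni=(?P<sni>\S*)$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    host: str
    dst: str
    sni: str
    reason: str


def parse_line(line: str) -> Optional[dict]:
    """Return the parsed fields, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def evaluate(rec: dict) -> Optional[Finding]:
    """Apply two checks to one parsed record; return a Finding or None."""
    if rec["dport"] != "443":
        return None
    host, sni = rec["host"], rec["sni"].lower()
    # Check 1: TLS to a known public DoH resolver that policy does not approve.
    if sni in KNOWN_DOH_RESOLVERS:
        if (host, sni) in APPROVED_DOH:
            return None
        return Finding(rec["ts"], host, rec["dst"], sni,
                       "TLS to public DoH resolver outside approved policy")
    # Check 2 (heuristic): a server-tier host opening TLS to a bare IP with
    # no SNI is unusual for management systems and worth a review.
    if host in SERVER_TIER and sni == "":
        return Finding(rec["ts"], host, rec["dst"], sni,
                       "server-tier host TLS to bare IP with no SNI")
    return None


def scan(lines: Iterable[str]) -> List[Finding]:
    """Run every line through the checks; skip lines that do not parse."""
    findings: List[Finding] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        f = evaluate(rec)
        if f is not None:
            findings.append(f)
    return findings


# Constructed sample log lines (documentation IP ranges, invented hosts).
SAMPLE_LOGS = [
    "2025-11-20T10:01:02Z src=10.10.5.21 host=vcenter01 dst=203.0.113.10 dport=443 sni=dns.google",
    "2025-11-20T10:01:05Z src=10.10.5.30 host=resolver01 dst=203.0.113.11 dport=443 sni=dns.quad9.net",
    "2025-11-20T10:01:09Z src=10.20.1.42 host=ws-1042 dst=198.51.100.20 dport=443 sni=www.example.com",
    "2025-11-20T10:01:12Z src=10.10.5.10 host=dc01 dst=198.51.100.7 dport=443 sni=",
    "2025-11-20T10:01:15Z src=10.20.1.42 host=ws-1042 dst=203.0.113.12 dport=443 sni=cloudflare-dns.com",
    "this line is malformed and is skipped",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"{f.ts} {f.host} -> {f.dst} sni='{f.sni}': {f.reason}")
```

Run as-is, the script reports the vCenter host reaching a public DoH resolver, the domain controller's no-SNI TLS session, and a workstation using an unapproved resolver, while the enterprise resolver's approved upstream is left alone. The second check is a heuristic for review, not a verdict; tune the server-tier list and the approved pairs to your own environment before relying on the output.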
The advisory “underscores the grave threats posed by the People’s Republic of China that create ongoing cybersecurity exposures and costs to the United States, our allies and the critical infrastructure we all depend on,” CISA Acting Director Madhu Gottumukkala said in a statement. He added that state-sponsored actors “are embedding themselves to enable long-term access, disruption and potential sabotage.”
