Google and Mandiant Uncover Prolonged Chinese Cyberespionage Campaign
Researchers from Google’s Threat Intelligence Group and its subsidiary Mandiant have revealed new insights into a sophisticated Chinese cyberespionage campaign. The operation, tied to the BrickStorm malware, demonstrates the persistence and evolving tactics of Chinese advanced persistent threat (APT) groups, with attackers maintaining access inside victim networks for over a year.
The Role of BrickStorm
BrickStorm is a stealthy backdoor first observed in 2023 during an attack on MITRE and has since reemerged in operations attributed to UNC5221, a suspected Chinese state-aligned APT. While some analysts link UNC5221 to the broader group Silk Typhoon, Google’s researchers caution against assuming they are the same entity.
In this latest campaign, monitored since March 2025, attackers have expanded their scope, targeting industries such as:
Legal services
Software-as-a-service (SaaS) providers
Technology firms
Business process outsourcing (BPO) companies
Prolonged Persistence
On average, attackers remained in victim environments for 393 days, underscoring their ability to evade detection. This long dwell time has made it difficult for researchers to determine the initial access vector in every case, though in at least one intrusion the attackers are believed to have exploited an Ivanti zero-day vulnerability.
BrickStorm was found primarily on Linux- and BSD-based appliances, many of which lack support for endpoint detection and response (EDR) tools. While reports suggest a Windows version may exist, Mandiant has not yet confirmed it in active use.
Attack Techniques
The attackers consistently targeted VMware vCenter and ESXi hosts, using BrickStorm as a beachhead:
1. Deploying the malware on network appliances.
2. Capturing valid credentials.
3. Moving laterally to VMware systems to expand control.
BrickStorm established persistence through scheduled tasks and enabled extensive command-and-control communication, allowing for data exfiltration and continued access.
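The appliance-to-hypervisor pivot described above leaves one signal defenders can hunt for even without EDR on the appliance: admin logins to vCenter/ESXi originating from addresses that should never open such sessions. The script below is an added example, not code from Google, Mandiant, or the article; the log format, subnets, host names and user names are constructed for illustration and would need to be adapted to real vCenter/ESXi logs and a real inventory.

```python
"""Flag logins to VMware management hosts from network appliances (constructed
example; log format, subnets and host names are invented for illustration)."""
import ipaddress
import re

# Assumed inventory: appliances should never open admin sessions to vCenter/ESXi.
APPLIANCE_NETS = [ipaddress.ip_network("10.20.0.0/24")]  # assumed appliance VLAN
ADMIN_NETS = [ipaddress.ip_network("10.1.5.0/24")]       # assumed admin jump hosts
VMWARE_HOSTS = {"vcenter01", "esxi01", "esxi02"}          # assumed management hosts

# Constructed, simplified auth events: "<ts> <host> login user=<u> from=<ip>"
LOG_LINES = """\
2025-03-02T01:14:09Z vcenter01 login user=svc_backup from=10.20.0.17
2025-03-02T09:30:11Z vcenter01 login user=admin from=10.1.5.4
2025-03-03T02:02:45Z esxi01 login user=root from=10.20.0.17
2025-03-03T10:15:00Z esxi02 login user=root from=10.1.5.4
2025-03-04T03:40:30Z esxi02 login user=svc_backup from=203.0.113.9
2025-03-04T03:41:00Z fileserver01 login user=bob from=10.20.0.17
""".splitlines()
LINE_RE = re.compile(r"^(\S+) (\S+) login user=(\S+) from=(\S+)$")

def in_nets(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)

def find_suspicious_logins(lines):
    """Return (ts, host, user, src, reason) for logins to VMware hosts not sourced
    from an admin network. An appliance-subnet source is the strongest signal
    (appliance pivoting to the hypervisor layer); other sources are 'unexpected_source'."""
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        ts, host, user, src = m.groups()
        if host not in VMWARE_HOSTS or in_nets(src, ADMIN_NETS):
            continue
        reason = "appliance_to_vmware" if in_nets(src, APPLIANCE_NETS) else "unexpected_source"
        alerts.append((ts, host, user, src, reason))
    return alerts

def pivot_sources(alerts):
    """Appliance addresses seen logging in to more than one VMware host."""
    hosts = {}
    for _, host, _, src, reason in alerts:
        if reason == "appliance_to_vmware":
            hosts.setdefault(src, set()).add(host)
    return {src: sorted(h) for src, h in hosts.items() if len(h) > 1}
```

On the constructed sample, the appliance address 10.20.0.17 is flagged against both vcenter01 and esxi01, which is the fan-out pattern worth escalating first.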
Beyond Espionage: Zero-Day Development
This campaign was not limited to traditional intelligence gathering. According to Charles Carmakal, CTO at Mandiant Consulting, the attackers also stole proprietary source code and intellectual property. The objective appears to be identifying new zero-day vulnerabilities in enterprise technologies that could later be used against downstream customers.
This tactic broadens the campaign’s impact: initial victims lose data and access, while secondary organizations may be targeted through exploited flaws in widely used technologies.
Implications and Future Risks
The campaign highlights two major risks:
Supply chain exposure: Compromising SaaS providers allows attackers to indirectly reach countless downstream customers.
Zero-day weaponization: Stolen source code accelerates the discovery of exploitable flaws, extending the campaign’s longevity.
Researchers caution that while these operations may not directly affect every organization, the ripple effects across industries could be severe.
Conclusion
The BrickStorm campaign exemplifies how modern state-backed espionage groups prioritize long-term persistence, supply chain compromise, and zero-day development. For defenders, the findings reinforce the need to:
Improve monitoring of non-traditional devices like appliances and VMware environments.
Prioritize detection of lateral movement within networks.
Recognize the cascading risks posed by supply chain intrusions.
Cybersecurity teams must prepare not just for direct attacks, but also for secondary exposure stemming from compromised service providers and technologies.