{"id":17769,"date":"2025-10-03T04:00:18","date_gmt":"2025-10-03T04:00:18","guid":{"rendered":"https:\/\/sekuritasit.com\/?p=17769"},"modified":"2025-10-03T04:00:18","modified_gmt":"2025-10-03T04:00:18","slug":"brickstorm-espionage-campaign","status":"publish","type":"post","link":"https:\/\/sekuritasit.com\/index.php\/2025\/10\/03\/brickstorm-espionage-campaign\/","title":{"rendered":"BRICKSTORM Espionage Campaign"},"content":{"rendered":"\n\n\n\n <\/colgroup>\n\n\n\n\n
\n

\n What is the Attack?\n <\/p>\n<\/td>\n

\n

\n BRICKSTORM is a stealthy, Go-based backdoor deployed by the China-nexus actor UNC5221, enabling long-term persistence and espionage via compromised network appliances in US organizations.\n <\/p>\n

\n Since March 2025, GTIG (Google Threat Intelligence Group) and Mandiant have tracked BRICKSTORM activity impacting legal services, SaaS, BPO, and technology firms. The campaign suggests objectives beyond espionage \u2014 including theft of intellectual property, support for zero-day development, and establishing supply-chain pivot points.<\/p>\n

BRICKSTORM capabilities include:\n <\/p>\n

    \n
  • \n

    \n Stealthy persistence by embedding in startup scripts.\n <\/p>\n<\/li>\n

  • \n

    \n Proxying internal\/external traffic via SOCKS relay.\n <\/p>\n<\/li>\n

  • \n

    \n Credential theft.\n <\/p>\n<\/li>\n

  • \n

    \n Exfiltration of sensitive data and mailbox access.\n <\/p>\n<\/li>\n

  • \n

    \n Anti-forensics to evade detection.\n <\/p>\n<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n

\n

\n What is the recommended Mitigation?\n <\/p>\n<\/td>\n

\n
    \n
  • \n

    \n Patch & Harden Appliances: Apply vendor updates and restrict outbound connectivity from management interfaces.\n <\/p>\n<\/li>\n

  • \n

    \n Network Monitoring: Watch for unusual DNS-over-HTTPS (DoH) activity or outbound traffic from appliances.\n <\/p>\n<\/li>\n

  • \n

    \n Threat Hunting: Use YARA rules and forensic scans on appliances\/backups to detect BRICKSTORM.\n <\/p>\n<\/li>\n

  • \n

    \n Access Controls: Enforce MFA for vCenter and monitor VM cloning activity.\n <\/p>\n<\/li>\n

  • \n

    \n Incident Response: Treat compromised appliances as untrusted and rebuild with verified images.\n <\/p>\n<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n

\n

\n What FortiGuard Coverage is available?\n <\/p>\n<\/td>\n

\n