CISA advisory on China's BRICKSTORM malware: “Treat this threat with the seriousness it demands”

A new BRICKSTORM malware advisory released by CISA on Thursday aims to help organizations defend their systems against the backdoor, a stealthy, evasive cyberespionage tool already in use by PRC-backed nation-state attackers.
- A new high alert warns that China-backed BRICKSTORM malware is already infiltrating US networks and enabling long-term espionage.
- The stealthy backdoor exploits edge devices and zero-days to hide, persist, and steal sensitive data.
- CISA urges immediate actions: scans, segmentation, patching, and reporting of any suspicious activity.
The US Cybersecurity and Infrastructure Security Agency (CISA) report provides critical infrastructure owners with BRICKSTORM indicators of compromise (IOCs), as well as recommended actions for those organizations whose VMware vSphere servers and Windows environments are already compromised by the advanced Trojan.
“This advisory underscores the grave threats posed by the People’s Republic of China (PRC),” said CISA Acting Director Madhu Gottumukkala.
“These state-sponsored actors are not just infiltrating networks — they are embedding themselves to enable long-term access, disruption, and potential sabotage.”
“CISA urges every organization to treat this threat with the seriousness it demands: review the report, implement the recommended mitigations without delay, and report any suspicious activity,” Gottumukkala warned.
Assess, identify, mitigate
Produced in collaboration with the US National Security Agency (NSA) and Canada’s Centre for Cyber Security, the malware analysis report “strongly encourages organizations to assess their environments, identify any signs of compromise, and apply the recommended mitigations to strengthen their defenses.”
Recommended actions for organizations in the BRICKSTORM analysis include:
- Scan systems for BRICKSTORM using detection signatures and rules
- Inventory all network edge devices
- Monitor edge devices for suspicious network connectivity
- Ensure proper network segmentation
- Implement Cross-Sector Cybersecurity Performance Goals (CPG)
The CPG is a baseline set of cybersecurity practices developed by CISA explicitly for critical infrastructure entities (of all sizes), including those within the federal government and IT sectors.
Additionally, CISA urges security analysts to use the “open-source and standardized” Sigma and YARA rule formats to detect any BRICKSTORM intrusions or similar malware.
Organizations are also urged to contact CISA’s 24/7 Operations Center if activity is found.
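The two recommendations above about edge devices, keeping an inventory of them and watching their network connectivity, can be turned into a small defensive check. The script below is an added example and is not code from CISA, the NSA, or the article; the device inventory, destination allowlist, and flow-log lines are all constructed for illustration (the IP addresses come from documentation ranges), and the fixed-interval "beaconing" heuristic is a generic one rather than a BRICKSTORM-specific signature. It flags any inventoried edge device talking to a destination outside its allowlist, and separately reports source/destination pairs whose connection timing is suspiciously regular.

```python
"""Added example (not from the CISA advisory or the article): review flow logs
for inventoried edge devices, flag connections to non-allowlisted destinations,
and surface regular-interval beaconing. All names, IPs and log lines are
constructed for illustration."""
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

# Constructed inventory of network edge devices: name -> outbound IP.
EDGE_DEVICES = {
    "vpn-gw-01": "10.0.0.1",
    "fw-edge-01": "10.0.0.2",
}

# Constructed allowlist of external destinations the edge devices are
# expected to reach (assumed vendor update/support endpoints).
ALLOWED_DESTINATIONS = {"198.51.100.10", "198.51.100.11"}

# Constructed flow records, one per line: "<timestamp> <src_ip> <dst_ip> <dst_port>".
# The vpn-gw-01 -> 203.0.113.7 flows recur every five minutes on purpose.
SAMPLE_FLOWS = """\
2025-12-04T10:00:00Z 10.0.0.1 198.51.100.10 443
2025-12-04T10:00:05Z 10.0.0.1 203.0.113.7 443
2025-12-04T10:05:05Z 10.0.0.1 203.0.113.7 443
2025-12-04T10:10:05Z 10.0.0.1 203.0.113.7 443
2025-12-04T10:15:05Z 10.0.0.1 203.0.113.7 443
2025-12-04T10:02:00Z 10.0.0.2 198.51.100.11 443
2025-12-04T10:03:00Z 10.0.0.50 203.0.113.7 443
"""


def parse_flows(text):
    """Parse flow lines into (timestamp, src_ip, dst_ip, dst_port) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        # "Z" suffix -> explicit UTC offset so fromisoformat accepts it on older Pythons.
        stamp = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        flows.append((stamp, src, dst, int(port)))
    return flows


def unexpected_edge_connections(flows, devices=EDGE_DEVICES, allowed=ALLOWED_DESTINATIONS):
    """Return sorted (device_name, dst_ip, dst_port) for edge-device flows
    whose destination is not on the allowlist. Non-edge hosts are ignored,
    since this check is scoped to the device inventory."""
    ip_to_name = {ip: name for name, ip in devices.items()}
    hits = set()
    for _, src, dst, port in flows:
        if src in ip_to_name and dst not in allowed:
            hits.add((ip_to_name[src], dst, port))
    return sorted(hits)


def beaconing_pairs(flows, min_count=4, max_jitter_s=30.0):
    """Return sorted (src_ip, dst_ip, mean_interval_s) for source/destination
    pairs seen at least min_count times whose inter-connection intervals vary
    by no more than max_jitter_s (population std dev). Regular timing is a
    common property of check-in traffic and worth a human look."""
    by_pair = defaultdict(list)
    for ts, src, dst, _ in flows:
        by_pair[(src, dst)].append(ts)
    result = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if pstdev(gaps) <= max_jitter_s:
            result.append((src, dst, round(sum(gaps) / len(gaps))))
    return sorted(result)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for name, dst, port in unexpected_edge_connections(flows):
        print(f"edge device {name} reached non-allowlisted {dst}:{port}")
    for src, dst, interval in beaconing_pairs(flows):
        print(f"regular {interval}s interval between {src} and {dst}")
```

In a real deployment the inventory and allowlist would come from the asset register and the vendor's documented endpoints, and the flows from the firewall or NetFlow collector; the thresholds in `beaconing_pairs` are starting points to tune against normal traffic so that scheduled vendor check-ins do not swamp the output.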
What is BRICKSTORM?
Linked to PRC state-sponsored cyber actors, BRICKSTORM has been attributed by security researchers to the China-nexus threat actor UNC5221.
In its own analysis of the threat actor, Google’s Mandiant in September found that the espionage campaign had targeted the legal services and technology sectors for more than a year, specifically Software as a Service (SaaS) providers and Business Process Outsourcers (BPOs).
Releasing a scanner tool on GitHub to help organizations with detection, Mandiant described the malware as capable of exploiting appliances without endpoint detection to steal sensitive emails, all while leveraging zero-day flaws for persistence.
BRICKSTORM, which Google has been tracking since 2023, has also been observed exploiting third-party software currently in use by the victim organization.
Mandiant said BRICKSTORM, first discovered in March, has been blamed for several past zero-day attacks, including on Ivanti VPN appliances in April, and the subsequent deployment of “the SPAWN ecosystem of malware.”
In October, cybersecurity firm Resecurity warned organizations that BRICKSTORM was at the center of a massive exploit of F5 systems, allowing the hackers to download a portion of the source code for F5 BIG-IP and other F5 products.
The initial discovery led to CISA releasing a critical alert calling the threat an imminent risk to federal agencies.
After the F5 cyberattack, over twenty previously unknown vulnerabilities were disclosed affecting BIG-IP (all modules), F5OS (A/C), and BIG-IP Next (SPK/CNF), with several issues that could enable remote exploitation of internet-exposed management services, the Resecurity research found.