Google Warns of BRICKSTORM Malware

September 26, 2025
Reading Time: 3 mins read
in Alerts
A group of hackers linked to the Chinese government has been caught infiltrating a wide range of US organizations, from technology suppliers and legal firms to SaaS providers. According to Google researchers, the group is using highly sophisticated and evasive malware in a long-term espionage campaign. The attacks are not a smash-and-grab operation; instead, they are characterized by extreme patience and a deep understanding of their targets. This is what makes the campaign so dangerous: it’s designed to be quiet, slow, and hard to detect. It allows the hackers to spend over a year inside a company’s network, quietly siphoning off vast amounts of sensitive data.

At the heart of the attacks is a custom-built backdoor called BRICKSTORM. This malware is specifically designed to be planted on systems that often lack standard security coverage, such as VMware ESXi hypervisors and email gateways. Once in place, BRICKSTORM creates a SOCKS proxy, giving the attackers a covert and persistent way to access the network. In some cases, the hackers also installed another tool, BRICKSTEAL, which is a malicious Java Servlet filter on VMware vCenter servers. This second piece of malware was used to intercept administrator credentials, enabling the attackers to move deeper into the network and further expand their reach.

The length of time the malware goes undetected is particularly alarming. Google researchers found that, on average, the hackers were able to remain in a victim’s network for 393 days before they were discovered. This extended “dwell time” gives the attackers an enormous window to collect valuable information, including emails and source code. Stealth of this degree is unusual and shows a new level of sophistication. This is not just a one-off campaign, but a long-term espionage effort. The attackers are extremely careful, never reusing the same command-and-control IP addresses, which makes them even harder to track.

According to Google, the primary group behind these intrusions is a China-linked threat actor known as UNC5221, which has a history of targeting US organizations with these types of stealthy, long-term operations. While UNC5221 appears to be the main driver, researchers believe other Chinese state-backed groups are also collaborating and sharing tools and infrastructure. This collaboration broadens the campaign’s reach and sophistication. The victims span multiple critical sectors. By compromising technology suppliers and SaaS providers, the attackers are able to gain indirect access to sensitive data belonging to those companies’ customers. They have also specifically targeted law firms, searching the emails of individuals involved in US national security and international trade cases.

This campaign is especially concerning because of its focus on the supply chain. By compromising a single upstream vendor or service provider, the attackers gain indirect access to a wide variety of downstream networks and customers. This is what security experts call a “risk multiplier.” It echoes past large-scale compromises like the SolarWinds attack, where trusted suppliers became a pathway for espionage. The impact of UNC5221’s activity is therefore not confined to individual targets; it threatens to ripple across critical infrastructure, private industry, and even national security, demonstrating how state-backed cyber campaigns leverage the interconnectedness of modern IT supply chains to maximize their effectiveness.

Reference:

  • Google Warns of BRICKSTORM Malware Driving Supply Chain Intrusions Worldwide
Tags: Cyber Alerts, Cyber Alerts 2025, Cyberattack, Cybersecurity, September 2025