China-linked backdoor malware gave cyber actors access to numerous organizations’ networks for at least 17 months, the Cybersecurity and Infrastructure Security Agency (CISA) warned in a joint advisory.

The stealthy BRICKSTORM malware, used by state-sponsored hackers from the People’s Republic of China (PRC), let those actors embed themselves in the networks of government agencies and of organizations in the IT, legal, and manufacturing sectors for an extended period of time, after they used stolen service-account credentials to move through those networks, CISA said.

Those credentials were then used to target VMware vSphere and Windows systems, gain higher permissions, plant the BRICKSTORM malware, and lock in long-term hidden access – the repercussions of which CISA, the National Security Agency, and Canadian Centre for Cyber Security are still determining.  

“These state-sponsored actors are not just infiltrating networks – they are embedding themselves to enable long-term access, disruption, and potential sabotage,” CISA Acting Director Madhu Gottumukkala said in a statement. 

The malware has been used to target at least eight organizations. After analyzing information from victim organizations, CISA said it found that BRICKSTORM can conceal communications, move laterally and tunnel into victim networks, and automatically reinstall or restart the malware if it is disrupted.  

CrowdStrike reported that Warp Panda, a PRC-linked cyber group, has used BRICKSTORM, and the cybersecurity company noted that the group “exhibits a high level of technical sophistication.”

The company said that Warp Panda likely used access to networks to gain intelligence information, adding that access to one compromised network likely gave it “rudimentary reconnaissance against an Asia Pacific government entity.” 

Alongside BRICKSTORM, CrowdStrike found that Warp Panda deployed two other pieces of malware, called Junction and GuestConduit.

CISA provided several indicators that organizations and agencies could use to potentially identify the use of BRICKSTORM malware in their systems.  

Nick Andersen, executive assistant director for cybersecurity at CISA, said that “as this cyber threat persists, we strongly encourage organizations to assess their environments, identify any signs of compromise, and apply the recommended mitigations to strengthen their defenses.” 

Weslan Hansen
Weslan Hansen is a MeriTalk Staff Reporter covering the intersection of government and technology.