- Google warns UNC5221 targeted US legal, tech, and SaaS firms with Brickstorm malware for over a year
- Campaign aimed at espionage, intellectual property theft, and long-term infrastructure access
- Mandiant urges TTP-based threat hunting and stronger authentication to counter future attacks
US organizations across the legal, technology, SaaS, and business process outsourcing sectors were targeted by a new malware variant named Brickstorm for over a year, leading to major data loss, experts have warned.
Google’s Threat Intelligence Group (GTIG) found the threat actors behind the campaign are UNC5221, a suspected China-nexus threat known for stealthy operations and long-term persistence.
This group first targeted zero-day vulnerabilities in Linux devices and BSD-based appliances, since these are often overlooked in asset inventories and excluded from central logging. As such, they make for an ideal foothold for the attackers.
Cyber-espionage
Once inside, UNC5221 used Brickstorm to move laterally, harvest credentials, and exfiltrate data with minimal telemetry. In some cases, the malware remained undetected for more than a year, since the average dwell time was said to be a mighty 393 days.
In many cases, they would pivot from fringe devices to VMware vCenter and ESXi hosts, using stolen credentials to deploy Brickstorm and escalate privileges.
To maintain persistence, they modified startup scripts and deployed webshells that allowed for remote command execution. They cloned sensitive virtual machines without even powering them on, and thus avoiding triggering security tools.
The campaign’s objectives appear to span geopolitical espionage, intellectual property theft, and access operations.
Since legal companies were targeted as well, the researchers suspected UNC5221 was interested in US national security, and trade topics, while targeting SaaS providers could have been used to pivot into downstream customer environments.
To counter Brickstorm, Mandiant recommends a threat-hunting approach based on tactics, techniques, and procedures (TTPs) rather than atomic indicators, which have proven unreliable due to the actor’s operational discipline.
The researchers urged businesses to update asset inventories, monitor appliance traffic, and enforce multi-factor authentication.
