A new US government advisory warns about BRICKSTORM, a China‑linked malware platform that poses a serious and ongoing threat to critical infrastructure and other high‑value networks. State-sponsored attackers are already using the backdoor for long-term espionage, disruption and potential sabotage, and officials urge organizations to treat the campaign with “the seriousness it demands.”
CISA’s high‑alert warning
The Cybersecurity and Infrastructure Security Agency (CISA), with the NSA and Canada’s Centre for Cyber Security, has released a detailed analysis of BRICKSTORM aimed at operators of critical infrastructure and other sensitive environments. The report provides indicators of compromise (IOCs) and step‑by‑step guidance for entities that may already be compromised, as well as baseline mitigations for those seeking to harden their defenses.
CISA notes that BRICKSTORM operators—tied to PRC state‑sponsored actor UNC5221—do far more than simply break into networks. Once inside, they aim to embed themselves deeply, maintaining stealthy access over long periods to facilitate data theft, disruption operations, or future sabotage. CISA’s acting director emphasizes that every organization, not only federal agencies, should urgently review the advisory, implement mitigations, and report suspicious activity.
How BRICKSTORM infiltrates and persists
BRICKSTORM is a stealthy backdoor used in advanced persistent threat (APT) operations. It targets edge devices and appliances, many of which lack traditional endpoint protection. Research from Mandiant shows the group has been exploiting zero‑day vulnerabilities in these devices to gain initial access and then using the malware to quietly exfiltrate sensitive data such as email.
The malware has been observed:
- Targeting legal services and technology firms, especially SaaS providers and business process outsourcers (BPOs).
- Exploiting third‑party software already deployed in victim environments, which lets it piggyback on trusted platforms.
- Being used in high‑profile zero‑day campaigns, including attacks on Ivanti VPN appliances earlier in the year that led to deployment of a broader “SPAWN” malware ecosystem.
In October, security company Resecurity linked BRICKSTORM to a major exploit against F5 BIG‑IP and related products, where attackers reportedly stole portions of source code and other sensitive data. That incident triggered a critical alert from CISA and the later disclosure of more than 20 previously unknown vulnerabilities across BIG‑IP, F5OS, and BIG‑IP Next, several of which allowed remote exploitation of Internet‑exposed management interfaces.
Why BRICKSTORM is a critical infrastructure threat
What makes BRICKSTORM particularly dangerous is its focus on network edge devices—VPNs, load balancers, and other appliances that sit between internal networks and the Internet. Compromising these systems can give attackers broad visibility and control without triggering the same alerts that traditional endpoint compromises might generate.
Because many critical infrastructure operators rely on such devices for remote access and traffic management, a successful BRICKSTORM intrusion can enable:
- Long‑term, low‑visibility espionage against operational and corporate networks.
- Pre‑positioning for disruptive or destructive actions at a later date.
- Lateral movement into more sensitive systems that are assumed to be shielded by the compromised edge devices.
Given the strategic value of these targets and the use of zero‑days, CISA frames BRICKSTORM as a strategic, nation‑state–level threat, not just another commodity malware family.
Recommended defensive actions
CISA’s advisory outlines a set of immediate and medium‑term measures organizations should adopt to detect and mitigate BRICKSTORM. Key recommendations include:
- Scan for BRICKSTORM using published signatures and rules. Security teams should use the provided IOCs alongside Sigma and YARA rules to hunt for signs of infection across logs and systems.
- Inventory and monitor all edge devices. Organizations should maintain an up‑to‑date list of VPNs, load balancers, and similar appliances, and actively monitor them for unusual network connectivity or configuration changes.
- Ensure robust network segmentation. Proper segmentation limits the ability of attackers to pivot from an edge device into the wider environment. It also helps contain any compromise.
- Implement CISA’s Cross‑Sector Cybersecurity Performance Goals (CPG). These goals offer a practical baseline of cyber hygiene tailored to critical infrastructure organizations of all sizes, including federal and IT entities.
- Aggressively patch and harden exposed services. After the F5 and Ivanti incidents, applying vendor patches and minimizing Internet‑exposed management interfaces are critical steps.
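The first two recommendations above (hunt with published IOCs, and inventory and monitor edge devices for unusual connectivity or configuration changes) can be turned into a small, repeatable hunt. The script below is an added example written for this article; it is not code from CISA, the advisory, or any vendor. Every IOC value, device name, internal network range and log line in it is a constructed placeholder, and the simplified syslog-like log format is an assumption: in practice you would substitute the IOCs from the advisory and a parser for your appliances' actual log format.

```python
"""Hunt constructed edge-device logs for the three signals the advisory tells
defenders to look for: matches against published IOCs, unexpected outbound
connectivity from edge appliances, and configuration changes.
All IOC values, device names, network ranges and log lines are constructed
placeholders, NOT indicators from the CISA advisory."""
import ipaddress
import re
from collections import defaultdict

# Placeholder IOCs: substitute the values published in the advisory.
IOC_DOMAINS = {"placeholder-c2.example", "update-cdn.example"}
IOC_IPS = {"203.0.113.45", "198.51.100.7"}

# Hypothetical inventory of edge appliances (the "inventory and monitor all
# edge devices" step). Any other device that shows up in the logs is flagged
# as unmanaged so it can be investigated.
EDGE_INVENTORY = {"vpn-gw-01", "lb-dmz-01", "lb-dmz-02"}

# Hypothetical internal address space; egress to anything outside these
# ranges from an edge appliance is surfaced for review.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed log lines in a simplified syslog-like format:
# <timestamp> <device> <event> <key=value ...>
SAMPLE_LOGS = """\
2025-12-01T02:13:07Z vpn-gw-01 conn dst=203.0.113.45 dport=443 proto=tcp
2025-12-01T02:13:09Z vpn-gw-01 dns query=placeholder-c2.example
2025-12-01T03:00:00Z lb-dmz-01 conn dst=192.0.2.10 dport=443 proto=tcp
2025-12-01T03:05:00Z lb-dmz-01 conn dst=10.20.30.40 dport=8080 proto=tcp
2025-12-01T03:41:22Z lb-dmz-02 config user=svc_backup action=modify path=/config/startup
2025-12-01T04:02:51Z lb-dmz-03 conn dst=198.51.100.7 dport=8443 proto=tcp
2025-12-01T09:15:00Z vpn-gw-01 config user=netadmin action=modify path=/config/running
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<device>\S+) (?P<event>\S+)(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m["ts"], "device": m["device"], "event": m["event"]}
    rec.update(KV_RE.findall(m["rest"]))   # key=value pairs become dict entries
    return rec


def is_internal(ip_text):
    """True if the address lies inside the hypothetical internal ranges.
    Unparsable addresses count as not internal so they are not silently ignored."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def hunt(log_text):
    """Classify log records into findings, keyed by finding type."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        dev = rec["device"]
        if dev not in EDGE_INVENTORY:
            findings["unmanaged_device"].append((rec["ts"], dev))
        if rec["event"] == "conn":
            dst = rec.get("dst", "")
            if dst in IOC_IPS:
                findings["ioc_ip"].append((rec["ts"], dev, dst))
            elif dst and not is_internal(dst):
                findings["external_egress"].append((rec["ts"], dev, dst))
        elif rec["event"] == "dns":
            query = rec.get("query", "")
            if query in IOC_DOMAINS:
                findings["ioc_domain"].append((rec["ts"], dev, query))
        elif rec["event"] == "config":
            findings["config_change"].append(
                (rec["ts"], dev, rec.get("user"), rec.get("path")))
    return dict(findings)


if __name__ == "__main__":
    for kind, hits in sorted(hunt(SAMPLE_LOGS).items()):
        print(f"{kind}: {len(hits)}")
        for hit in hits:
            print("   ", *hit)
```

Run against the constructed sample, the hunt reports two IOC IP hits (one of them from `lb-dmz-03`, which is also flagged as an appliance missing from the inventory), one IOC domain lookup, one non-IOC external egress worth reviewing, and two configuration changes. Config changes are surfaced unconditionally on purpose: the advisory's point is that changes on edge appliances should be reconciled against an approved change record, not assumed benign because the account looked legitimate.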
If any BRICKSTORM activity is suspected or confirmed, CISA urges organizations to contact its 24/7 Operations Center for assistance. Reporting also supports broader threat tracking across sectors.
A call to treat BRICKSTORM as a top‑tier risk
BRICKSTORM illustrates a shift in focus by state-sponsored groups: rather than concentrating solely on traditional endpoints, they are increasingly targeting the soft underbelly of modern networks, namely edge infrastructure and third-party platforms. For critical infrastructure operators, the message from CISA and its partners is unambiguous: treat this malware family as a high‑priority, strategic threat, not a routine incident.
By carefully assessing their environments, hunting for compromise, and implementing the recommended mitigations, organizations can significantly reduce the risk of long‑term espionage and disruption enabled by BRICKSTORM and similar advanced persistent threats.