Suspected Chinese hackers have for months been quietly breaking into the networks and systems of organizations in the United States to establish persistence that at times has lasted more than a year and to run operations ranging from espionage and IP theft to stealing information and developing new zero-day vulnerabilities.
Researchers with Google’s Threat Intelligence Group (GTIG) and its Mandiant business in a report Wednesday said the threat group is using the BRICKSTORM backdoor to worm its way into the infrastructure of legal firms, software-as-a-service (SaaS) companies, business process outsourcers (BPOs), and technology organizations.
The researchers wrote that they have responded to a range of intrusions since March and are attributing the attacks to the Chinese threat group UNC5221 and “closely related, suspected China-nexus threat clusters that employ sophisticated capabilities, including the exploitation of zero-day vulnerabilities targeting network appliances.”
UNC5221 is best known for exploiting vulnerabilities in Ivanti firewall offerings, and while the group in some reports has been referred to as Silk Typhoon, the Google researchers believe they are separate entities. Silk Typhoon is an espionage group linked to the Chinese government that’s best known for targeting Microsoft Exchange Servers in 2021 and which Microsoft earlier this year said was changing tactics by targeting IT solutions like remote management tools and cloud applications for initial access.
CrowdStrike in August wrote that Silk Typhoon was targeting North American firms by exploiting zero-day flaws in Citrix and Commvault products to gain access to the cloud environments of SaaS providers. The group is also considered responsible for the December 2024 break-in at the U.S. Treasury Department.
In the intrusions tracked by the Google researchers, UNC5221 is using backdoors – primarily BRICKSTORM – to gain long-term access to systems that aren’t protected by typical endpoint detection and response (EDR) tools, and is moving laterally through networks and stealing data in ways that generate little if any security telemetry.
“Appliances are often poorly inventoried, not monitored by security teams, and excluded from centralized security logging solutions,” they wrote.
That, together with modifications made to the BRICKSTORM backdoor, has enabled the hackers to go undetected in victims’ environments for an average of 393 days, though the researchers acknowledged that some logs don’t retain details that far back, so data on the exact time of the initial intrusion isn’t always available.
During the investigation, the researchers found that BRICKSTORM was being actively developed, with the same core capabilities but different features. One sample included a built-in delay timer with a hard-coded date months in the future, before which it would not contact the command-and-control (C2) server.
The backdoor has been found on Linux- and BSD-based systems from multiple manufacturers; a Windows variant of the malware exists, but its use hasn’t been observed. While BRICKSTORM has been found on a variety of appliance types, UNC5221 most often targets VMware vCenter and ESXi hosts, and in some cases deployed the backdoor to a network appliance before moving on to VMware systems.
“The actor moved laterally to a vCenter server in the environment using valid credentials, which were likely captured by the malware running on the network appliances,” the researchers wrote. “VMware vCenter is an attractive target for threat actors because it acts as the management layer for the vSphere virtualization platform and can take actions on VMs such as creating, snapshotting, and cloning. In at least two cases, the threat actor used their access to vCenter to clone Windows Server VMs for key systems such as Domain Controllers, SSO Identity Providers, and secret vaults.”
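Cloning a domain controller, identity provider or secret vault through vCenter is a rare administrative action in most environments, which makes it a useful detection point. The following is an added example (not code from the Google/Mandiant report) that scans vCenter event records for clone operations against VMs whose names suggest one of those roles; the event type identifiers follow the vSphere event data model, the sample records are constructed, and the naming heuristic is an assumption to adapt to your own inventory.

```python
import re

# Event type ids from the vSphere event model (confirm against your vCenter version).
CLONE_EVENT_TYPES = {"vim.event.VmBeingClonedEvent", "vim.event.VmClonedEvent"}

# Assumed naming heuristic for the roles the report says were cloned:
# domain controllers, SSO identity providers and secret vaults.
SENSITIVE_NAME_RE = re.compile(r"\bdc\b|\bdc\d|domain|adfs|\bsso\b|\bidp\b|vault|secret", re.I)

# Constructed sample events; not real log data from any incident.
SAMPLE_EVENTS = [
    {"eventTypeId": "vim.event.VmClonedEvent", "userName": "VSPHERE.LOCAL\\svc-backup",
     "vm": {"name": "CORP-DC-02"}, "destName": "CORP-DC-02_clone",
     "createdTime": "2025-03-02T01:14:09Z"},
    {"eventTypeId": "vim.event.VmClonedEvent", "userName": "VSPHERE.LOCAL\\jdoe",
     "vm": {"name": "web-frontend-03"}, "destName": "web-frontend-04",
     "createdTime": "2025-03-02T09:30:00Z"},
    {"eventTypeId": "vim.event.VmPoweredOnEvent", "userName": "VSPHERE.LOCAL\\jdoe",
     "vm": {"name": "CORP-DC-02"}, "createdTime": "2025-03-02T09:31:00Z"},
    {"eventTypeId": "vim.event.VmBeingClonedEvent", "userName": "VSPHERE.LOCAL\\svc-backup",
     "vm": {"name": "hashivault-prod"}, "destName": "tmp-vault",
     "createdTime": "2025-03-03T02:02:02Z"},
]


def find_sensitive_clones(events, approved_cloners=frozenset()):
    """Return one alert per clone of a sensitive-role VM by an account not on the allowlist."""
    alerts = []
    for ev in events:
        if ev.get("eventTypeId") not in CLONE_EVENT_TYPES:
            continue  # power-ons, migrations etc. are not of interest here
        source = ev.get("vm", {}).get("name", "")
        if not SENSITIVE_NAME_RE.search(source):
            continue  # clone of an ordinary workload
        user = ev.get("userName", "")
        if user in approved_cloners:
            continue  # known backup/replication identity
        alerts.append({"time": ev.get("createdTime"), "user": user,
                       "source_vm": source, "clone": ev.get("destName"),
                       "reason": "clone of identity/secret VM by unapproved account"})
    return alerts


if __name__ == "__main__":
    for alert in find_sensitive_clones(SAMPLE_EVENTS):
        print(alert)
```

Because the report notes the actor used valid credentials, keep the allowlist short and review clones by service accounts rather than suppressing them outright.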
The attackers were keen to access the emails of individuals in the targeted organization, using Microsoft Entra ID enterprise applications to access the accounts. These included developers and system admins, while other mailboxes belonged to people who were “involved in matters that align with PRC [People’s Republic of China] economic and espionage interests,” they wrote.
When stealing files from an environment, the hackers used the SOCKS proxy in BRICKSTORM to get into the workstation and directly access systems and web applications. At times, they used legitimate credentials to access the web interface for internal code stores and download repositories as ZIP archives. They also would access specific directories and files on remote machines using Windows UNC paths.
The attacks on law firms and related organizations were likely carried out to gather information on U.S. national security and international trade, while the SaaS providers were targeted to gain access to downstream customer environments or the data the providers hold for their customers. The technology companies were hacked to steal IP that could help develop future zero-day exploits, the researchers wrote.