SPARCS - Topic Of The Week

Brace Yourselves, a [Brick]storm is Coming

Understanding a newly identified malware toolkit

This week, the National Security Agency (NSA) announced that it is joining the Cybersecurity and Infrastructure Security Agency (CISA) and the Canadian Centre for Cyber Security in detailing the broad campaign in which China state-sponsored cyber actors use the Brickstorm malware for long-term persistence on victim systems.

Brickstorm malware is a sophisticated, stealthy backdoor used by China-linked, state-sponsored cyber actors (tracked as UNC5221 or WARP PANDA) to infiltrate and maintain long-term, covert access to targeted networks, primarily in the U.S. legal services, SaaS, technology, government, and critical infrastructure sectors. Essentially, this is a "backdoor" that gives the hackers secret, long-term access to and control over a compromised system.

The campaign came to light after it was found that Brickstorm has been used to infiltrate U.S. government, tech, and critical infrastructure organizations, sometimes remaining undetected for more than a year. The malware was discovered after hackers used it to compromise VMware vSphere, a widely used cloud computing platform. Once inside, they were able to steal passwords, alter system files, and even create hidden virtual machines to maintain access.

Why is this important, you might ask? Brickstorm represents a major shift in cyber-espionage tactics. Instead of targeting individual devices, it embeds itself in the core infrastructure organizations rely on every day. It’s designed for quiet, long-term intelligence gathering and hides in layers of the system where traditional security tools rarely look. Because it targets foundational systems, a successful compromise could disrupt essential services or give attackers access to large volumes of sensitive data.

Security agencies strongly encourage organizations, especially those in critical infrastructure, to perform rigorous assessments and implement recommended mitigations to detect and defend against this threat. Scanning for signs of the malware, strengthening network segmentation, and blocking hidden communication methods are good steps to help limit where the malware can hide and how it can communicate.

For universities like ours, the Brickstorm campaign is a reminder that cybersecurity isn’t only about personal devices or phishing emails. Much of the digital work we rely on for things like research computing, student systems, and online learning runs on virtualized infrastructure; if the foundation is compromised, everything built on top of it is at risk.

The good news is that awareness is growing, and the U.S. response shows a clear commitment to confronting these threats early and publicly. Still, Brickstorm highlights a new era of cyber-espionage, one in which adversaries are willing to invest the time and skill needed to reach the deepest layers of our technology. Understanding what we are up against is the first step in protecting our community.
