CISA Details BRICKSTORM Malware Used by PRC Hackers for Long-Term Access in U.S. Networks
Recent analysis by U.S. government cybersecurity agencies has revealed a sophisticated intrusion framework, dubbed BRICKSTORM, used by state-sponsored threat actors linked to the People’s Republic of China to maintain long-term, covert access in U.S. networks. The framework combines stealthy initial access, encrypted command-and-control, and modular post-exploitation tooling designed to persist across reimaging and standard incident response workflows. This campaign underscores a strategic focus on pre-positioning within critical infrastructure and government-adjacent environments.
Overview of the BRICKSTORM Campaign
BRICKSTORM is characterized not as a single piece of malware, but as a multi-component intrusion ecosystem supporting reconnaissance, credential theft, lateral movement, and long-term persistence. Operators deploy the framework after initial compromise via known and zero-day vulnerabilities in internet-facing services, remote access solutions, and network appliances, frequently chaining vulnerabilities to bypass network segmentation. The campaign is assessed to be operational for an extended period, with infrastructure and tooling iteratively updated to evade detections.
Architecture and Modularity
The BRICKSTORM framework is composed of several interoperable modules that can be selectively deployed based on the target environment and the threat actor’s operational goals. A lightweight loader component establishes an initial foothold, decrypts and loads subsequent payloads in memory, and employs environmental checks to avoid analysis sandboxes. Post-exploitation modules are then staged to perform discovery, credential access, data collection, and command execution. This decoupled design enables rapid replacement or updating of individual modules without altering the loader’s observable behavior, complicating signature-based detection efforts.
Initial Access Vectors
Initial access commonly leverages exploitation of unpatched vulnerabilities in edge devices and public-facing services, including VPN gateways, web application frameworks, and remote management interfaces. The operators frequently target n-day flaws that remain unpatched in many organizations, exploiting gaps between vendor advisories and enterprise remediation. In some instances, spearphishing with malicious attachments or links is used to establish a beachhead, particularly against administrators or privileged IT staff, followed by deployment of BRICKSTORM components through existing remote management tools.
Persistence and Defense Evasion
Persistence mechanisms in BRICKSTORM emphasize resilience against routine remediation steps. The framework employs techniques such as installing malicious services under benign names, modifying startup scripts, and planting payloads in obscure but legitimate-looking directories. In some cases, the actors leverage device firmware or configuration abuse on network appliances to reinsert malicious components after reboots or partial reimaging. To evade detection, BRICKSTORM frequently uses encrypted or obfuscated configuration files, hides its activity within legitimate processes, and makes minimal changes to host configuration to blend with baseline system behavior.
Command-and-Control Infrastructure
BRICKSTORM’s command-and-control (C2) channels typically rely on HTTPS-based communication to blend into normal web traffic, with traffic patterns designed to mimic legitimate user or application behavior. Operators employ domain fronting–like traffic patterns, rapidly changing domains, and cloud-hosted infrastructure to complicate blocking efforts. The framework supports multiple fallback C2 channels, ensuring continued access if a subset of infrastructure is identified and taken down. Encrypted tasking and data exfiltration are encapsulated in periodic, low-volume requests, reducing the likelihood of detection via traffic-volume anomalies.
Credential Access and Lateral Movement
After establishing a stable foothold, BRICKSTORM operators prioritize harvesting credentials and long-lived tokens, targeting both operating system stores and application-specific secrets. Techniques include memory scraping, abuse of legitimate command-line tools, and leveraging privileged access to directory services. Lateral movement often proceeds via remote services such as SMB, RDP, and vendor-specific management protocols, carefully mapped out through extensive network and Active Directory reconnaissance. The campaign favors "living off the land" techniques where possible, reducing the malware footprint by relying on tools already present in the environment.
Targeting of U.S. Critical Infrastructure and Government-Adjacent Networks
The campaign focuses on organizations associated with critical infrastructure sectors, technology suppliers, managed service providers, and entities that provide operational support to federal, state, and local agencies. This targeting pattern suggests an emphasis on pre-positioning within networks that, if disrupted, could yield strategic impact during geopolitical crises. In many instances, compromised organizations serve as stepping stones, allowing the attackers to pivot into higher-value networks via trusted connections, shared credentials, or federated authentication.
Indicators and Detection Opportunities
Despite heavy emphasis on stealth, BRICKSTORM deployments generate observable artifacts that can assist in detection. These include anomalous service entries with nonstandard display names, unusual parent-child process relationships involving system utilities, unexpected scheduled tasks, and beacon-like outbound network connections to rare or recently registered domains. Host-based telemetry capturing process command lines, PowerShell invocation patterns, and script block logging can surface post-exploitation activity. Network defenders can also monitor for encrypted outbound connections from systems or network segments that typically do not initiate web traffic.
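One way to act on the network-side observations above (periodic, low-volume encrypted requests; rare destinations; web traffic from segments that normally initiate none), as an added example that is not part of the CISA analysis or this article: a small Python triage pass over constructed proxy log lines that scores each source/destination pair on interval regularity, request size, destination rarity and segment policy. The log format, host names, domains and thresholds are all assumptions; domain registration age is not checked here.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log: ISO timestamp, source host, destination domain, bytes sent.
SAMPLE_LOG = """\
2024-05-01T08:00:00 WS-042 update.vendor.example 312
2024-05-01T08:00:03 WS-042 cdn.vendor.example 58210
2024-05-01T08:03:10 WS-017 update.vendor.example 310
2024-05-01T08:05:01 WS-042 update.vendor.example 305
2024-05-01T08:10:02 WS-042 update.vendor.example 318
2024-05-01T08:15:00 WS-042 update.vendor.example 301
2024-05-01T08:20:01 WS-042 update.vendor.example 309
2024-05-01T08:00:30 OT-HMI-07 sync.rare-domain.example 290
2024-05-01T08:10:31 OT-HMI-07 sync.rare-domain.example 288
2024-05-01T08:20:29 OT-HMI-07 sync.rare-domain.example 295
2024-05-01T08:30:30 OT-HMI-07 sync.rare-domain.example 291
"""
# Assumption: host-name prefixes of segments that should never initiate web traffic.
NO_EGRESS_PREFIXES = ("OT-",)
# Assumption: a domain contacted by fewer distinct hosts than this is treated as "rare".
RARE_HOST_THRESHOLD = 2


def parse_log(text):
    rows = (line.split() for line in text.strip().splitlines())
    return [(datetime.fromisoformat(ts), src, dst, int(n)) for ts, src, dst, n in rows]


def find_beacons(events, min_hits=4, max_jitter=0.05, max_bytes=2048):
    """Return (src, dst) pairs showing regular, low-volume contact, with context flags."""
    by_pair, hosts_per_domain = defaultdict(list), defaultdict(set)
    for ts, src, dst, nbytes in events:
        by_pair[(src, dst)].append((ts, nbytes))
        hosts_per_domain[dst].add(src)
    findings = []
    for (src, dst), hits in by_pair.items():
        if len(hits) < min_hits:
            continue
        hits.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
        period = mean(gaps)
        # Jitter is the coefficient of variation of the interval; near zero means clockwork timing.
        if period <= 0 or pstdev(gaps) / period > max_jitter:
            continue
        if max(n for _, n in hits) > max_bytes:  # bulky transfers are not low-volume beacons
            continue
        findings.append({"src": src, "dst": dst, "hits": len(hits), "period_s": round(period),
                         "rare_domain": len(hosts_per_domain[dst]) < RARE_HOST_THRESHOLD,
                         "unexpected_egress": src.startswith(NO_EGRESS_PREFIXES)})
    return findings
```

A workstation polling a vendor update endpoint every five minutes is flagged as periodic but carries neither context flag, while the OT host contacting a single-visitor domain every ten minutes carries both; the flags, not the periodicity alone, are what should drive triage priority.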
Recommendations for Defenders
Defenders are advised to prioritize patching of edge devices and internet-facing services, implement strict access controls on remote management tools, and enforce multifactor authentication on privileged accounts. Segmentation between administrative systems, user workstations, and critical operational technology reduces lateral movement opportunities if a foothold is obtained. Continuous monitoring using endpoint detection and response platforms, combined with network-based anomaly detection, can improve the chance of identifying BRICKSTORM activity in its early stages. Organizations with limited in-house capability should consider proactive threat hunting engagements and review of historical logs for signs of long-term persistence.
Strategic Implications
The BRICKSTORM revelations highlight an ongoing trend of state-sponsored actors investing in frameworks designed for durable, low-noise access rather than short-lived, high-impact operations. This approach complicates traditional incident response playbooks that assume a discrete incident timeline and a clear eradication path. Moving forward, organizations operating in or supporting critical sectors must treat stealthy pre-positioning as a persistent risk and adopt security strategies built around continuous validation, assumptions of compromise, and long-term adversary engagement rather than purely reactive remediation.