BRICKSTORM Malware: Chinese-Sponsored Campaign Targeting US Agencies and IT Providers
BRICKSTORM Malware: How Chinese-Sponsored Operators Embedded Long-Term Access Inside US and Canadian Networks
A newly released joint advisory from the Cybersecurity and Infrastructure Security Agency, the National Security Agency, and the Canadian Centre for Cyber Security warns that state-sponsored cyber actors linked to the People’s Republic of China are deploying a sophisticated, persistence-focused malware family known as BRICKSTORM. The discovery has raised immediate concern within both federal agencies and the commercial IT sector, particularly among organizations that depend on remote management tools and shared infrastructure.
Executive Summary of the BRICKSTORM Campaign
According to the agencies, BRICKSTORM is designed for durable, stealthy persistence on victim networks. The malware enables operators to quietly maintain access for extended periods, collect intelligence and stage further operations across interconnected government and private sector systems.
The joint Malware Analysis Report includes indicators of compromise, detection signatures and analysis of eight known BRICKSTORM samples. Authorities urge organizations to immediately adopt these signatures to identify infections and prevent continued lateral movement.
How BRICKSTORM Operates
Technical analysis shows that BRICKSTORM is engineered with modular persistence mechanisms built to outlast system reinstalls, credential resets and traditional endpoint security defenses.
Researchers have identified several key capabilities:
- Persistent foothold mechanisms leveraging scheduled tasks, service manipulation and low level system processes.
- Command and control communications that blend into routine network traffic.
- Stealthy credential gathering to support lateral movement efforts.
- Targeted data exfiltration routines prioritizing system architecture details and authentication records.
The malware’s focus on maintaining long term control suggests that its primary goal is strategic intelligence collection rather than short term disruption.
Why Government and IT Supply Chains Are at Risk
BRICKSTORM has been observed targeting organizations with broad access to infrastructure, including federal agencies, managed service providers and technology vendors. These environments offer attackers multiple pathways to downstream customers and sensitive government systems.
Compromise of an IT provider enables adversaries to silently spread across interconnected networks, a tactic seen repeatedly in recent nation state operations. For organizations in the defense, energy and government sectors, such an intrusion can expose critical operational data and weaken long term national security posture.
Key Actions Recommended by Federal Agencies
The advisory outlines clear steps organizations should take immediately:
- Use the provided IOCs and detection signatures to identify BRICKSTORM samples.
- Report any detection of BRICKSTORM, similar malware or suspicious activity to CISA, the Cyber Centre or the appropriate authority.
- Review administrative access points and privilege escalation paths that could support long term persistence.
- Ensure endpoint monitoring is configured to alert on abnormal scheduled tasks, DLL modifications and suspicious authentication events.
Failure to act quickly increases the risk of adversaries maintaining undetected access for months or even years.
Indicators of Compromise Provided
The agencies have released a full downloadable set of indicators tied to BRICKSTORM activity. These include file hashes, registry modifications, network signatures and process artifacts observed across multiple samples.
Organizations are strongly encouraged to integrate these indicators into SIEM, SOC alerting systems and network detection tooling to identify infections with high fidelity.
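The following Python script is an added illustration of what "integrating indicators into SIEM and detection tooling" looks like at the smallest scale; it is not code from the advisory or from the agencies. It ingests an indicator list in the mixed forms analysts usually receive (upper-case hashes, defanged domains, bare IPs), normalises it, and matches it against files on disk by SHA-256 and against proxy-style log lines by destination. Every indicator, file and log line in it is constructed for the example: the hash is that of a dummy file created by the script, the domain and IP are placeholders, and nothing here is a real BRICKSTORM indicator.

```python
"""Ingest a mixed-format indicator list and match it against files and
proxy logs. Added example: not code from the advisory or the agencies.
All indicator values, file contents and log lines are CONSTRUCTED
placeholders; substitute the published BRICKSTORM IOC set in practice."""
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass, field

# Constructed dummy file; its SHA-256 stands in for a published file hash.
SAMPLE_FILE_CONTENT = b"constructed sample content, not a malware sample\n"
SAMPLE_FILE_HASH = hashlib.sha256(SAMPLE_FILE_CONTENT).hexdigest().upper()

# Constructed indicator feed in the mixed forms analysts actually receive:
# upper-case hashes, defanged domains, bare IPs (203.0.113.0/24 is TEST-NET-3).
RAW_IOCS = [
    f"sha256:{SAMPLE_FILE_HASH}",
    "domain:update-cdn[.]example",
    "ip:203.0.113.45",
]

# Constructed proxy log lines in a key=value shape.
SAMPLE_LOGS = [
    "ts=1 src=10.0.0.5 dst=intranet.corp.example:443 action=allow",
    "ts=2 src=10.0.0.5 dst=UPDATE-CDN.example:443 action=allow",
    "ts=3 src=10.0.0.9 dst=203.0.113.45:8443 action=allow",
]

@dataclass
class IocSet:
    hashes: set = field(default_factory=set)
    domains: set = field(default_factory=set)
    ips: set = field(default_factory=set)

def refang(value: str) -> str:
    """Undo common defanging so feed values compare equal to live data."""
    return value.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")

def load_iocs(raw) -> IocSet:
    """Normalise each 'kind:value' line into lower-case, refanged sets."""
    iocs = IocSet()
    for line in raw:
        kind, _, value = line.partition(":")
        value = refang(value.strip()).lower()
        if kind == "sha256" and re.fullmatch(r"[0-9a-f]{64}", value):
            iocs.hashes.add(value)
        elif kind == "domain":
            iocs.domains.add(value)
        elif kind == "ip":
            iocs.ips.add(value)
        else:
            raise ValueError(f"unrecognised indicator line: {line!r}")
    return iocs

def sha256_of_file(path, chunk=1 << 20) -> str:
    """Stream the file so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def scan_files(root, iocs: IocSet):
    """Return (path, digest) for every file under root whose hash is an IOC."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_of_file(path)
            except OSError:
                continue  # locked or vanished file: skip it, do not abort the sweep
            if digest in iocs.hashes:
                hits.append((path, digest))
    return hits

DST_RE = re.compile(r"\bdst=(?P<dst>\S+)")

def scan_logs(lines, iocs: IocSet):
    """Return (line_no, indicator) for lines whose destination is a domain or IP IOC."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = DST_RE.search(line)
        if not m:
            continue
        dst = m.group("dst").lower().rsplit(":", 1)[0]  # drop the host:port suffix
        if dst in iocs.domains or dst in iocs.ips:
            hits.append((n, dst))
    return hits

def run_demo() -> dict:
    """Build a throwaway directory with one matching and one benign file, then scan both sources."""
    iocs = load_iocs(RAW_IOCS)
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "a.bin"), "wb") as f:
            f.write(SAMPLE_FILE_CONTENT)
        with open(os.path.join(root, "b.bin"), "wb") as f:
            f.write(b"benign content\n")
        file_hits = [os.path.basename(p) for p, _ in scan_files(root, iocs)]
    return {"file_hits": file_hits, "log_hits": scan_logs(SAMPLE_LOGS, iocs)}

if __name__ == "__main__":
    print(run_demo())
```

In practice the normalisation step (refanging, case-folding, validating hash length) is where feed integrations most often break silently, so it is worth asserting on it before trusting a "no hits" result; the file sweep and log match then become simple set lookups that can be pointed at a real root directory and a SIEM export.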
Detection Through YARA and Sigma Rules
The malware analysis report includes both YARA and Sigma rules designed to detect BRICKSTORM across diverse environments, from endpoint devices to enterprise log aggregation systems.
These rules give defenders pattern-based detection that does not rely solely on known file hashes, helping to identify variants and modified samples used in active intrusion campaigns.
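To make the pattern-based point concrete, and to show what the earlier recommendation to alert on abnormal scheduled tasks and DLL modifications looks like in rule form, here is an added Python example; it is not code from the advisory and the two rules in it are hypothetical, generic rules, not the published BRICKSTORM signatures. It evaluates Sigma-style rules (a selection block AND NOT a filter block, with contains/startswith/endswith modifiers) over constructed Windows Security log and Sysmon-shaped events. Because the rules match on behaviour rather than on a hash, a renamed or recompiled sample that behaves the same way still fires them.

```python
"""Pattern-based detection over endpoint events. Added example: not code
from the advisory and not a real BRICKSTORM rule. It evaluates two
HYPOTHETICAL Sigma-style rules (selection AND NOT filter) that encode the
advisory's guidance to alert on abnormal scheduled tasks and DLL writes,
against CONSTRUCTED Security/Sysmon-shaped events."""
import re

RULES = [
    {
        "title": "Scheduled task whose action runs from a user-writable path",
        "selection": {
            "EventID": ["4698"],  # Windows Security log: a scheduled task was created
            "TaskContent|contains": ["\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\"],
        },
        # Constructed allow-list exempting built-in Microsoft tasks. Filters are
        # where false negatives hide, so keep them narrow and review them.
        "filter": {"TaskName|startswith": ["\\microsoft\\windows\\"]},
    },
    {
        "title": "DLL written into a system directory by a non-servicing process",
        "selection": {
            "EventID": ["11"],  # Sysmon: file created
            "TargetFilename|endswith": [".dll"],
            "TargetFilename|startswith": ["c:\\windows\\system32\\", "c:\\windows\\syswow64\\"],
        },
        # Constructed allow-list of Windows servicing/installer processes.
        "filter": {"Image|endswith": ["\\trustedinstaller.exe", "\\tiworker.exe", "\\msiexec.exe"]},
    },
]

# Constructed events (not captured telemetry); field names follow the
# Windows Security log and Sysmon conventions.
SAMPLE_EVENTS = [
    {"EventID": "4698", "SubjectUserName": "SYSTEM",
     "TaskName": "\\Microsoft\\Windows\\UpdateOrchestrator\\Schedule Scan",
     "TaskContent": "<Exec><Command>C:\\Windows\\System32\\usoclient.exe</Command></Exec>"},
    {"EventID": "4698", "SubjectUserName": "jdoe",
     "TaskName": "\\SyncHelper",
     "TaskContent": "<Exec><Command>C:\\Users\\jdoe\\AppData\\Roaming\\sync\\helper.exe</Command></Exec>"},
    {"EventID": "11", "Image": "C:\\Windows\\servicing\\TrustedInstaller.exe",
     "TargetFilename": "C:\\Windows\\System32\\vendor.dll"},
    {"EventID": "11", "Image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\setup.exe",
     "TargetFilename": "C:\\Windows\\System32\\helper.dll"},
]

def field_matches(spec: str, patterns, event: dict) -> bool:
    """One Sigma-style field test: 'Field|modifier'; values within a spec are ORed."""
    name, _, modifier = spec.partition("|")
    value = str(event.get(name, "")).lower()
    for pat in patterns:
        if modifier == "re":
            if re.search(pat, value, re.IGNORECASE):
                return True
            continue
        pat = pat.lower()
        if (modifier == "" and value == pat
                or modifier == "contains" and pat in value
                or modifier == "startswith" and value.startswith(pat)
                or modifier == "endswith" and value.endswith(pat)):
            return True
    return False

def block_matches(block: dict, event: dict) -> bool:
    """All field specs in a selection/filter block must match (AND)."""
    return all(field_matches(spec, pats, event) for spec, pats in block.items())

def evaluate(rule: dict, event: dict) -> bool:
    """Sigma's most common condition: selection and not filter."""
    if not block_matches(rule["selection"], event):
        return False
    flt = rule.get("filter")
    return not (flt and block_matches(flt, event))

def run_rules(events=SAMPLE_EVENTS, rules=RULES):
    """Return (event_index, rule_title) for every rule that fires on each event."""
    return [(i, r["title"]) for i, ev in enumerate(events) for r in rules if evaluate(r, ev)]

if __name__ == "__main__":
    for i, title in run_rules():
        print(f"event {i}: {title}")
```

Of the four constructed events only the second (a task launching from a user profile directory) and the fourth (a DLL dropped into System32 by a process running out of a temp folder) fire; the built-in update task and the TrustedInstaller write are suppressed by the filters. The filter blocks deserve the most scrutiny in a real deployment, since an overly broad allow-list turns a behavioural rule back into something an adversary can sidestep by choosing a plausible name or path.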
Implications for National Security and Infrastructure Trust
The presence of BRICKSTORM in networks supporting government operations indicates a long-term effort by Chinese-sponsored groups to position themselves inside strategic infrastructure. With this level of persistence, adversaries can observe sensitive processes, harvest authentication material and stage further attacks with minimal detection.
Widespread use of the same remote management and IT service tools across industries amplifies the risk. A compromise at one service provider may cascade into multiple sectors, including defense, transportation and critical manufacturing.
What Organizations Should Do Now
Federal agencies recommend that organizations adopt a proactive stance and assume compromise until proven otherwise.
- Run immediate scans using the provided IOCs, YARA and Sigma rules.
- Audit privileged accounts and remove unused or unnecessary elevated access.
- Increase network logging and inspect for unusual outbound connections.
- Isolate suspicious hosts for deeper forensic analysis.
Supply chain partners, contractors and IT vendors should be prioritized for security assessments due to their elevated access to government and enterprise environments.
A New Phase in State-Sponsored Persistence Operations
The BRICKSTORM campaign demonstrates how state-sponsored actors are shifting toward deeply embedded access strategies that prioritize stealth and long-term intelligence collection. As geopolitical tensions continue to evolve, these operations are expected to expand in scale and sophistication.
For organizations across North America, rapid adoption of the released detection tools and close coordination with federal cybersecurity authorities will be essential to interrupt adversary operations and restore confidence in critical systems.