China Hack Report: Daily US Tech Defense

Brickstorm Bombshell: China's Cyber Spies Caught Red-Handed in Year-Long Hacking Spree


This is your China Hack Report: Daily US Tech Defense podcast.
Alright listeners, I'm Ting, and if you thought the cyber threat landscape was calm lately, buckle up because things just got absolutely wild. Over the past forty-eight hours, the U.S. Cybersecurity and Infrastructure Security Agency, the National Security Agency, and Canada's Cyber Security Centre dropped a bombshell report that's got everyone in the defensive trenches working overtime.
Meet Brickstorm, a nightmare-fuel backdoor that's been quietly embedding itself into American networks since at least 2022. According to CISA, NSA, and the Canadian Centre for Cyber Security, this isn't your run-of-the-mill malware. We're talking about sophisticated, Golang-written backdoor code designed specifically to infiltrate VMware vSphere and Windows environments with the surgical precision of a state-sponsored hacker group from the People's Republic of China. According to Nick Andersen, CISA's executive assistant director for cybersecurity, these actors are not just infiltrating networks—they're embedding themselves to enable long-term access, disruption, and potential sabotage.
The scope is staggering. Austin Larsen from Google Threat Intelligence Group estimates dozens of U.S. organizations have been impacted, and that's just what they've managed to identify. Researchers at CrowdStrike have been tracking this activity under the moniker Warp Panda, and they've documented intrusions dating back to at least 2022. The group has deployed Brickstorm alongside two previously unknown Golang implants called Junction and GuestConduit. What makes this particularly insidious is that once inside, these actors maintain persistence for an average of 393 days—that's over a year of unchecked access to your network.
The initial access vector typically comes from compromised internet-facing edge devices and vulnerabilities in VMware vCenter. Warp Panda exploits CVE-2024-38812, CVE-2023-34048, and CVE-2021-22005 in vCenter, along with CVE-2024-21887 and CVE-2023-46805 in Ivanti Connect Secure. Once they're in, they escalate to domain controllers, steal Active Directory databases, and clone virtual machine snapshots to harvest credentials. They've even been observed creating hidden rogue VMs to maintain persistence while evading detection. According to CrowdStrike, these actors are targeting government agencies, IT firms, legal services, technology companies, and manufacturing entities across North America.
What's particularly dangerous is how Brickstorm communicates. It uses DNS-over-HTTPS, nested TLS, and WebSocket protocols for command-and-control operations. Some variants use VSOCK-based communication engineered specifically for virtualized environments. The malware has the ability to automatically reinstall or restart itself through self-monitoring functions, meaning even if you think you've ejected it, it's already planned its triumphant return. According to researchers and CISA officials, the threat
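The episode lists two egress patterns a defender can actually look for at the network edge: DNS-over-HTTPS and WebSocket command-and-control originating from hypervisor management hosts. The script below is an added example written for this page by the editor; it is not code from the podcast, from CISA/NSA, or from any vendor report. It runs a small triage over constructed proxy-style log lines and flags a finding when a vCenter or ESXi management address talks to a public DoH resolver (or to any `/dns-query` path) or completes a WebSocket upgrade. The log format, the host-to-role map, the resolver list and the addresses are all assumptions for the demo; nested TLS and VSOCK (which never leaves the host) are out of reach for this kind of log and need host- or hypervisor-side telemetry instead.

```python
"""
Editor-added example for log triage of hypervisor egress (not the podcast's
or any vendor's code). Flags two patterns the episode attributes to Brickstorm
C2, DNS-over-HTTPS and WebSocket upgrades, when the source is a vCenter/ESXi
management host. Log format, host roles and resolver list are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumption: management addresses of the (constructed) vSphere estate.
MGMT_HOSTS: Dict[str, str] = {
    "10.10.0.5": "vcenter01",
    "10.10.0.11": "esxi01",
    "10.10.0.12": "esxi02",
}

# Well-known public DoH endpoints; a hypervisor has no legitimate reason to use them.
DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net", "doh.opendns.com"}

# Assumed proxy log layout:
#   <ts> <src> <dst>:<port> host=<sni/Host> <METHOD> <path> [upgrade=<header>]
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) (?P<dst>[\d.]+):(?P<port>\d+) "
    r"host=(?P<host>\S+) (?P<method>[A-Z]+) (?P<path>\S+)(?: upgrade=(?P<upgrade>\S+))?$"
)

# Constructed sample log: two hypervisor C2-like events, one benign hypervisor
# fetch, one workstation line (ignored), and a DoH query to a raw IP on 8443.
SAMPLE_LOG: List[str] = [
    "2024-05-01T10:00:00Z 10.10.0.5 8.8.8.8:443 host=dns.google POST /dns-query",
    "2024-05-01T10:00:05Z 10.10.0.11 203.0.113.7:443 host=cdn-updates.example.net GET /socket upgrade=websocket",
    "2024-05-01T10:01:00Z 10.20.0.40 142.250.0.1:443 host=www.google.com GET /",
    "2024-05-01T10:02:00Z 10.10.0.12 198.51.100.3:443 host=vcsa-updates.example.com GET /patches",
    "2024-05-01T10:03:00Z 10.10.0.5 203.0.113.9:8443 host=203.0.113.9 GET /dns-query?dns=AAAB",
]


@dataclass
class Finding:
    ts: str
    src: str
    role: str
    reason: str


def parse_line(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Parse one assumed-format log line; return None for lines that do not match."""
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None


def triage(lines: List[str]) -> List[Finding]:
    """Return findings for DoH or WebSocket egress from management hosts only."""
    findings: List[Finding] = []
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["src"] not in MGMT_HOSTS:
            continue  # workstations and unparsable lines are out of scope here
        role = MGMT_HOSTS[rec["src"]]
        host = (rec["host"] or "").lower()
        path = rec["path"] or ""
        # DoH: known resolver hostname, or the RFC 8484 /dns-query path to any host.
        if host in DOH_HOSTS or path.startswith("/dns-query"):
            findings.append(Finding(rec["ts"], rec["src"], role,
                                    f"DNS-over-HTTPS to {host}{path}"))
        # WebSocket: an Upgrade header on a hypervisor's outbound request.
        elif (rec.get("upgrade") or "").lower() == "websocket":
            findings.append(Finding(rec["ts"], rec["src"], role,
                                    f"WebSocket upgrade to {host}:{rec['port']}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.ts} {f.role} ({f.src}): {f.reason}")
```

In practice the interesting filter is the source set, not the destination list: hypervisors and vCenter appliances have a small, predictable set of outbound destinations (update servers, NTP, syslog, backup), so any HTTPS session from them that carries a WebSocket upgrade or a `/dns-query` path deserves a ticket even when the destination is not on a known-bad list.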
This content was created in partnership and with the help of Artificial Intelligence (AI).

By Inception Point AI