The Cyber Resilience Brief: A SafeBreach Podcast

Ep. 24 - BrickStorm: From LoTL to "Living Off the Blind Spot"



In this episode of The Cyber Resilience Brief, host Tova Dvorin and SafeBreach offensive security expert Adrian Culley unpack BrickStorm — a highly sophisticated espionage operation attributed to China-nexus group UNC5221. With an average dwell time of 393 days, this campaign redefines stealth and persistence in cyber warfare.

Discover how attackers are “living off the blind spot” by exploiting critical infrastructure gaps in VPNs, VMware vCenter servers, and ESXi hosts — areas traditional security tools can’t see. Adrian breaks down their use of Go-based malware, delayed activation, and a genius offline credential theft technique that clones virtual machines to exfiltrate data undetected.

The episode also explores the strategic implications of this new evolution in supply chain attacks, where adversaries steal today to weaponize tomorrow, and how organizations can defend themselves through proactive security testing, Breach and Attack Simulation (BAS), and Continuous Automated Red Teaming (CART).

Key topics:

  • UNC5221’s long-term espionage and data exfiltration tactics

  • How attackers evade EDR and traditional defenses

  • Why BrickStorm represents the “next level” in nation-state cyber operations

  • How BAS and CART expose and close blind spots before attackers do
