
Brickstorm malware powering ‘next-level’ Chinese cyberespionage campaign

24 September 2025 at 10:00

Ambitious, suspected Chinese hackers with a slew of goals — stealing intellectual property, mining intelligence on national security and trade, and developing avenues for future advanced cyberattacks — have been setting up shop inside U.S. target networks for exceptionally long stretches of time, in a campaign that the researchers who uncovered it said could present problems for years to come.

Mandiant and Google Threat Intelligence Group (GTIG) researchers described the campaign as exceptionally sophisticated, stealthy and complex, calling those behind it a “next-level threat.” But they don’t yet have a full handle on who is behind the malware they’ve dubbed Brickstorm, or how far the campaign stretches. A blog post Google published Wednesday sheds light on the group.

The primary targets are legal services organizations and tech companies that provide security services, the researchers said. But the hackers aren’t limiting their interest to the primary targets, since they’ve used that access to infiltrate “downstream” customers. The researchers declined to describe those downstream customers, or say whether U.S. federal agencies are among those targeted. A great many of them don’t know yet that they’re victims, they said.

By stealing intellectual property, including source code, from software-as-a-service (SaaS) firms, the hackers aim to find future zero-day vulnerabilities, flaws that are previously unknown and unpatched and therefore highly prized, in order to enable more attacks down the line, the researchers from Mandiant and its parent company Google said.

The researchers declined to comment on possible Chinese government agency connections. But they see overlap with Chinese hacking groups like the one they’ve labeled UNC5221 — perhaps best known for exploiting Ivanti flaws, and a group that Mandiant and GTIG described as the “most prevalent” China-nexus threat group right now — and the one Microsoft calls Silk Typhoon, which researchers warned recently has been ramping up its attacks this year, with targets including IT supply chains and the cloud. Silk Typhoon is believed to be Chinese government-sponsored.

Google has also released a tool that potential victims can use to check whether they’ve been affected by Brickstorm activity. Its experts expect that to be a common outcome: scores of organizations could discover compromises over the coming weeks.

“We have no doubt that organizations will use our tools to hunt for this adversary, and they will find evidence of compromise in their environments,” Charles Carmakal, chief technology officer at Mandiant Consulting, told reporters briefed on the blog post. “And it may be active compromises, it might be historic compromises, but many of our organizations are going to discover that they were dealing with this adversary.” 

Sneaky, sneaky

The campaign’s average “dwell time” is 400 days, they said, compared with intrusion dwell times more commonly measured in days or weeks.

Several features obscure Brickstorm activity. “It’s very hard to detect them and to investigate them,” said Austin Larsen, principal threat analyst at GTIG.

The hackers target systems that cannot run endpoint detection and response (EDR) agents, the kind of tooling that finds and tracks threats on ordinary endpoints such as laptops or cell phones. Examples of such systems include email security gateways and vulnerability scanners. They consistently target VMware vCenter and ESXi hosts, according to the blog post.

The researchers also never see the attackers reuse IP addresses across victims, Larsen said, nor does another common way of linking intrusions, file hashes, help: “The hashes when they land on this are different for essentially every system.”

Brickstorm attackers also “clean up after themselves” at times, Carmakal said. “Brickstorm may not exist in a victim environment today, but it could have been there for a year and a half. It might have been deleted back in April this year, back in January this year,” he said.

What they want

Brickstorm also isn’t just about one goal. “It’s an intelligence operation, but not just an intelligence operation,” said John Hultquist, chief analyst at GTIG. “This is a long-term play.”

The hackers are primarily compromising victims through zero-days, but they’re aiming to uncover new ones, too, by going through companies’ proprietary source code. That gives them multiple ways to penetrate new victim networks.

The Brickstorm hackers “hit the SaaS providers, who either hold data for people, or they have some connectivity to downstream,” Hultquist said. Or he said the group can “get a hold of the technology source code and leverage that source code information to gain access or to build out exploits in that technology, which would then give [them] basically a skeleton key to that technology.”

But the targeting can be even more precise than that. “As part of this campaign, we observed in some organizations — including some legal organizations — we observed the actor searching the emails of very specific individuals,” Larsen said. The hackers have focused on collecting intelligence on international trade and national security from those organizations.

Google has been tracking Brickstorm for a while now. This spring, Belgian cybersecurity company NVISO also shone a spotlight on Brickstorm variants spying on European businesses. Google’s latest blog post identifies Brickstorm activity as far more extensive than previously described.

The response

Mandiant and GTIG have notified U.S. federal agencies and international governments about the campaign.

The tool is a scanner script for Unix systems that works even where YARA (a common tool for finding and identifying malware) isn’t installed. It performs the same kind of search a specific YARA rule would, looking for strings and patterns that are unique to the Brickstorm backdoor, and is intended for the appliances and hypervisor hosts where an EDR agent or YARA cannot be deployed.
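To show how a string-based scanner of that kind works, here is an added example of a minimal YARA-style scanner written for this page. It is not Mandiant’s or Google’s script, and the three patterns in DEMO_RULE are invented placeholders, not Brickstorm indicators; the point is the mechanism (named byte patterns, an “N of them” threshold, a filesystem walk that survives unreadable files), which applies to whatever strings a real rule carries.

```python
# Added example (not the Mandiant/GTIG scanner): a minimal YARA-style string
# scanner for hosts where YARA is not installed. The DEMO_RULE strings are
# placeholders invented for this page, not Brickstorm indicators.
import os
import re
import tempfile
from dataclasses import dataclass


@dataclass
class Rule:
    """A YARA-like rule: named byte patterns plus an 'N of them' threshold."""
    name: str
    patterns: dict          # string id -> compiled bytes regex
    min_matches: int = 1    # distinct patterns that must hit (YARA: '2 of them')


def compile_rule(name, strings, min_matches=1):
    """Build a Rule. Each value is a bytes literal (matched verbatim, like a
    YARA text string) or a compiled bytes regex (like a YARA /regex/)."""
    patterns = {}
    for sid, s in strings.items():
        patterns[sid] = s if isinstance(s, re.Pattern) else re.compile(re.escape(s))
    return Rule(name, patterns, min_matches)


def scan_bytes(rule, data):
    """Return the ids of patterns found in data if the threshold is met,
    otherwise an empty list (a single stray string is not a detection)."""
    hits = [sid for sid, rx in rule.patterns.items() if rx.search(data)]
    return hits if len(hits) >= rule.min_matches else []


def scan_tree(rule, root, max_size=512 * 1024 * 1024,
              exclude=("/proc", "/sys", "/dev")):
    """Walk root and return {path: [matched ids]} for files matching the rule.
    Pseudo-filesystems are pruned, symlinks and oversized files are skipped,
    and unreadable files are ignored so one permission error does not abort
    a sweep of an appliance filesystem."""
    results = {}
    for dirpath, dirs, names in os.walk(root):
        dirs[:] = [d for d in dirs if os.path.join(dirpath, d) not in exclude]
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                if os.path.islink(path) or not os.path.isfile(path):
                    continue
                if os.path.getsize(path) > max_size:
                    continue
                with open(path, "rb") as f:
                    data = f.read()
            except OSError:
                continue
            hits = scan_bytes(rule, data)
            if hits:
                results[path] = hits
    return results


# Hypothetical rule for demonstration only; every string here is invented.
DEMO_RULE = compile_rule(
    "demo_backdoor_strings",
    {
        "s1": b"example_c2_beacon",
        "s2": re.compile(rb"/var/tmp/\.[a-z]{4,8}\.sock"),
        "s3": b"EXAMPLE_SOCKS_RELAY",
    },
    min_matches=2,
)


def demo():
    """Scan a constructed directory holding one fake 'implant', one benign
    file and one file with a lone coincidental string. Returns the basenames
    the rule flagged (only the implant should appear)."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "implant.bin"), "wb") as f:
            f.write(b"\x7fELF" + b"\x00" * 64
                    + b"example_c2_beacon\x00/var/tmp/.abcd.sock")
        with open(os.path.join(root, "benign.txt"), "wb") as f:
            f.write(b"nothing to see here\n")
        with open(os.path.join(root, "lone.txt"), "wb") as f:
            f.write(b"EXAMPLE_SOCKS_RELAY mentioned once in a ticket\n")
        found = scan_tree(DEMO_RULE, root)
        return sorted(os.path.basename(p) for p in found)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, ids in scan_tree(DEMO_RULE, target).items():
        print(f"{path}: {', '.join(ids)}")
```

Run it as `python3 scanner.py /` on a mounted appliance or hypervisor image to sweep the whole filesystem; the threshold matters because a single string from a rule can turn up in logs, tickets or cached vendor advisories, which is exactly the false positive a scan of a security vendor’s own systems will produce. A hit is a reason to start the enterprise-wide investigation the researchers describe, not the end of one: as the article notes, the actor deletes its tooling, so a clean scan today does not rule out an earlier compromise.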

“The most important thing here is, if you find Brickstorm, you really need to do a very thorough enterprise investigation, because the adversary that’s dropping this is a very, very advanced adversary that is known for stealing intellectual property from organizations,” Carmakal said. “It’s known for using access from victim companies to get into downstream customer environments.”

It’s all a “very, very significant threat campaign [that’s] very, very hard to defend against in tech,” Carmakal said.

Updated 9/24/25: with additional information about past Brickstorm reporting.

The post Brickstorm malware powering ‘next-level’ Chinese cyberespionage campaign appeared first on CyberScoop.

UK abandons Apple backdoor demand after US diplomatic pressure

By: Greg Otto
19 August 2025 at 09:52

The United Kingdom has withdrawn its demand that Apple create a backdoor to its encrypted cloud systems following months of diplomatic pressure from the United States, according to a statement from Director of National Intelligence Tulsi Gabbard.

Gabbard announced the decision Monday on X, stating that the U.S. government had worked closely with British partners “to ensure Americans’ private data remains private and our Constitutional rights and civil liberties are protected.”

The reversal marks a significant development in the ongoing global debate over government access to encrypted communications and represents a victory for American officials concerned about protecting U.S. citizens’ digital privacy rights. 

The British government’s original demand came through a technical capability notice issued in January 2025 under the country’s Investigatory Powers Act. The order would have required Apple to provide blanket access to end-to-end encrypted cloud data, including information belonging to users outside the United Kingdom.

Apple responded to the British demand by disabling its Advanced Data Protection feature for U.K. users in February 2025. The feature provides end-to-end encryption for iCloud data storage, making it inaccessible even to Apple itself.

The company expressed disappointment with the requirement, stating it had never built backdoors into its products and never would. Apple subsequently appealed the order’s legality through the Investigatory Powers Tribunal, which denied the British government’s attempts to keep the proceedings secret.

“We are gravely disappointed that the protections provided by ADP will not be available to our customers in the U.K., given the continuing rise of data breaches and other threats to customer privacy,” Apple said at the time.

American lawmakers had expressed significant concern about the U.K.’s encryption demands. In February, Sen. Ron Wyden, D-Ore., and Rep. Andy Biggs, R-Ariz., wrote to Gabbard arguing that forcing Apple to create backdoors would “seriously threaten the privacy and security of both the American people and the U.S. government.”

The lawmakers noted that Apple does not create different encryption software for different markets, meaning any backdoor created for British authorities would potentially affect American users. They suggested the U.S. should reconsider its cybersecurity and intelligence-sharing arrangements with the U.K. if Apple were forced to comply with the demands.

The dispute echoes previous conflicts between Apple and government authorities over encryption access. In 2016, Apple engaged in a prolonged legal battle with the U.S. government over providing access to an iPhone used by one of the perpetrators of the December 2015 San Bernardino attack. The FBI ultimately gained access through a third-party vendor after Apple refused to create custom software to bypass the device’s security.

The post UK abandons Apple backdoor demand after US diplomatic pressure appeared first on CyberScoop.

British government reportedly set to back down on secret iCloud backdoor after US pressure

By: Dissent
21 July 2025 at 07:35
Ben Lovejoy reports: We learned earlier this year that the British government had secretly ordered Apple to create a backdoor into encrypted data for all iCloud users worldwide. Specifically, it wanted a way to see personal data protected by Apple’s introduction of Advanced Data Protection (ADP), which extended end-to-end encryption to almost all iCloud data, meaning not even the iPhone maker could access...

Lawrence’s List 070116

By: BHIS
1 July 2016 at 11:20

Lawrence Hoffman // As I previously mentioned I’m on vacation this week and next. As I like to go for long cross-country drives I’ve not had much time to keep […]

The post Lawrence’s List 070116 appeared first on Black Hills Information Security, Inc.
