Code Defence Cyber security

China-Linked “Brickstorm” Malware Persists in Critical Infrastructure

Following the joint advisory from US and Canadian agencies, further analysis confirms that the “Brickstorm” malware is being used by Chinese state-sponsored actors to maintain long-term persistence inside government and IT networks. The malware targets VMware vSphere environments, a layer that traditional endpoint detection tools do not cover.

Business Impact

“Brickstorm” is built for endurance: it stays hidden for months or years to harvest credentials and, in a conflict, could be used to disrupt operations. Because it lives at the virtualization layer (vCenter), an attacker can control the virtual machines and the data center infrastructure beneath them without touching the guest operating systems where EDR agents normally run.

Why It Happened

State actors are shifting their tactics toward foundational infrastructure software such as VMware vSphere, which is widely trusted and usually monitored far less rigorously than user endpoints. The malware relies on the complexity of virtualized environments, and on the absence of EDR agents on the management appliances and hypervisors themselves, to evade detection.

Recommended Executive Action

Commission a targeted threat hunt for published Brickstorm indicators of compromise across your virtualization environment, in particular vCenter appliances and ESXi hosts. Ensure that vCenter and ESXi management interfaces are never reachable from the internet, that administrative access requires MFA, and that every administrative session is logged through a separate, tamper-resistant channel (for example, syslog forwarded to a SIEM that the virtualization administrators cannot modify), so that an intruder who controls the hypervisor cannot also erase the record of how they got there.

Hashtags: #Brickstorm #China #APT #CriticalInfrastructure #VMware #CyberEspionage #CISA #InfoSec
