Stealthy BRICKSTORM Backdoor Enables Espionage into Tech and Legal Sector
Researchers have tracked a stealthy, “next-level” Chinese hacking campaign built around a backdoor dubbed “BRICKSTORM”. It targets legal services and technology companies and maintains persistent access to them, stealing intellectual property, mining intelligence on national security and trade matters, and positioning the operators for future cyberattacks.
More details are available here: https://cloud.google.com/blog/topics/threat-intelligence/brickstorm-espionage-campaign
Ensar Seker, CISO at SOCRadar, commented:
“This Brickstorm campaign marks a striking evolution in adversary tradecraft. What makes it ‘next level’ is not simply the long dwell times or precision targeting, though both are alarming, but rather the strategic layering of access, reconnaissance, and supply-chain influence. By infiltrating tech security and legal services firms, the attackers don’t just get to access those environments, they gain pathways into their clients and partners, giving them a multiplier effect on reach. Some of those downstream systems may not even realize they’ve been compromised yet.
“The motivation here is long-term, not opportunistic. Brickstorm’s operators are methodically exfiltrating intellectual property and internal designs, which gives them a unique insight into how to bypass defenses and identify zero-day opportunities. In effect, they’re embedding themselves into the ecosystem, harvesting the same tools and knowledge base they hope to exploit later. That kind of foresight suggests a campaign designed not just for espionage, but for building capabilities that can support multiple future attacks.
“From a defensive posture, this raises the bar. Security firms, the very guardians of trust, must now treat themselves as high-priority targets in their own right. That means rethinking how we design isolation, telemetry, and insider-monitoring within security operations. It means segmenting access zones not just for customers, but even among internal service components. It demands relentless threat hunting, especially in trust relationships and client integrations. In practical terms, organizations should assume that any vendor they trust may be compromised, not eventually, but right now. That means requiring stricter attestation, enforcing zero-trust architectures around vendor connections, validating every cross-tenant data flow, and adopting reciprocal visibility with those vendors. The fact that Brickstorm is already leveraging downstream infiltration highlights just how fragile the boundary between ‘client’ and ‘supplier’ has become.
“In a nutshell, Brickstorm is a wake-up call: adversaries are no longer treating high-value firms as endpoints to exploit, but as nodes in a broader intelligence and access network. Defending against that requires that we think in ecosystems and assume compromise, not just for ourselves, but for every connected party.”
I am actually quite disturbed by this, as it sounds like the Cold War all over again. This highlights the fact that the bad guys come in all shapes and sizes, as well as agendas.
UPDATE: Tom Kellermann, cybercrime expert and VP of Cyber Risk for HITRUST, had this to say:
“Since the Titan Rain campaign, China has pursued an insurgency strategy in American cyberspace, maintaining persistent access through sophisticated backdoors like BRICKSTORM that serve as the cornerstone of their economic espionage operations. These initial compromises enable secondary infections and lateral movement across networks, creating a cascading security threat that must be systematically eradicated to protect both national and economic security.”
This entry was posted on September 25, 2025 at 3:37 pm and is filed under Commentary with tags Google. You can follow any responses to this entry through the RSS 2.0 feed.