Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

Suspected Chinese Spy Operation Exposed: "Numerous" Enterprises Breached by Advanced Persistent Threat



Google has revealed a sophisticated and targeted attack by suspected Chinese spies, who have breached numerous enterprise networks since March this year. The attackers, identified as part of the UNC5221 threat group, have deployed backdoors in the victims' systems, providing them with long-term access to sensitive data. This operation highlights the ongoing threat posed by advanced persistent threats (APTs) and the need for organizations to stay vigilant and proactive in detecting and responding to such attacks.

  • The UNC5221 threat group has breached numerous enterprise networks since March this year.
  • The attackers have deployed backdoors, providing them with long-term access to sensitive data.
  • The average duration of an undetected breach is 393 days.
  • The attackers have used zero-days in buggy Ivanti gear and consistently targeted VMware vCenter and ESXi hosts.
  • The attackers deployed backdoors on appliances that do not support traditional endpoint detection and response (EDR) tools.
  • The threat group is separate from Silk Typhoon (aka Hafnium), believed to be behind the December break-in at the US Treasury Department.
  • The attackers have installed a malicious Java Servlet filter for the Apache Tomcat server, allowing them to capture sensitive credentials.
  • The attackers targeted key individuals within organizations, including developers and system administrators, involved in matters related to PRC economic interests.
  • Mandiant Consulting has responded to the break-ins and made available a free scanner to help organizations detect BRICKSTORM activity.
  • Using traditional indicators of compromise (IOCs) is not effective in detecting BRICKSTORM activity; instead, use TTP-based approaches.



Google has revealed a sophisticated and targeted attack by suspected Chinese spies, who have breached numerous enterprise networks since March of this year. The attackers, identified as part of the UNC5221 threat group, have deployed backdoors in the victims' systems, providing them with long-term access to sensitive data. According to Google Threat Intelligence, the average duration of an undetected breach is 393 days.

The attackers have used zero-days in buggy Ivanti gear since at least 2023, and have consistently targeted VMware vCenter and ESXi hosts. They have also deployed backdoors on appliances that do not support traditional endpoint detection and response (EDR) tools, making it difficult for organizations to detect the malicious activity.

Google notes that this UNC crew is separate from Silk Typhoon (aka Hafnium), believed to be behind the December break-in at the US Treasury Department. The attackers have also installed a malicious Java Servlet filter for the Apache Tomcat server that runs the web interface for vCenter, allowing them to capture sensitive credentials.

The attackers have used BRICKSTORM, a backdoor written in Go, which includes SOCKS proxy functionality. They have targeted key individuals within organizations, including developers and system administrators, who are involved in matters related to PRC economic interests.

Mandiant's consulting and incident response team has responded to these UNC5221-related break-ins across legal services, SaaS providers, BPOs, and technology companies. The threat intelligence team has made available a free, downloadable scanner to help organizations hunt for BRICKSTORM activity on their networks.

"This group is scaling their capabilities," said Charles Carmakal, Mandiant Consulting Chief Technology Officer. "As more companies scan their systems, we anticipate we'll be hearing about this campaign for the next one to two years."

Carmakal also noted that using traditional indicators of compromise (IOCs) is not effective in detecting BRICKSTORM activity, as the attackers do not reuse C2 domains or malware samples. Instead, organizations should use a Tactics, Techniques, and Procedures (TTP)-based approach to detect patterns of attack.
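One way to turn the Tomcat servlet-filter observation and the TTP-based detection advice into a concrete, hash-independent check, as an added example that is not from the article, Google or Mandiant: the script parses a Java web application's web.xml, lists every declared servlet filter with its URL mapping, and flags any filter whose class falls outside a known-good baseline. A filter mapped to "/*" runs in front of every request, including the login form, which is why such an entry is rated higher. The baseline prefixes, the sample web.xml, the com.example.app package and the rogue UpdateFilter class are all constructed for the demonstration; the Mandiant scanner mentioned above is a separate tool whose logic is not reproduced here.

```python
"""Audit a Tomcat web application's web.xml for servlet filters outside an expected baseline.

Servlet filters execute on every request matched by their url-pattern, so an unexpected
filter mapped to "/*" sits in front of the login handler and can observe submitted
credentials.  Comparing declared filters against a known-good baseline is a TTP-style
check: it needs no malware hash or C2 domain to fire.
"""

import xml.etree.ElementTree as ET

# Hypothetical baseline: class-name prefixes that belong to the container or the product.
# In practice, derive this list from a clean install of the same product version.
KNOWN_FILTER_PREFIXES = (
    "org.apache.catalina.filters.",
    "com.example.app.",
)

# Constructed sample web.xml; the third filter is the kind of entry the audit should flag.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <filter>
    <filter-name>CorsFilter</filter-name>
    <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>CorsFilter</filter-name>
    <url-pattern>/api/*</url-pattern>
  </filter-mapping>
  <filter>
    <filter-name>SessionFilter</filter-name>
    <filter-class>com.example.app.SessionFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>SessionFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <filter>
    <filter-name>UpdateFilter</filter-name>
    <filter-class>org.apache.util.UpdateFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>UpdateFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
</web-app>
"""


def _local(tag):
    """Strip the XML namespace so the parser works for any web-app schema version."""
    return tag.rsplit("}", 1)[-1]


def _child_texts(element, wanted):
    """Return the stripped text of every direct child whose local tag name is `wanted`."""
    return [(c.text or "").strip() for c in element if _local(c.tag) == wanted]


def parse_filters(web_xml_text):
    """Return {filter-name: {"class": str, "patterns": [str, ...]}} from a web.xml document."""
    root = ET.fromstring(web_xml_text)
    filters = {}
    # First pass: filter declarations (name -> implementing class).
    for el in root:
        if _local(el.tag) == "filter":
            names = _child_texts(el, "filter-name")
            classes = _child_texts(el, "filter-class")
            if names:
                filters[names[0]] = {"class": classes[0] if classes else "", "patterns": []}
    # Second pass: mappings attach one or more url-patterns to a declared filter.
    for el in root:
        if _local(el.tag) == "filter-mapping":
            names = _child_texts(el, "filter-name")
            if names and names[0] in filters:
                filters[names[0]]["patterns"].extend(_child_texts(el, "url-pattern"))
    return filters


def audit_filters(web_xml_text, known_prefixes=KNOWN_FILTER_PREFIXES):
    """List filters whose class is outside the baseline; "high" when mapped to every path."""
    findings = []
    for name, info in parse_filters(web_xml_text).items():
        if info["class"].startswith(known_prefixes):
            continue
        severity = "high" if "/*" in info["patterns"] else "medium"
        findings.append({"filter": name, "class": info["class"],
                         "patterns": info["patterns"], "severity": severity})
    return findings


if __name__ == "__main__":
    for f in audit_filters(SAMPLE_WEB_XML):
        print(f"[{f['severity']}] unexpected filter {f['filter']} ({f['class']}) mapped to {f['patterns']}")
```

Run against the sample, the audit reports only UpdateFilter, rated high because it is mapped to "/*". To use it on a real appliance, feed it the web.xml read from a mounted disk or backup image and replace the baseline prefixes with those taken from a clean install of the same version; a declared filter class should also correspond to a class file or JAR that is part of the product's own inventory, which is a natural follow-up check.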

In one case, the suspected Chinese data thieves gained initial access by exploiting a zero-day vulnerability in an Ivanti Connect Secure edge device. The attackers then deployed BRICKSTORM on the affected system, providing them with persistent access to sensitive data.

The attackers have also removed malware samples from compromised systems, making it difficult for organizations to detect and respond to the attack. In several cases, the presence of BRICKSTORM was observed by conducting forensic analysis of backup images that identified the malware in place.

In conclusion, this sophisticated spy operation highlights the ongoing threat posed by advanced persistent threats (APTs) and the need for organizations to stay vigilant and proactive in detecting and responding to such attacks. The use of zero-days, backdoors, and other sophisticated techniques by APT groups makes it increasingly challenging for organizations to protect themselves against these types of threats.



Related Information:
  • https://www.ethicalhackingnews.com/articles/Suspected-Chinese-Spy-Operation-Exposed-Numerous-Enterprises-Breached-by-Advanced-Persistent-Threat-ehn.shtml

  • Published: Wed Sep 24 16:48:21 2025 by llama3.2 3B Q4_K_M