US & Canada Warn of Chinese-Linked Hackers Using "Brickstorm" Malware for Potential Sabotage on Critical Infrastructure

Dec 5, 2025 | United States | Cybersecurity

US & Canadian agencies warn of Chinese-linked hackers using "Brickstorm" malware to infiltrate critical infrastructure for potential sabotage. China denies alle

US & Canada Issue Urgent Warning on Chinese-Linked "Brickstorm" Malware Threat

Recent advisories from U.S. and Canadian cybersecurity agencies have unveiled a persistent and sophisticated threat from state-backed, Chinese-linked hacking groups. These groups are reportedly employing advanced malware, dubbed "Brickstorm," to infiltrate government and information technology entities, establishing long-term access for potential disruption and sabotage.

Unveiling the "Brickstorm" Threat

The joint warning, issued by the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Canadian Centre for Cyber Security, highlights a disturbing trend of Chinese hackers specifically targeting critical infrastructure. Madhu Gottumukkala, CISA's acting director, emphasized that these elaborate operations aim to embed hackers deep within sensitive networks. This prolonged access is not merely for data exfiltration but to enable future disruptions or even acts of sabotage on vital systems.

China Denies Allegations Amid Escalating Concerns

Chinese authorities, however, have vehemently denied these allegations. Liu Pengyu, a spokesperson for the Chinese embassy in Washington, stated in an official email that the Chinese government neither "encourage[s], support[s] or connive[s] at cyber attacks." He dismissed the claims from U.S. and Canadian parties as "irresponsible assertions" that lack factual evidence or any prior communication requests regarding the issue.

Malware Capabilities and Target Focus

Investigations detailed in the advisory reveal that the Brickstorm malware grants attackers formidable capabilities. Once deployed, it allows them to steal crucial login credentials and other sensitive data, ultimately providing them with the potential for full control over compromised systems. A particular case cited highlighted a company successfully penetrated in April 2024, with the attackers maintaining covert access for over a year, specifically through at least September 3, 2025. This prolonged presence underscores the strategic, long-game approach adopted by these adversaries.

The advisory, complemented by a detailed malware analysis report, is based on eight distinct Brickstorm samples recovered from organizations that were targeted. The malware has been observed specifically leveraging vulnerabilities in VMware vSphere, a widely utilized product sold by Broadcom's VMware for creating and managing virtual machines within network environments. A Broadcom spokesperson confirmed awareness of reports regarding Brickstorm's use after gaining access to customer environments, advising all customers to apply the latest software patches and adhere to robust operational security protocols.

A Pattern of Persistent Cyber Espionage

This latest incident is not an isolated occurrence but rather part of a broader, persistent pattern. U.S. government warnings have frequently highlighted Chinese-linked hacking efforts directed against global telecommunications companies and other sensitive targets in recent years. In October, a significant hack targeting the U.S. cybersecurity firm F5 was also attributed to these same Chinese-linked groups.

Further supporting this pattern, Google’s Threat Intelligence Group reported similar Brickstorm-linked intrusions in September across a diverse range of industries, including legal services, software service providers, business process outsourcers, and technology companies. Google's analysis at the time suggested that beyond traditional espionage, these operations likely serve a dual purpose: to uncover new, previously unknown vulnerabilities and to establish strategic "pivot points" for broader access to an even wider array of future victims. The ongoing nature of this threat underscores the critical need for enhanced cybersecurity vigilance and the implementation of robust defensive measures across both public and private sectors globally.
