Chinese Hackers Deploy Advanced BRICKSTORM Malware Targeting Windows and Linux Systems

Cybersecurity researchers have identified a sophisticated backdoor malware, dubbed BRICKSTORM, being utilized by Chinese state-sponsored hackers to infiltrate both Windows and Linux systems. This development marks a significant escalation in cyber espionage activities, particularly targeting European industries of strategic importance.

Evolution of BRICKSTORM

Initially, BRICKSTORM was observed on Linux-based vCenter servers. Recent analyses show that the malware has since been adapted to compromise Windows environments as well, a notable extension of the threat actor’s capabilities and reach. The group behind these attacks, tracked as UNC5221, has been linked to cyber espionage campaigns active since at least 2022.

Stealth and Persistence

Unlike typical cyber intrusions driven by financial motives, these attacks are characterized by their exceptional discretion. The perpetrators employ low-noise backdoors and exploit previously unknown vulnerabilities, allowing them to remain undetected for extended periods. This strategic approach aligns with China’s broader political strategy, which views economic strengthening as a matter of national security.

Technical Capabilities

BRICKSTORM provides attackers with robust file management and network tunneling capabilities. Through these backdoors, adversaries can:

– Browse file systems

– Create or delete arbitrary files and folders

– Tunnel network connections to facilitate lateral movement within the network

The Windows variants of BRICKSTORM are written in Go (version 1.13.5) and persist by registering scheduled tasks that launch the backdoor. Notably, these variants lack a direct command execution capability; this appears to be a deliberate design choice to evade security solutions that flag suspicious parent-child process relationships, since a backdoor that never spawns a shell or other child process leaves nothing for such tools to flag. The operators work through the file management and tunneling functions instead.
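Because the Windows variant never spawns child processes, process-tree detections miss it, and the scheduled task that launches the backdoor binary becomes the more useful artefact. The following is an added example, not code from the original article or from the researchers who analysed BRICKSTORM: it parses the CSV that `schtasks /query /fo CSV /v` prints on Windows and reports tasks whose action points at an executable outside the Windows and Program Files trees. A constructed sample is embedded so it runs anywhere; the task names, paths, and the trusted-directory heuristic are assumptions for illustration.

```python
"""Review scheduled tasks for persistence that launches binaries from unusual locations.

Added example (not the article's or the researchers' code). Input is the CSV
produced by `schtasks /query /fo CSV /v`; a constructed sample is embedded.
The trusted-directory heuristic is an assumption, not a published indicator.
"""
import csv
import io
from typing import Dict, List

# Constructed sample of schtasks CSV output (real output has ~30 columns; only
# those used below are kept). schtasks repeats the header row at folder
# boundaries, which the parser has to skip. Nothing here is real telemetry.
SAMPLE_SCHTASKS_CSV = (
    '"HostName","TaskName","Status","Author","Task To Run","Run As User"\n'
    '"WS01","\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","Ready",'
    '"Microsoft Corporation","%windir%\\system32\\defrag.exe -c -h -o -$","SYSTEM"\n'
    '"WS01","\\Adobe Acrobat Update Task","Ready","Adobe Systems Incorporated",'
    '"""C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe"" /update","INTERACTIVE"\n'
    '"HostName","TaskName","Status","Author","Task To Run","Run As User"\n'
    '"WS01","\\Microsoft\\Windows\\UpdateCheck","Ready","WS01\\Administrator",'
    '"C:\\ProgramData\\Microsoft\\Sync\\svchost.exe","SYSTEM"\n'
)

# Assumption: binaries under these trees are treated as expected; anything
# else (ProgramData, AppData, Temp, user profiles) gets reviewed.
TRUSTED_PREFIXES = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)


def parse_schtasks_csv(text: str) -> List[Dict[str, str]]:
    """Parse schtasks CSV output into one dict per task, dropping repeated headers."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        if row["TaskName"] == "TaskName":  # header row repeated by schtasks
            continue
        rows.append(row)
    return rows


def executable_path(task_to_run: str) -> str:
    """Extract the executable from a 'Task To Run' value, which may be a quoted
    path followed by arguments or an unquoted path with arguments."""
    s = task_to_run.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s.strip('"')
    idx = s.lower().find(".exe")
    if idx != -1:
        return s[: idx + 4]
    return s.split(" ", 1)[0]


def normalize_path(path: str) -> str:
    """Lower-case and expand the environment variables schtasks commonly shows."""
    p = path.lower()
    for var, value in (("%systemroot%", "c:\\windows"), ("%windir%", "c:\\windows")):
        p = p.replace(var, value)
    return p


def is_trusted_location(exe: str) -> bool:
    return normalize_path(exe).startswith(TRUSTED_PREFIXES)


def suspicious_tasks(text: str) -> List[Dict[str, str]]:
    """Return tasks whose action runs a binary outside the trusted trees."""
    hits = []
    for row in parse_schtasks_csv(text):
        exe = executable_path(row["Task To Run"])
        if not is_trusted_location(exe):
            hits.append({
                "task": row["TaskName"],
                "exe": exe,
                "user": row["Run As User"],
                "author": row["Author"],
            })
    return hits


if __name__ == "__main__":
    # On a live host, replace SAMPLE_SCHTASKS_CSV with the captured command output.
    for hit in suspicious_tasks(SAMPLE_SCHTASKS_CSV):
        print(f"{hit['task']} -> {hit['exe']} (runs as {hit['user']}, author {hit['author']})")
```

A task named like a built-in Microsoft task but authored by a local account and launching from ProgramData is exactly the kind of entry this surfaces; treat the hit list as a triage queue, not a verdict, since some legitimate software installs tasks outside Program Files.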

Command and Control Infrastructure

BRICKSTORM’s command and control (C2) architecture is particularly sophisticated, employing multiple layers to evade detection:

1. DNS over HTTPS (DoH): The malware resolves its C2 servers through DoH, so the lookups travel inside HTTPS on port 443 and never appear in conventional DNS monitoring of port 53 traffic. It leverages multiple public DoH providers, including Quad9, NextDNS, Cloudflare, and Google.

2. Multi-Layered TLS Encryption: BRICKSTORM establishes a three-tiered TLS encryption scheme:

– Initial connection to serverless providers like Cloudflare Workers or Heroku over HTTPS.

– Upgrade to WebSockets, establishing a nested TLS connection within the first.

– A third layer of TLS encryption is initiated when operators issue commands.

This intricate setup makes it challenging to distinguish malicious traffic from legitimate network activity. Because the outer TLS session terminates at a provider that also carries legitimate traffic, the destination IP and SNI seen at the network edge belong to Cloudflare or Heroku rather than to the attacker, and the nested sessions inside the WebSocket are opaque to inspection.
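Only the outermost layer of this C2 path is visible to egress monitoring, but two pieces of it are observable in ordinary proxy logs: the DoH request that precedes the connection, and the WebSocket upgrade to a serverless hosting domain. The following is an added example, not code from the article or from the researchers who analysed the malware. It runs both detections over constructed JSON proxy records in a hypothetical field layout, then escalates hosts that show the DoH-then-WebSocket sequence described above. The field names, the asset-role inventory, the hostnames in the sample, and the serverless domain suffixes are all assumptions to adapt to your own environment.

```python
"""Flag the observable outer layers of a BRICKSTORM-style C2 path in egress logs.

Added example (not the article's or the researchers' code). Records are
constructed JSON lines in a hypothetical proxy format; field names, asset
roles, sample hostnames and the serverless suffix list are assumptions.
"""
import json
from datetime import datetime
from typing import Dict, List

# Public DoH endpoints of the providers named in the report.
DOH_HOSTS = {"dns.quad9.net", "dns.nextdns.io", "cloudflare-dns.com",
             "one.one.one.one", "dns.google"}

# Assumption: hosting suffixes for the first C2 tier worth alerting on first.
SERVERLESS_SUFFIXES = (".workers.dev", ".herokuapp.com")

# Hypothetical asset inventory. Assumption: servers must use internal
# resolvers, so any DoH from a server is anomalous; workstations may run
# browsers that use DoH legitimately and are not flagged on that rule alone.
ASSET_ROLE = {
    "10.0.5.20": "server",       # vCenter appliance
    "10.0.5.31": "server",       # Windows file server
    "10.0.9.114": "workstation",
}

# Constructed proxy records (not real traffic, hostnames invented).
SAMPLE_LOG = """\
{"ts":"2025-01-14T08:02:11Z","src":"10.0.9.114","host":"dns.google","method":"POST","path":"/dns-query","content_type":"application/dns-message","upgrade":""}
{"ts":"2025-01-14T08:02:13Z","src":"10.0.5.20","host":"dns.quad9.net","method":"POST","path":"/dns-query","content_type":"application/dns-message","upgrade":""}
{"ts":"2025-01-14T08:02:14Z","src":"10.0.5.20","host":"update-cdn-7f3a.workers.dev","method":"GET","path":"/","content_type":"","upgrade":"websocket"}
{"ts":"2025-01-14T08:03:40Z","src":"10.0.5.31","host":"www.microsoft.com","method":"GET","path":"/","content_type":"","upgrade":""}
{"ts":"2025-01-14T08:05:02Z","src":"10.0.5.31","host":"cloudflare-dns.com","method":"GET","path":"/dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB","content_type":"","upgrade":""}
{"ts":"2025-01-14T08:05:03Z","src":"10.0.5.31","host":"reporting-sync.herokuapp.com","method":"GET","path":"/ws","content_type":"","upgrade":"websocket"}
"""


def is_doh_request(rec: Dict[str, str]) -> bool:
    """Known DoH host, or RFC 8484 shape: POST with dns-message body or GET ?dns=."""
    if rec["host"].lower() in DOH_HOSTS:
        return True
    path, _, query = rec["path"].partition("?")
    if path != "/dns-query":
        return False
    if rec["method"] == "POST" and rec["content_type"] == "application/dns-message":
        return True
    return rec["method"] == "GET" and "dns=" in query


def is_serverless_websocket(rec: Dict[str, str]) -> bool:
    """WebSocket upgrade to a serverless hosting domain (outer C2 layer)."""
    return (rec["upgrade"].lower() == "websocket"
            and rec["host"].lower().endswith(SERVERLESS_SUFFIXES))


def analyze(log_text: str, roles: Dict[str, str]) -> List[Dict[str, str]]:
    """Apply both rules to each record and return findings with the source and time."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        role = roles.get(rec["src"], "unknown")
        if is_doh_request(rec) and role == "server":
            findings.append({"src": rec["src"], "rule": "doh_from_server",
                             "host": rec["host"], "ts": rec["ts"]})
        if is_serverless_websocket(rec):
            findings.append({"src": rec["src"], "rule": "websocket_to_serverless",
                             "host": rec["host"], "ts": rec["ts"]})
    return findings


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def correlate(findings: List[Dict[str, str]], window_seconds: int = 300) -> List[Dict]:
    """Escalate a source that performs a DoH lookup and then, within the window,
    opens a WebSocket to a serverless domain: the sequence the report describes."""
    by_src: Dict[str, List[Dict[str, str]]] = {}
    for f in findings:
        by_src.setdefault(f["src"], []).append(f)
    escalated = []
    for src, items in by_src.items():
        doh = [f for f in items if f["rule"] == "doh_from_server"]
        ws = [f for f in items if f["rule"] == "websocket_to_serverless"]
        for d in doh:
            for w in ws:
                delta = (_ts(w["ts"]) - _ts(d["ts"])).total_seconds()
                if 0 <= delta <= window_seconds:
                    escalated.append({"src": src, "doh_host": d["host"],
                                      "c2_host": w["host"], "seconds_apart": delta})
    return escalated


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG, ASSET_ROLE)
    for e in correlate(found):
        print(f"{e['src']}: DoH via {e['doh_host']} then WebSocket to {e['c2_host']} "
              f"({e['seconds_apart']:.0f}s apart)")
```

The two rules fire on plenty of benign traffic on their own; the escalation in `correlate` is what makes the result actionable. Neither rule sees the inner TLS layers, so a hit tells you which host to pull for forensics, not what the operators did.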

Infrastructure and Activity

The malware’s first-tier infrastructure is hosted on legitimate cloud services, which complicates detection and blocking because the same providers carry legitimate traffic. Monitoring revealed that the second-tier infrastructure is hosted on Vultr instances, which the operators inadvertently exposed during a maintenance window. BRICKSTORM’s infrastructure has been active since at least November 2022, with the same authentication keys in use throughout, indicating a well-maintained and persistent operation.

Implications and Recommendations

The deployment of BRICKSTORM underscores the evolving threat landscape posed by state-sponsored cyber actors. Organizations, especially those in strategic sectors, must enhance their cybersecurity measures to detect and mitigate such sophisticated threats. Recommendations include:

– Enhanced Monitoring: Implement comprehensive logging and monitoring to detect activity consistent with this tradecraft, such as DNS over HTTPS requests to public resolvers from servers that should use internal DNS, WebSocket connections from servers to serverless hosting platforms, and newly created scheduled tasks whose actions point at unexpected binaries.

– Network Segmentation: Segregate critical systems and networks to limit lateral movement by attackers.

– Regular Updates: Ensure all systems and devices are updated with the latest security patches to mitigate vulnerabilities.

– Access Controls: Restrict administrative access to essential personnel and implement multi-factor authentication to prevent unauthorized access.

By adopting these measures, organizations can bolster their defenses against advanced persistent threats like BRICKSTORM and safeguard their critical assets.