Oct 22, 2025

The Next-Level Threat: Defending Against BrickStorm and the 393-Day Dwell Time

A new threat campaign, codenamed BrickStorm and attributed to a China nexus group tracked as UNC5221, has security researchers sounding the alarm. This is a highly sophisticated espionage operation, and its most staggering feature is the adversary’s patience. The astonishing average time they remain inside a victim’s network before being detected is well over a year—393 days to be exact.

This signifies an evolution of tradecraft, moving from “living off the land” (LOTL) to “living off the blind spot.” This is a deliberate, meticulously planned intelligence operation in which the attacker aims to embed itself in the fabric of the organization— learning its systems and exfiltrating data slowly and carefully enough to become part of the background noise.

In the blog below, we’ll outline the targets and goals of the BrickStorm campaign, the tactics UNC5221 uses to gain access and remain hidden in its victim organizations, and finally, what organizations can do today to proactively defend against this next-level threat.

PREFER TO LISTEN?

Check out our recently released podcast episode where host Tova Dvorin and SafeBreach expert Adrian Culley unpack how BrickStorm is targeting security tool blind spots and explore the strategic implications of this new evolution in supply chain attacks. Listen now on Spotify or Apple Podcasts.


Exploiting the Blind Spot: The Attack Mechanics

BrickStorm is not a smash-and-grab ransomware attack. Its targets are highly specific: legal firms, software-as-a-service (SaaS) providers, and technology companies in the US and Europe. Its attacks are aimed at obtaining intellectual property, sensitive data, and national security/trade secrets.

The group achieves this incredible level of stealth by fundamentally understanding a blind spot in modern enterprise security: infrastructure that often cannot run traditional security tools. For example, they deliberately target:

  • VPN appliances
  • VMware vCenter servers
  • ESXi hosts

By compromising the virtualization and remote-access management plane, they sit beneath the layer where endpoint detection and response (EDR) agents and other host-based controls run. An appliance or hypervisor that cannot host an EDR agent produces no endpoint telemetry at all, so the attackers are living exactly where defenders have no visibility.

A Masterclass in Evasion

The group’s initial access point is often a zero-day vulnerability in an Internet-facing edge appliance (such as an Ivanti VPN gateway). From there, stealth and persistence are key, and they achieve them with:

  • BrickStorm Malware: The custom backdoor is written in Go (Golang), which makes it straightforward to cross-compile for the Linux and BSD-based operating systems these appliances run. The binary is named to mimic a legitimate system process, and the Garble obfuscator is used so that each sample is unique, defeating hash- and string-based signatures. The behavior is still the same, which is why the detection opportunity lies in what the implant does on the network, not in what the file looks like.
  • Delayed Activation: In one particularly insidious case, after a victim organization had begun its incident response, the group was observed deploying an implant programmed to lie dormant and begin communicating only months later. They wait out the defenders, planning to regain access long after the security team believes the network is clean. Any eradication plan therefore has to include appliance rebuilds and a long tail of egress monitoring, not just removal of the samples found during the investigation.

Credential Theft in the Shadows

Once the group has a persistent foothold, their method for lateral movement is the most instructive part of the campaign. It is credential-based: they use legitimate accounts, so nothing about their subsequent logons looks out of place. To harvest those credentials without triggering a single endpoint alert, they exploit the virtualized environment itself:

  1. From a compromised vCenter, they clone a critical virtual machine (such as a domain controller).
  2. With the clone powered off, they attach its virtual disk (VMDK) to a machine they control and copy the Active Directory database (NTDS.dit) together with the SYSTEM registry hive, which holds the boot key needed to decrypt the password hashes inside it.
  3. Nothing on the live domain controller ever sees the read. The file is pulled from the clone’s disk at the hypervisor layer, so EDR, file-access auditing and NTDS-access alerts on the production DC never fire.
  4. After copying the database, they simply delete the clone. The guest leaves no trace; the only record is in the vCenter event database and the hypervisor and datastore logs.
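The sequence above is visible if vCenter events are actually collected and correlated: a clone of a tier-0 VM, the clone’s VMDK attached to some other VM, and the clone deleted without ever being powered on. The following hunt is an added example written for this post, not code from the original article or from any vendor tool. The event records are constructed; the event type names follow vSphere’s `vim.event.*` classes, but the field layout, the tier-0 VM list and the 24-hour window are assumptions you would replace with your own inventory and SIEM schema.

```python
"""Hunt vCenter events for the offline-clone credential theft pattern:
a tier-0 VM is cloned, the clone's disk is attached to another VM and/or
the clone is deleted shortly afterwards without ever being powered on."""
from datetime import datetime, timedelta

# Constructed sample events, not real vCenter output. Event type names follow
# vSphere's vim.event.* classes; the record layout is simplified for the example.
SAMPLE_EVENTS = [
    {"time": "2025-03-01T01:02:00", "type": "VmClonedEvent",
     "user": "VSPHERE.LOCAL\\svc-backup", "vm": "DC01-clone", "source_vm": "DC01"},
    {"time": "2025-03-01T01:20:00", "type": "VmReconfiguredEvent",
     "user": "VSPHERE.LOCAL\\svc-backup", "vm": "jumpbox01",
     "disk_added": "[datastore1] DC01-clone/DC01-clone.vmdk"},
    {"time": "2025-03-01T03:10:00", "type": "VmRemovedEvent",
     "user": "VSPHERE.LOCAL\\svc-backup", "vm": "DC01-clone"},
    # Benign noise: ops clones a web server, powers it on and keeps it.
    {"time": "2025-03-02T10:00:00", "type": "VmClonedEvent",
     "user": "VSPHERE.LOCAL\\ops", "vm": "web02", "source_vm": "web01"},
    {"time": "2025-03-02T10:05:00", "type": "VmPoweredOnEvent",
     "user": "VSPHERE.LOCAL\\ops", "vm": "web02"},
]

TIER0_VMS = {"DC01", "DC02", "ADFS01"}  # assumed: domain controllers and other tier-0 guests
WINDOW = timedelta(hours=24)            # assumed: how long after the clone to keep correlating


def _ts(event):
    return datetime.fromisoformat(event["time"])


def find_offline_clone_abuse(events, tier0=TIER0_VMS, window=WINDOW):
    """Return one finding per suspicious clone of a tier-0 VM."""
    events = sorted(events, key=_ts)
    findings = []
    for i, ev in enumerate(events):
        if ev["type"] != "VmClonedEvent" or ev.get("source_vm") not in tier0:
            continue
        clone, t0 = ev["vm"], _ts(ev)
        powered_on, removed_at, mounted_by = False, None, []
        for later in events[i + 1:]:
            if _ts(later) - t0 > window:
                break
            # The clone's VMDK being attached to another VM is the offline-mount step.
            if later["type"] == "VmReconfiguredEvent" and f"{clone}/" in later.get("disk_added", ""):
                mounted_by.append(later["vm"])
                continue
            if later.get("vm") != clone:
                continue
            if later["type"] == "VmPoweredOnEvent":
                powered_on = True
            elif later["type"] == "VmRemovedEvent":
                removed_at = _ts(later)
                break
        reasons = []
        if mounted_by:
            reasons.append("clone disk attached to " + ", ".join(mounted_by))
        if removed_at is not None and not powered_on:
            minutes = int((removed_at - t0).total_seconds() // 60)
            reasons.append(f"clone deleted after {minutes} min without ever being powered on")
        if reasons:
            findings.append({
                "source_vm": ev["source_vm"], "clone": clone, "user": ev["user"],
                "severity": "high" if len(reasons) == 2 else "medium",
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in find_offline_clone_abuse(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["source_vm"], "->", f["clone"], "by", f["user"])
        for r in f["reasons"]:
            print("   -", r)
```

Two caveats. First, the same disk copy can be done on an ESXi host directly (for example over SSH with the host’s own tooling), in which case vCenter’s event database never sees a clone at all; forward the ESXi host logs as well as vCenter’s, and treat SSH being enabled on a host as its own alert. Second, the clone in the sample never powers on, which is the strongest single signal: legitimate clones for testing or backup verification are normally booted.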

Strategic Implications: Steal Today, Weaponize Tomorrow

The endgame for UNC5221 elevates their activities from a simple espionage campaign to a systemic threat. While one objective is stealing intelligence for geopolitical and economic advantage, the second, more dangerous goal is to actively steal proprietary source code and internal vulnerability information from compromised technology and SaaS vendors.

They steal the blueprints to widely used software, take them back to their labs and reverse engineer them to find new, undiscovered zero-day vulnerabilities. It is a “steal today, weaponize tomorrow” model that creates a feedback loop: each successful intrusion directly fuels the development of tools for the next one.

This is the evolution of the supply chain attack. By hitting a SaaS vendor, they gain a potential pivot point into the networks of every single one of that provider’s downstream customers. The security of thousands of organizations is suddenly dependent on the security of their single most vulnerable vendor.

Fighting the Invisible Enemy: A Proactive Defense

Against an adversary using zero-days, living in your blind spots, and moving with stolen credentials, the old model of waiting for a security alert is fundamentally broken. In this new reality, the alert may never come. The only way to defend against a silent, patient attacker is to shift from a reactive to a proactive security posture—organizations have to assume they have already been compromised and continuously hunt for these behaviors.

That is where breach and attack simulation (BAS) and Continuous Automated Red Teaming (CART) become essential. BAS allows you to answer the question, “Could this happen to us?” before it actually does, and CART takes this further by testing the entire multi-stage attack path. 

Instead of hoping your defenses work, you can take the exact TTPs used by UNC5221 and safely simulate them on your critical production assets. With the SafeBreach Exposure Validation Platform, this even includes those assets in IT/OT environments.  

For example, with BrickStorm specifically, SafeBreach would give you an understanding of: 

  • Whether you can detect the offline VM-cloning technique by correlating the right vCenter events (clone of a tier-0 VM, its disk attached elsewhere, the clone deleted) 
  • Whether your network security tools flag anomalous outbound traffic, for example DNS over HTTPS (DoH) originating from a VPN appliance that should never be doing that 
  • Whether you can spot in-memory credential theft on a vCenter server
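The second check above does not need a product to get started. Hosts that cannot run an EDR agent have a very small legitimate egress footprint, so the detection is a per-host allowlist plus a specific rule for encrypted DNS. The following triage is an added example written for this post, not code from the original article or from the SafeBreach platform. The flow records, the appliance inventory and the allowlist are constructed assumptions; the public resolver addresses are the well-known Cloudflare, Google and Quad9 endpoints, and the documentation ranges 203.0.113.0/24 and 198.51.100.0/24 stand in for external addresses.

```python
"""Egress triage for hosts that cannot run EDR: flag DNS-over-HTTPS/DNS-over-TLS
to public resolvers and any TLS egress outside a per-host allowlist.
All flow records below are constructed for the example."""
import ipaddress

# Assumed inventory of management-plane hosts, keyed by IP.
APPLIANCES = {"10.0.0.5": "vpn-gw01", "10.0.0.10": "vcenter01", "10.0.0.11": "esxi01"}

# Assumed per-host egress allowlist ("ip:port"), e.g. the vendor's update service.
EGRESS_ALLOW = {"vpn-gw01": {"203.0.113.20:443"}, "vcenter01": set(), "esxi01": set()}

# Well-known public DNS-over-HTTPS / DNS-over-TLS resolver addresses.
PUBLIC_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9", "149.112.112.112"}

# RFC 1918 space counts as internal. The sample uses documentation ranges as
# stand-in public addresses, and ipaddress.is_private() treats those as private
# too, so the check is done against explicit networks instead.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

SAMPLE_FLOWS = [  # constructed NetFlow-style records
    {"src": "10.0.0.5",  "dst": "203.0.113.20",  "dport": 443, "proto": "tcp"},  # vendor update, allowed
    {"src": "10.0.0.5",  "dst": "8.8.8.8",       "dport": 443, "proto": "tcp"},  # DoH from the VPN gateway
    {"src": "10.0.0.10", "dst": "198.51.100.77", "dport": 443, "proto": "tcp"},  # vCenter to an unknown host
    {"src": "10.0.0.11", "dst": "1.1.1.1",       "dport": 853, "proto": "tcp"},  # DoT from an ESXi host
    {"src": "10.0.0.5",  "dst": "10.0.0.53",     "dport": 53,  "proto": "udp"},  # internal DNS, fine
    {"src": "10.0.1.77", "dst": "8.8.8.8",       "dport": 443, "proto": "tcp"},  # workstation, out of scope here
]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify_flow(flow):
    """Return a finding dict for a suspicious appliance flow, or None if benign/out of scope."""
    host = APPLIANCES.get(flow["src"])
    if host is None or is_internal(flow["dst"]):
        return None
    dst, dport = flow["dst"], flow["dport"]
    if f"{dst}:{dport}" in EGRESS_ALLOW.get(host, set()):
        return None
    if dport == 853:
        severity, reason = "high", "DNS-over-TLS from appliance"
    elif dport == 443 and dst in PUBLIC_RESOLVERS:
        severity, reason = "high", "DNS-over-HTTPS to public resolver"
    elif dport == 443:
        severity, reason = "medium", "TLS egress outside allowlist"
    else:
        severity, reason = "low", "unexpected egress"
    return {"host": host, "dst": f"{dst}:{dport}", "severity": severity, "reason": reason}


def triage(flows):
    """Run every flow through classify_flow and keep only the findings."""
    return [f for f in (classify_flow(flow) for flow in flows) if f is not None]


if __name__ == "__main__":
    for f in triage(SAMPLE_FLOWS):
        print(f"{f['severity']:<6} {f['host']:<10} -> {f['dst']:<20} {f['reason']}")
```

The resolver list only catches the obvious case; an implant can just as easily use a DoH endpoint that is not on it, which is why the allowlist-based “TLS egress outside allowlist” finding is the one that matters over a 393-day horizon. If your sensors export TLS SNI, add it to the record and alert on resolver hostnames as well as addresses.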

Next-Level Threats Deserve Next-Level Defense

Against a next-level threat like BrickStorm, you need to move to a next-level proactive defense. You can’t defend against what you don’t test. Proving your defenses work is the only viable strategy. The SafeBreach Exposure Validation Platform shines a light on the blind spots BrickStorm is exploiting, giving you empirical data on where your security controls are effective, and more importantly, where they fail against this specific threat. So, you don’t have to wait 393 days to find out you have a gap. You find it today with a detailed report and exact instructions on how to fix it.

Are you confident that your security stack can detect an attacker that is “living off your blind spots?” Check out the SafeBreach Exposure Validation Platform solution brief, then schedule a personalized demo to see how it can help you begin building resilience against the BrickStorm campaign.
