US and Canadian cyber agencies warn of Brickstorm malware used for persistent access into critical infrastructure networks.

Chinese-Linked Hackers Used ‘Brickstorm’ Backdoor for Long-Term Access, Say US and Canada

The420.in Staff

Washington/Ottawa | U.S. and Canadian cybersecurity authorities have issued a joint warning that Chinese-linked threat actors deployed a sophisticated backdoor malware—codenamed “Brickstorm”—to infiltrate and maintain persistent access within multiple government and information-technology networks. Officials cautioned that the operation poses a serious threat to critical infrastructure and could enable long-term disruption or sabotage.

The advisory—released by the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA) and the Canadian Centre for Cyber Security—details how state-sponsored actors embedded themselves inside sensitive networks across North America and beyond.

“Embedding for Long-Term Access, Disruption and Sabotage” — U.S. Agencies

CISA Acting Director Madhu Gottumukkala said the China-linked groups are “deeply compromising sensitive networks and positioning themselves for extended access,” creating the potential to disrupt essential services or execute targeted sabotage.

According to the advisory, Brickstorm enables attackers to:

  • Steal login credentials
  • Exfiltrate sensitive data
  • Gain administrative-level control over compromised systems

Cyber analysts warn the malware can remain hidden for months or even years, allowing covert surveillance and carefully staged disruption.


China Denies Involvement: “No Evidence Presented”

Responding to the advisory, the Chinese embassy in Washington rejected the allegations. Spokesperson Liu Pengyu stated that China “does not encourage, support or tolerate cyberattacks,” describing the claims as “irresponsible” and “unsupported by facts.”

Liu added that neither U.S. nor Canadian authorities had submitted formal complaints or provided concrete evidence linking China to the activities described.

Hackers Remained Active From 2024 to Late 2025

The advisory reveals that at least one intrusion began in April 2024 and persisted undetected until September 2025, underscoring the attackers’ long-term presence.

CISA Executive Assistant Director for Cybersecurity Nick Andersen said agencies would not disclose how many organizations were affected or what actions attackers took once inside networks, citing security sensitivities.

Investigators identified eight distinct Brickstorm variants from separate victims, indicating a wide operational footprint.

VMware vSphere Servers Targeted

Technical findings show that attackers exploited VMware vSphere, a core platform used to manage virtual machines and data-centre environments.

Broadcom, VMware’s parent company, confirmed awareness of Brickstorm-related incidents. A spokesperson noted that the malware was deployed after attackers gained unauthorized access and urged customers to:

  • Apply the latest patches
  • Enable strong authentication
  • Follow enhanced security best practices

Google Confirms Intrusions Across Multiple Industries

Google’s Threat Analysis Group (TAG) previously linked Brickstorm to intrusions affecting:

  • Law firms
  • Software developers
  • Technology service providers
  • Business-process outsourcing companies

TAG analysts said the attackers went beyond espionage, using access to identify new vulnerabilities and establish pivot points to expand into additional networks.

Beyond Espionage: Strategic Sabotage Risk

U.S. officials stress that Brickstorm represents more than intelligence collection. Its stealth, persistence and depth of access raise the risk of coordinated operational disruption against high-value targets.

Organizations were urged to strengthen defenses by:

  • Rapidly deploying security patches
  • Enforcing multi-factor authentication
  • Continuously monitoring networks
  • Performing advanced log analysis and anomaly detection
  • Reviewing remote-access policies

Experts say the Brickstorm campaign highlights the geopolitical stakes of cybersecurity and exposes strategic vulnerabilities woven into global technology infrastructure.
