Skip to content
You can now search across every topic, entity and event.What's new
Mandiant
OrganisationUS

Mandiant

Google Cloud threat intelligence and IR firm; authors M-Trends; tracks state-sponsored APTs.

Last refreshed: 8 May 2026 · Appears in 1 active topic

Key Question

How did Mandiant track an attack that hid for 393 days inside enterprise servers?

Timeline for Mandiant

#108 Jul
#818 Jun

Mentioned in: Splunk lands its first-ever KEV entry

Cybersecurity: Threats and Defences
#79 Jun
#411 May

Published attribution naming UNC6780 as the Cisco repository breach operator

Cybersecurity: Threats and Defences: UNC6780 takes Cisco AI Defense source code
#411 May

Confirmed @shadanai/openclaw and @qqbrowser/openclaw-qbot as additional WAVESHAPER.V2 distribution vectors

Cybersecurity: Threats and Defences: UNC1069 expands the npm WAVESHAPER supply chain
View full timeline →
Common Questions
Who is UNC1069 and what did they do to Axios?
UNC1069 is a North Korea-nexus threat actor tracked by Mandiant and Google GTIG. In March 2026 they phished an Axios npm package maintainer and introduced a malicious dependency (plain-crypto-js) into two Axios versions with a combined 180+ million weekly downloads, deploying the WAVESHAPER.V2 backdoor.Source: Google GTIG / Mandiant
What did Mandiant find in its 2026 security report?
Mandiant's M-Trends 2026 documented a 393-day average dwell time for UNC5221's BRICKSTORM campaign targeting US and UK legal services, BPOs and tech firms. It also flagged Recovery Denial tactics (ransomware attacks on backup infrastructure) as a growing trend.Source: Mandiant M-Trends 2026
How does Mandiant attribute cyberattacks to nation states?
Mandiant uses a combination of technical indicators (malware families, tooling, infrastructure reuse), incident-response telemetry from client engagements, and signals intelligence partnerships. Threat clusters are tracked under 'UNC' prefixes until attribution confidence is sufficient for a named APT designation.Source: Mandiant

Background

Mandiant is one of the most-cited threat intelligence and Incident Response firms globally, with a reputation built on attribution of advanced persistent threat groups and large-scale breach investigations. Its M-Trends annual report is the largest single synthesis of real-world incident-response data in the public domain, drawing on hundreds of thousands of IR engagement hours. Google acquired Mandiant in 2022 for $5.4 billion, integrating it into Google Cloud's Chronicle security platform. Mandiant continues to publish independent threat intelligence under its own brand within the Google Threat Intelligence Group (GTIG).

Mandiant's M-Trends 2026, based on over 500,000 Incident Response hours, documented the BRICKSTORM campaign by UNC5221: a 393-day average dwell time in UK and US legal services, BPOs and tech firms, achieved through ESXi and vCenter implants relayed via legitimate cloud platforms. Mandiant's original CitrixBleed 2023 investigation is also the authoritative technical account of the exploit PATH that CitrixBleed 3 reproduces.

In May 2026, Google Threat Intelligence Group and Mandiant jointly disclosed that North Korea-nexus actor UNC1069 phished an Axios npm package maintainer to introduce malicious dependency plain-crypto-js into two widely-distributed Axios versions, each with 80–100 million weekly downloads. The backdoor, WAVESHAPER.V2, was cross-platform and live for under three hours before detection. The attribution reflects Mandiant's continuing strength in nation-state supply-chain tracking within the GTIG umbrella. For the wider security market, Mandiant's reporting sets the detection and response benchmark: the 393-day BRICKSTORM dwell metric is now the reference figure for any enterprise lacking ESXi telemetry coverage.

More questions
Does Google own Mandiant?
Yes. Google acquired Mandiant in 2022 for $5.4 billion and integrated it into Google Cloud as part of the Google Threat Intelligence Group (GTIG). Mandiant continues to publish independent threat intelligence reports including the annual M-Trends series.