
Mandiant
Google Cloud threat intelligence and IR firm; authors M-Trends; tracks state-sponsored APTs.
Last refreshed: 8 May 2026
How did Mandiant track an attack that hid for 393 days inside enterprise servers?
Timeline for Mandiant
- Published attribution report on 11 May 2026 documenting AI-generated zero-day and AI-augmented threat clusters (topic: GTIG names the first LLM-written working zero-day)
- Published attribution naming UNC6780 as the Cisco repository breach operator (topic: UNC6780 takes Cisco AI Defense source code)
- Mentioned in: RansomHouse posts Trellix internal screenshots as extortion leverage
- Confirmed @shadanai/openclaw and @qqbrowser/openclaw-qbot as additional WAVESHAPER.V2 distribution vectors (topic: UNC1069 expands the npm WAVESHAPER supply chain)
- Named UNC6780 as the operator behind the LiteLLM intrusion and documented the 36-hour exploitation window (topic: LiteLLM SQL injection hits in 36 hours)

- What did Mandiant find in its 2026 security report?
- Mandiant's M-Trends 2026 documented a 393-day average dwell time for UNC5221's BRICKSTORM campaign targeting US and UK legal services, BPOs and tech firms. It also flagged Recovery Denial tactics (ransomware attacks on backup infrastructure) as a growing trend. Source: Mandiant M-Trends 2026
- Does Google own Mandiant?
- Yes. Google acquired Mandiant in 2022 for $5.4 billion and integrated it into Google Cloud as part of the Google Threat Intelligence Group (GTIG). Mandiant continues to publish independent threat intelligence reports including the annual M-Trends series.
- What did Mandiant find in its M-Trends 2026 report?
- Mandiant's M-Trends 2026 documented a 393-day average dwell time for UNC5221's BRICKSTORM campaign targeting US and UK legal services, BPOs and tech firms via ESXi and vCenter implants. It also flagged Recovery Denial ransomware tactics targeting backup infrastructure. Source: Mandiant M-Trends 2026
- Who is UNC1069 and what did they do to Axios?
- UNC1069 is a North Korea-nexus threat actor tracked by Mandiant and Google GTIG. In March 2026 they phished an Axios npm package maintainer and introduced a malicious dependency (plain-crypto-js) into two Axios versions with a combined 180+ million weekly downloads, deploying the WAVESHAPER.V2 backdoor. Source: Google GTIG / Mandiant
- How does Mandiant attribute cyberattacks to nation states?
- Mandiant uses a combination of technical indicators (malware families, tooling, infrastructure reuse), incident-response telemetry from client engagements, and signals intelligence partnerships. Threat clusters are tracked under 'UNC' prefixes until attribution confidence is sufficient for a named APT designation. Source: Mandiant
Background
Mandiant is one of the most-cited threat intelligence and incident response firms globally, with a reputation built on attribution of advanced persistent threat groups and large-scale breach investigations. Its M-Trends annual report is the largest single synthesis of real-world incident-response data in the public domain, drawing on hundreds of thousands of IR engagement hours. Google acquired Mandiant in 2022 for $5.4 billion, integrating it into Google Cloud's Chronicle security platform. Mandiant continues to publish independent threat intelligence under its own brand within the Google Threat Intelligence Group (GTIG).
Mandiant's M-Trends 2026, based on over 500,000 incident response hours, documented the BRICKSTORM campaign by UNC5221: a 393-day average dwell time in UK and US legal services, BPOs and tech firms, achieved through ESXi and vCenter implants relayed via legitimate cloud platforms. Mandiant's original CitrixBleed 2023 investigation is also the authoritative technical account of the exploit path that CitrixBleed 3 reproduces.
In May 2026, Google Threat Intelligence Group and Mandiant jointly disclosed that North Korea-nexus actor UNC1069 phished an Axios npm package maintainer to introduce the malicious dependency plain-crypto-js into two widely distributed Axios versions, each with 80–100 million weekly downloads. The backdoor, WAVESHAPER.V2, was cross-platform and live for under three hours before detection. The attribution reflects Mandiant's continuing strength in nation-state supply-chain tracking within the GTIG umbrella. For the wider security market, Mandiant's reporting sets the detection and response benchmark: the 393-day BRICKSTORM dwell metric is now the reference figure for any enterprise lacking ESXi telemetry coverage.