Skip to content
You can now search across every topic, entity and event.What's new
Cybersecurity: Threats and Defences
8MAY

BRICKSTORM dwell hits 393 days, Mandiant

3 min read
10:57UTC

Mandiant's M-Trends 2026 set the China-nexus benchmark at a 393-day average dwell inside VMware hypervisors. The telemetry built for malware does not see it.

TechnologyAssessed
Key takeaway

China-nexus attackers are averaging over a year of undetected access inside the virtualisation layer.

Mandiant, the Google-owned incident-response firm, published its annual M-Trends 2026 report this month based on more than 500,000 hours of incident response, disclosing a 393-day average undetected dwell time for UNC5221's BRICKSTORM campaign 1. UNC5221 is a China-nexus espionage cluster; BRICKSTORM is a Go-language backdoor that lives on VMware vCenter and ESXi hosts, the management plane and the hypervisor of most enterprise virtualisation estates. The primary targets are US and UK legal services, Business Process Outsourcers (BPOs, firms that run back-office operations on behalf of clients), Software-as-a-Service (SaaS) providers and technology companies.

The tradecraft bypasses classic endpoint telemetry entirely. A companion servlet filter called BRICKSTEAL captures the vCenter Hypertext Transfer Protocol (HTTP) Basic Authentication credentials used by administrators; domain-controller virtual machines are cloned at the hypervisor layer for offline credential extraction; and mailbox access is achieved through legitimate Microsoft Entra Identity (Entra ID) Enterprise Apps granted the `mail.read` or `full_access_as_app` permission scopes. Command-and-control traffic is relayed through Cloudflare Workers and Heroku, meaning blocklist-based network defences see benign cloud traffic rather than known-bad infrastructure.

The 393-day figure is a calibration point. Any enterprise whose detection-to-eviction time exceeds that number is performing below the observed China-nexus median attacker advantage. For London legal-sector incident-response leads in particular, the benchmark sits uncomfortably close to the reality of a firm that runs a six-month threat-hunt cycle and processes no hypervisor-level forensic data between cycles. EDR sensors, designed to catch malware running on laptops and servers, see nothing at the ESXi layer because they are not installed there.

Deep Analysis

In plain English

UNC5221 is a Chinese hacking group that broke into the infrastructure layer of organisations' computer systems: specifically, the software that runs virtual machines. Think of it as breaking into the machine room that controls all the offices in a building, rather than breaking into the offices themselves. The group spent an average of 393 days inside victims' systems before being detected. During that time, they copied credentials, cloned domain controller virtual machines for offline analysis, and accessed email accounts through permissions they had quietly granted themselves. Mandiant, the Google-owned threat intelligence firm, revealed this in their annual M-Trends 2026 report, which is based on over 500,000 hours of incident response work. The affected organisations were primarily US and UK law firms, business services companies, and technology providers.

Deep Analysis
Root Causes

VMware vCenter and ESXi are the hypervisor management plane for virtualised enterprise environments. Compromising them gives an attacker a god's-eye view of all virtual machines without touching any of them directly. Standard endpoint security agents run inside virtual machines; they cannot monitor the hypervisor layer that controls them.

The use of Cloudflare Workers and Heroku as command-and-control relays exploits a structural limitation of network monitoring: both platforms serve legitimate traffic for millions of organisations, making their domain names and IP ranges uncategorisable as malicious by conventional threat-intelligence feeds. Blocking them would break legitimate business applications.

What could happen next?
  • Risk

    Any enterprise whose detection and response time is shorter than 393 days but whose vCenter and ESXi logging retention is less than 393 days cannot determine retrospectively whether it was compromised by this campaign.

  • Consequence

    UK law firms and business process outsourcers handling confidential client data face regulatory obligations under both GDPR and professional privilege rules if BRICKSTORM intrusions are retrospectively discovered during incident reviews triggered by this advisory.

First Reported In

Update #1 · Stryker MDM wipe exposes identity perimeter

Google Cloud / Mandiant· 17 Apr 2026
Read original
Causes and effects
This Event
BRICKSTORM dwell hits 393 days, Mandiant
The China-nexus attacker median advantage is now more than a year of undetected access inside legal firms, BPOs and SaaS providers.
Different Perspectives
UK managed service providers and data centre operators
UK managed service providers and data centre operators
Newly brought into critical-infrastructure scope by the Cyber Security and Resilience Bill's Lords second reading, facing fines up to £17m or 4% of global turnover and a new near-miss reporting duty they did not previously carry. The sector moves from best-practice guidance to statutory exposure within this Parliamentary session.
Threat-intelligence industry
Threat-intelligence industry
SOCRadar's confirmation that one operator sits on two ransomware crews' negotiation panels, following Bitdefender's affiliate-overlap flag six weeks earlier, gives the sector its second independent data point that brand-based tracking undercounts shared access. The firms doing this work are shifting language from named-group attribution toward access-broker mapping.
FSB Centre 16
FSB Centre 16
Named by NCSC as running an SNMP-hijacking campaign against communications, energy, healthcare, defence and financial-services operators, harvesting device data and reconfiguring routers through a decades-old plaintext-authentication protocol. The campaign runs in parallel to, not in place of, the GRU's separate DNS-hijacking operation named in April.
CISA
CISA
CISA's Known Exploited Vulnerabilities catalogue added seven CVEs between 5 and 14 July, none from a headline security vendor, capped by the 18-year-old Cisco IOS bug CVE-2008-4128. BOD 26-04's risk-tiered listing rules make that slowdown as much a policy artefact as a threat-intensity read.
Nidec
Nidec
Nidec faces a $2m demand from Blackfield after the crew breached a server at its supplier Chaun Choung Technology rather than Nidec's own network. The attack reached Nidec's data without touching its own perimeter at all, the same supply-chain route World Leaks used against Tata Electronics.
Tata Electronics
Tata Electronics
Tata Electronics restricted remote access to its purchase-order systems and hired a forensic consultant after World Leaks posted 630GB of its files, including purported Apple and Tesla design material, to a leak site. The exposed value sits on its customers' balance sheets, not its own, which is what makes it hard to price.