Cybersecurity: Threats and Defences
7 Jun, 10:08 UTC · 3 min read

Mandiant's M-Trends 2026 set the China-nexus benchmark at a 393-day average dwell inside VMware hypervisors. The telemetry built for malware does not see it.

Technology · Assessed
Key takeaway

China-nexus attackers are averaging over a year of undetected access inside the virtualisation layer.

Mandiant, the Google-owned incident-response firm, published its annual M-Trends 2026 report this month, based on more than 500,000 hours of incident response, disclosing a 393-day average undetected dwell time for UNC5221's BRICKSTORM campaign [1]. UNC5221 is a China-nexus espionage cluster; BRICKSTORM is a Go-language backdoor that lives on VMware vCenter and ESXi hosts, the management plane and the hypervisor of most enterprise virtualisation estates. The primary targets are US and UK legal services, Business Process Outsourcers (BPOs, firms that run back-office operations on behalf of clients), Software-as-a-Service (SaaS) providers and technology companies.

The tradecraft bypasses classic endpoint telemetry entirely. A companion servlet filter called BRICKSTEAL captures the vCenter Hypertext Transfer Protocol (HTTP) Basic Authentication credentials used by administrators; domain-controller virtual machines are cloned at the hypervisor layer for offline credential extraction; and mailbox access is achieved through legitimate Microsoft Entra ID Enterprise Apps granted the `mail.read` or `full_access_as_app` permission scopes. Command-and-control traffic is relayed through Cloudflare Workers and Heroku, so blocklist-based network defences see benign cloud traffic rather than known-bad infrastructure.

The 393-day figure is a calibration point. Any enterprise whose detection-to-eviction time exceeds that number is performing below the observed China-nexus median attacker advantage. For London legal-sector incident-response leads in particular, the benchmark sits uncomfortably close to the reality of a firm that runs a six-month threat-hunt cycle and processes no hypervisor-level forensic data between cycles. EDR sensors, designed to catch malware running on laptops and servers, see nothing at the ESXi layer because they are not installed there.

Deep Analysis

In plain English

UNC5221 is a Chinese hacking group that broke into the infrastructure layer of organisations' computer systems: specifically, the software that runs virtual machines. Think of it as breaking into the machine room that controls all the offices in a building, rather than breaking into the offices themselves. The group spent an average of 393 days inside victims' systems before being detected. During that time, they copied credentials, cloned domain controller virtual machines for offline analysis, and accessed email accounts through permissions they had quietly granted themselves. Mandiant, the Google-owned threat intelligence firm, revealed this in their annual M-Trends 2026 report, which is based on over 500,000 hours of incident response work. The affected organisations were primarily US and UK law firms, business services companies, and technology providers.

Root Causes

VMware vCenter and ESXi are the hypervisor management plane for virtualised enterprise environments. Compromising them gives an attacker a god's-eye view of all virtual machines without touching any of them directly. Standard endpoint security agents run inside virtual machines; they cannot monitor the hypervisor layer that controls them.

The use of Cloudflare Workers and Heroku as command-and-control relays exploits a structural limitation of network monitoring: both platforms serve legitimate traffic for millions of organisations, making their domain names and IP ranges uncategorisable as malicious by conventional threat-intelligence feeds. Blocking them would break legitimate business applications.

What could happen next?
  • Risk: Any enterprise whose detection and response time is shorter than 393 days but whose vCenter and ESXi logging retention is less than 393 days cannot determine retrospectively whether it was compromised by this campaign.
  • Consequence: UK law firms and business process outsourcers handling confidential client data face regulatory obligations under both GDPR and professional privilege rules if BRICKSTORM intrusions are retrospectively discovered during incident reviews triggered by this advisory.
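Two of the points above can be checked from the tenant side: the Enterprise-App mail permissions the campaign relies on, and whether the grants that exist are older than the logs that would explain them (the same retention-versus-dwell gap the 393-day figure exposes at the hypervisor). The following is an added example written for this briefing, not code from Mandiant, Google or Microsoft. It assumes app-role grants have already been exported from the tenant with each appRoleId resolved to its permission name; the record layout, app names, ids, the 30-day retention default and the review date are all constructed for the example.

```python
"""Audit Entra ID enterprise-app mail permissions against audit-log retention.

Added example for this briefing, not code from Mandiant, Google or Microsoft.
Assumes app-role grants have been pulled from the tenant and the appRoleId
resolved to its permission name (e.g. "Mail.Read"); the records below are
constructed sample data, not real tenant output.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Application permissions that give an app tenant-wide mailbox access.
# Compared case-insensitively: Graph reports "Mail.Read" while the briefing
# writes "mail.read"; full_access_as_app is the Exchange Online app permission.
WATCHED_PERMISSIONS = frozenset({"mail.read", "mail.readwrite", "full_access_as_app"})


@dataclass(frozen=True)
class AppRoleGrant:
    """One application permission granted to a service principal."""
    principal_name: str      # Enterprise App display name
    principal_id: str        # service principal object id (constructed here)
    resource_name: str       # API the permission belongs to
    permission: str          # resolved app role value, e.g. "Mail.Read"
    created: datetime        # when the grant was added (UTC)


@dataclass(frozen=True)
class Finding:
    principal_name: str
    principal_id: str
    permission: str
    age_days: int            # days since the grant was created
    recent: bool             # created inside the review window


def audit_mail_grants(grants, now, recent_window=timedelta(days=30)):
    """Return a Finding for every grant of a watched mailbox permission."""
    findings = []
    for g in grants:
        if g.permission.lower() not in WATCHED_PERMISSIONS:
            continue
        age = now - g.created
        findings.append(Finding(
            principal_name=g.principal_name,
            principal_id=g.principal_id,
            permission=g.permission,
            age_days=age.days,
            recent=age <= recent_window,
        ))
    return findings


def beyond_retention(findings, retention_days):
    """Findings whose grant predates audit-log retention.

    For these the tenant cannot reconstruct from its own logs who added the
    permission or what the app read first; that question needs an external
    evidence source or a clean rebuild rather than a log search.
    """
    return [f for f in findings if f.age_days > retention_days]


# Constructed sample grants: names, ids and dates are made up for the example.
SAMPLE_GRANTS = [
    AppRoleGrant("Mailbox Backup Connector", "sp-0001", "Microsoft Graph",
                 "Mail.Read", datetime(2025, 4, 1, tzinfo=timezone.utc)),
    AppRoleGrant("HR Sync", "sp-0002", "Microsoft Graph",
                 "User.Read.All", datetime(2025, 9, 14, tzinfo=timezone.utc)),
    AppRoleGrant("Ticketing Bridge", "sp-0003", "Office 365 Exchange Online",
                 "full_access_as_app", datetime(2026, 5, 25, tzinfo=timezone.utc)),
    AppRoleGrant("Finance Reporting", "sp-0004", "Microsoft Graph",
                 "Mail.ReadWrite", datetime(2026, 1, 10, tzinfo=timezone.utc)),
]

# Review date pinned to the briefing's date so the day counts are reproducible.
REVIEW_DATE = datetime(2026, 6, 7, tzinfo=timezone.utc)

# Assumed audit-log retention; substitute the tenant's actual setting.
ASSUMED_RETENTION_DAYS = 30


def run_review(grants=SAMPLE_GRANTS, now=REVIEW_DATE, retention_days=ASSUMED_RETENTION_DAYS):
    """Flag watched grants, then split off those older than log retention."""
    findings = audit_mail_grants(grants, now)
    return findings, beyond_retention(findings, retention_days)


if __name__ == "__main__":
    found, stale = run_review()
    for f in found:
        flag = "NEW " if f.recent else "    "
        print(f"{flag}{f.principal_name:26} {f.permission:18} {f.age_days:4d} days old")
    print(f"{len(stale)} grant(s) predate the {ASSUMED_RETENTION_DAYS}-day audit-log retention")
```

Run against the sample data, the review flags three of the four apps and marks the Ticketing Bridge grant as recent; with the assumed 30-day retention two of the three grants are already unexplainable from logs, and even a 393-day retention would still leave the oldest one beyond reach, which is the comparison the dwell benchmark invites.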

First Reported In

Google Cloud / Mandiant · 17 Apr 2026
Causes and effects
This event: BRICKSTORM dwell hits 393 days, Mandiant. The China-nexus attacker median advantage is now more than a year of undetected access inside legal firms, BPOs and SaaS providers.
Different Perspectives
Australian Cyber Security Centre (ACSC)
Australia's 18 of 95 May ransomware victims, nearly 19 per cent of global disclosed attacks against 0.3 per cent of global GDP, reflect end-of-life Windows Server concentration in healthcare, under-resourced national incident-response capacity, and time-zone isolation that slows vendor-assisted containment during peak attack windows.
Europol / international law enforcement
Operation Saffron's 27-country coordination set a new geographic breadth record for criminal-infrastructure seizure. The absence of an arrest alongside the server seizures limits durable impact: VPNLab.net and DoubleVPN precedents show gangs reconstitute on alternative hosts within two to four weeks.
UK Parliament (Cyber Security and Resilience Bill)
The Bill reaches Commons Report Stage on 10 June with penalties up to 4 per cent of global turnover. Qilin's NHS Synnovis attack in June 2024 and INC_RANSOM's Stuga Machinery posting on 5 June give the legislation a domestic evidence base connecting KEV-class exposure directly to UK CNI and supply-chain targeting.
German BSI / EU enterprise operator perspective
The 17-month lag between Oracle's January 2024 WebLogic patch and active exploitation confirms that CVSS 7.5 keeps a flaw below emergency-patch thresholds in most programmes, even when T3/IIOP exploitation is a documented recurring chain. BSI's T3/IIOP disablement guidance offers a network-layer mitigation that survives Oracle's quarterly patch cycle without requiring unscheduled downtime.
ENISA / EU cybersecurity regulator
NIS360's risk-zone designations for water and rail, following NCAF 2.0 in April, give member-state authorities a documented enforcement basis under NIS2. Fine ceilings at EUR 10 million cover essential entities; sub-threshold municipal water operators fall outside that scope, so designation without sector-level funding creates a perverse incentive to defer rather than remediate.
US federal CISO (FCEB agency)
Four staggered June deadlines covered WebLogic middleware, Linux containers, Android device fleets and Magento storefronts in a single fortnight, forcing triage that exposes whichever stack ranks lowest. CISA's proposed $707 million budget cut alongside this enforcement acceleration creates a direct credibility gap: the mandate grows while the capacity to sustain it shrinks.