
    Chinese hackers reportedly targeting government entities using ‘Brickstorm’ malware

    Advanced Malware Attack Linked to China Compromises Government and Tech Entities

    A sophisticated cyber attack, reportedly originating from China, has successfully infiltrated several government and tech organizations, leveraging advanced malware to gain unauthorized access. According to a report by Reuters, cybersecurity agencies in the US and Canada have confirmed the attack, which utilized a backdoor known as “Brickstorm” to target entities using the VMware vSphere cloud computing platform. This platform is widely used for virtualization and cloud infrastructure management, making it a prime target for malicious actors seeking to exploit vulnerabilities.

    Technical Details of the Attack

    The Canadian Centre for Cyber Security published a detailed report on December 4, outlining the tactics, techniques, and procedures (TTPs) employed by the attackers. The report reveals that PRC state-sponsored hackers maintained “long-term persistent access” to an unnamed victim’s internal network, allowing them to steal credentials, manipulate sensitive files, and create “rogue, hidden VMs” (virtual machines). This level of access enabled the attackers to operate undetected, potentially exfiltrating sensitive data and disrupting critical operations. The attack is believed to have begun as early as April 2024 and persisted until at least September of this year.

    Collaborative Efforts to Mitigate the Threat

    The malware analysis report, a collaborative effort between the Canadian Cyber Centre, the Cybersecurity and Infrastructure Security Agency (CISA), and the National Security Agency (NSA), highlights the importance of international cooperation in combating cyber threats. The report cites eight different Brickstorm malware samples, demonstrating the complexity and variability of the attack. While the exact number of organizations targeted or compromised remains unclear, the report serves as a critical warning for entities using the VMware vSphere platform to prioritize security updates and vigilance.

    Response and Recommendations

    In response to the alleged hack, a spokesperson for Broadcom, the owner of VMware vSphere, encouraged customers to download the latest security patches to protect against the Brickstorm malware. This advice is echoed by the Google Threat Intelligence Group, which published a report on Brickstorm in September, urging organizations to “reevaluate their threat model for appliances and conduct hunt exercises” against specified threat actors. By taking proactive measures and staying informed about emerging threats, organizations can significantly reduce their risk of falling victim to sophisticated cyber attacks like Brickstorm.
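The agency report above describes attackers creating rogue, hidden VMs on a compromised vSphere environment, and the Google Threat Intelligence Group advises running hunt exercises. One concrete hunt a defender can run is to cross-check the VMs registered in the vCenter inventory against the VM configuration files (.vmx) actually present on the datastores, flagging any that are unregistered. The following Python is an added, illustrative example written for this article; it is not code from the Canadian Cyber Centre, CISA, NSA, Broadcom or Google, and the inventory and datastore listings it uses are constructed sample data standing in for what a real export would contain.

```python
"""Hunt for .vmx files present on a datastore but absent from the vCenter
inventory. Added illustrative example for this article (not the agencies'
or vendor's code). All inventory/datastore data below is constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class RegisteredVM:
    """One VM as it appears in the vCenter inventory (constructed shape)."""
    name: str
    vmx_path: str  # datastore-relative path, e.g. "[datastore1] web01/web01.vmx"


# Matches the "[datastore] folder/file.vmx" form used by vSphere datastore paths.
_VMX_RE = re.compile(r"^\[(?P<ds>[^\]]+)\]\s*(?P<rel>.+\.vmx)$", re.IGNORECASE)


def normalize_vmx_path(path: str) -> str:
    """Canonicalise a datastore path so case and slash style cannot hide a match."""
    m = _VMX_RE.match(path.strip())
    if not m:
        raise ValueError(f"not a datastore VMX path: {path!r}")
    rel = m.group("rel").replace("\\", "/").lower()
    return f"[{m.group('ds').lower()}] {rel}"


def find_unregistered_vmx(registered: list[RegisteredVM],
                          datastore_vmx_files: list[str]) -> list[str]:
    """Return normalised .vmx paths found on datastores but not in the inventory.

    A VM that exists on disk yet is not registered is invisible in the normal
    inventory views, which is exactly what a hunt for hidden VMs should surface.
    """
    known = {normalize_vmx_path(vm.vmx_path) for vm in registered}
    found = {normalize_vmx_path(p) for p in datastore_vmx_files}
    return sorted(found - known)


def find_missing_on_disk(registered: list[RegisteredVM],
                         datastore_vmx_files: list[str]) -> list[str]:
    """Return VM names whose registered .vmx no longer exists on any datastore.

    Not a sign of compromise by itself, but a stale inventory makes the
    unregistered-VM comparison noisy, so it is reported alongside it.
    """
    found = {normalize_vmx_path(p) for p in datastore_vmx_files}
    return sorted(vm.name for vm in registered
                  if normalize_vmx_path(vm.vmx_path) not in found)


# Constructed sample data: a small inventory export and a datastore file walk.
REGISTERED = [
    RegisteredVM("web01", "[datastore1] web01/web01.vmx"),
    RegisteredVM("db01", "[datastore1] db01/db01.vmx"),
    RegisteredVM("jump01", "[datastore2] jump01/jump01.vmx"),
]
DATASTORE_VMX_FILES = [
    "[datastore1] web01/web01.vmx",
    "[datastore1] db01/db01.vmx",
    "[Datastore2] jump01\\jump01.vmx",     # same VM, different case and slashes
    "[datastore1] .cache/svc/svc.vmx",     # constructed: unregistered VM in a dot-folder
    "[datastore2] web01/web01-old.vmx",    # constructed: unregistered VM mimicking a real name
]


def hunt_report(registered: list[RegisteredVM],
                datastore_vmx_files: list[str]) -> dict[str, list[str]]:
    """Bundle both checks so the result can be logged or ticketed as one finding set."""
    return {
        "unregistered_vmx": find_unregistered_vmx(registered, datastore_vmx_files),
        "registered_but_missing": find_missing_on_disk(registered, datastore_vmx_files),
    }


if __name__ == "__main__":
    for key, items in hunt_report(REGISTERED, DATASTORE_VMX_FILES).items():
        print(f"{key}: {len(items)}")
        for item in items:
            print(f"  - {item}")
```

In a real environment the two inputs come from the vCenter API (the inventory) and a datastore browse (the file listing) rather than from literals; the comparison logic is the same. Any hit in the unregistered list deserves a look at the file's creation time and the host audit logs before it is registered or deleted, since the report notes these VMs were used for long-term persistence.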

    Fred Fosu
    Fred Fosu is a digital marketing and tech enthusiast, sharing practical guides, reviews, and tips to help people save money, make money, and enjoy the latest in tech and entertainment. As the creator of Honest Fred, he teaches, entertains, and empowers his audience through YouTube videos, blogs, and social media content.
