Hackers sponsored by China are targeting federal agencies, technology companies and critical infrastructure sector organizations with a new type of malware affecting Linux, VMWare kernel and Windows environments that may be difficult to detect and eradicate.

The Cybersecurity and Infrastructure Security Agency, the National Security Agency and the Canadian Centre for Cyber Security are strongly advising organizations take steps to scan systems for BRICKSTORM using detection signatures and rules; inventory all network edge devices; monitor edge devices for suspicious network connectivity and ensure proper network segmentation. The organizations released a malware analysis report to help organizations combat the threat.

“BRICKSTORM underscores the grave threats that are posed by the People’s Republic of China to our nation’s critical infrastructure. State sponsored actors are not just infiltrating networks, they are embedding themselves to enable long term access, disruption and potential sabotage. That’s why we’re urging every organization to treat this threat with the seriousness that it demands,” said Nick Andersen, CISA’s executive assistant director for cybersecurity, during a call with reporters today. “The advisory we issued today provides indicators of compromise (IOCs) and detection signatures to assist critical infrastructure owners and operators in determining whether they have been compromised. It also gives recommended mitigation actions to protect against what is truly pervasive PRC activity.”

CISA says BRICKSTORM features advanced functionality to conceal communications, move laterally and tunnel into victim networks and automatically reinstall or restart the malware if disrupted. Andersen said CISA became aware of the threat in mid-August and it’s part of a “persistent, long-term campaigns of nation state threat actors, in particular those that are sponsored by the People’s Republic of China, to hold at risk our nation’s critical infrastructure through cyber means.”

The malware has impacted at least eight organizations, including one where CISA provided incident response services to. Andersen wouldn’t say how many of those eight were federal agencies or which ones have been impacted.

“This is a terribly sophisticated piece of malware that’s being used, and that’s why we’re encouraging all organizations to take action to protect themselves, and if they do become victims of it or other malicious activity, to report it to CISA, so we can have a better understanding of the full picture of not just where this malware is being employed, but the more robust picture of the wider cyber threat landscape,” Andersen said.

New way to interact with industry

Since January, CISA has issued 20 joint cybersecurity advisories and threat intelligence guidance documents with U.S. allies, including the United Kingdom, Canada, Australia and New Zealand, as well as with our other international partners.

“Together, we’ve exposed nation-state sponsored intrusions, AI enabled ransomware operations and the ever evolving threats to critical infrastructure,” Andersen said.

Along with the warnings and analysis about BRICKSTORM, CISA also launched a new Industry Engagement Platform (IEP). CISA says it’s designed to let the agency and companies share information and develop innovative and security technologies.

“The IEP enables CISA to better understand emerging solutions across the technology ecosystem while giving industry a clear, transparent pathway to engage with the agency,” CISA said in a release. “The IEP allows organizations – including industry, non-profits, academia, government partners … and the research community – with a structured process to request conversations with CISA subject matter experts to describe new technologies and capabilities. These engagements give innovators the opportunity to present solutions that may strengthen our nation’s cyber and infrastructure security.”

CISA says while participation in the IEP does not provide preferential consideration for future federal contracts, it serves as a channel for the government to gain insight into new capabilities and market trends.

Current areas of interest include:

Information technology and security controls

Data, analytics, storage, and data management

Communications technologies

Any emerging technologies that advance CISA’s mission, including post-quantum cryptography and other next-generation capabilities

Andersen said while the IEP and related work is separate from the BRICKSTORM analysis, it’s all part of how CISA is trying to ensure all organizations protect themselves from the ever-changing cyber threat.

“The threat here is not theoretical, and BRICKSTORM underscores the grave threats that are posed by the People’s Republic of China to our nation’s critical infrastructure,” he said “We know that state sponsored actors are not just infiltrating networks. They’re embedding themselves to enable the long term access disruption and potential sabotage that enables their strategic objectives, and that’s why we continue to urge every organization to treat this threat with serious demands.”

