China is using advanced ‘Brickstorm’ malware against government and IT orgs, US assesses

The malware was detected in the recently disclosed breach of F5, an application delivery and security provider.
The NSA and the Cybersecurity and Infrastructure Security Agency have assessed that China is using an advanced malware family to access government agencies and technology companies, according to extensive findings made public Thursday.
The malware analysis, coauthored with Canadian cyber authorities, reflects September threat intelligence produced by Google and underscores the extent of the efforts the hackers have gone to quietly plant themselves into victims’ systems for long-term snooping and potential sabotage.
The malware, dubbed Brickstorm, was used in a Chinese breach into F5 systems that was disclosed in October. Those hackers had reportedly been inside the company’s systems since 2023. That particular hack was deemed perilous for the company and its clients, as F5 supports hundreds of thousands of application delivery and internet traffic management systems for hundreds of private companies and government agencies worldwide.
The long dwell time inside F5 aligns with Thursday's findings from the government, which examined eight Brickstorm samples and found that the cyberspies lurked inside another victim’s systems from April 2024 to September 2025. That victim was not named.
The Brickstorm program is a sophisticated backdoor that can let hackers crawl into cloud environments hosted by VMware, a major provider of virtual machine services. VMware’s vSphere tool — a suite of software that creates and manages virtual data centers — is a prime target for the Chinese hackers, CISA said.
“This advisory underscores the grave threats posed by the People’s Republic of China that create ongoing cybersecurity exposures and costs to the United States, our allies and the critical infrastructure we all depend on,” CISA acting Director Madhu Gottumukkala said in a statement.
Nick Andersen, CISA’s executive assistant director in the Cybersecurity Division, declined to comment on a call with reporters about specific incident response plans being taken by affected U.S. government agencies. CISA officials “strongly encourage organizations to take actions to assess their environments, identify any signs of compromise and apply the recommended mitigations from the advisory to strengthen their defenses,” he said.
China used Brickstorm to conduct reconnaissance on an Asia-Pacific government organization, CrowdStrike said in a report Thursday. Andersen declined to comment on that and the international scale of the intrusions, though he’s hopeful more information will filter through as countries continue to make their own assessments.
China has a storied history of cyber operations targeting U.S. infrastructure, especially government agencies. Its elite hacking collectives, made up of government-employed operatives and private sector supporters, have targeted swaths of telecom systems and other critical infrastructure.
U.S. intelligence has assessed that at least one of those groups, known as Volt Typhoon, has quietly embedded itself in key systems as part of a contingency plan to disrupt infrastructure and sow nationwide panic if a major conflict breaks out, including war over China’s claims to Taiwan.