惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

The Cloudflare Blog
Microsoft Security Blog
Microsoft Security Blog
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
L
LangChain Blog
W
WeLiveSecurity
P
Proofpoint News Feed
月光博客
月光博客
NISL@THU
NISL@THU
L
LINUX DO - 最新话题
Webroot Blog
Webroot Blog
T
Threatpost
Y
Y Combinator Blog
www.infosecurity-magazine.com
www.infosecurity-magazine.com
T
Threat Research - Cisco Blogs
Vercel News
Vercel News
Jina AI
Jina AI
阮一峰的网络日志
阮一峰的网络日志
S
Schneier on Security
J
Java Code Geeks
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
小众软件
小众软件
MyScale Blog
MyScale Blog
N
News and Events Feed by Topic
Stack Overflow Blog
Stack Overflow Blog
有赞技术团队
有赞技术团队
The Hacker News
The Hacker News
Schneier on Security
Schneier on Security
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
Help Net Security
Help Net Security
Recent Announcements
Recent Announcements
S
Security @ Cisco Blogs
C
CXSECURITY Database RSS Feed - CXSecurity.com
S
Securelist
T
The Exploit Database - CXSecurity.com
云风的 BLOG
云风的 BLOG
C
Cisco Blogs
雷峰网
雷峰网
量子位
Google DeepMind News
Google DeepMind News
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
Spread Privacy
Spread Privacy
L
Lohrmann on Cybersecurity
I
Intezer
T
The Blog of Author Tim Ferriss
G
GRAHAM CLULEY
D
DataBreaches.Net
V
Vulnerabilities – Threatpost
P
Privacy & Cybersecurity Law Blog
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
罗磊的独立博客

Vectra AI Blog

Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Why You Need an NDR to Protect Your Modern Network Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI named in Gartner hype cycle for security operations 2025 Vectra AI Vectra AI Vectra AI How Sanofi Detected and Stopped a Cyberattack How MITRE ATLAS Helps Detect LLM Attacks in Cloud AI Detecting Iranian APT identity attacks across hybrid environments Vectra AI Vectra AI Vectra AI Breaking down the axios supply chain incident Vectra AI Who’s Doing What on Your Network? FortiClient EMS Zero-Day: When the Control Plane Becomes Initial Access Detecting Compromise After the Axios Supply Chain Attack. Vectra AI Vectra AI Vectra AI AI Is Now the Attack Surface: Why Your Security Stack Must Adapt Fast Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI How attackers use Brute Ratel (BRC4) Vectra AI Vectra AI Vectra AI The Cutting Edge: AI’s Inevitable Rise in Offensive Security Vectra AI Vectra AI Is AI the Right Tool to Defend Against Modern Cyberattacks? Vectra AI Vectra AI Vectra AI Turns Out Network Security Is Cool Again – and It’s Called NDR Vectra AI Vectra AI Vectra AI Choosing the Right NDR: Gartner’s 5 Questions Every Security Buyer Should Be Asking Vectra AI Vectra AI Named a Leader and Outperformer in the 2025 GigaOm Radar Report for Identity Threat Detection and Response (ITDR) Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI You Have the Right Tools. So Why Are Attackers Still Getting In? Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Challenges in Microsoft Log Monitoring: Insights for Your SOC Vectra AI Platform Visualizes Multi-domain Modern Attacks with Attack Graphs Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Gartner Security and Risk Conference – Chaos meets Opportunity Vectra AI Named a Leader and Outperformer in the 2025 GigaOm Radar Report for Network Detection and Response (NDR) Presenting the 2025 Vectra AI Scholars Simplify Threat Investigation and Hunting with Pre-built Queries in Vectra Investigate The 2025 Gartner® Magic Quadrant™ for Network Detection and Response (NDR) - Why Vectra AI Stands Tall Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI How Black Basta Turned Public Data into a Breach Playbook Play’s New Tactics Bypass Traditional Defenses. Are You Ready? Charting a New Era of Network Security: Vectra AI at the Forefront Unlocking Operational Efficiency: How Vectra AI Drives 40% Gains in SOC Performance and 391% ROI Identity-Centric Attacks: The New Reality for UK Retail CISA Flags Fast Flux as a National Threat: Are You Covered? AI Agents: What Do They Mean in Cybersecurity?
Vectra AI
Zoey Chu · 2026-04-10 · via Vectra AI Blog

UNC5221’s BRICKSTORM backdoor is more than just another piece of malware. It proves that advanced adversaries are winning by hiding in the places SOC teams cannot see. Mandiant found that attackers using BRICKSTORM lived inside U.S. enterprises for more than 400 days on average before detection. They achieved this by exploiting the blind spots in network appliances, virtualization platforms, and identity systems. This campaign was not about smash and grab attacks. It was about patience, stealth, and persistence inside infrastructure that most security tools ignore.

Appliances in the Dark: Where BRICKSTORM Hid

BRICKSTORM succeeded because it lived in places most security teams rarely watch. The backdoor was designed to run on edge appliances like VPN gateways, firewalls, and VMware vCenter servers. These systems are critical to business continuity, but they often lack endpoint agents and generate minimal logs. That security gap created the perfect hiding place.

Once installed, BRICKSTORM blended into normal processes and even persisted across reboots by modifying startup scripts. From the attacker’s perspective, this is the ideal foothold. From the defender’s perspective, it is almost invisible. SOC teams monitoring endpoints and cloud workloads had no signal that adversaries were operating inside the infrastructure connecting those systems together.

These blind spots gave attackers the room they needed to remain hidden. But stealth was not just about where they lived, it was also about how they operated.

BRICKSTORM targeting. Source Google Cloud

Stealth that Lasted Over a Year

UNC5221’s operators built BRICKSTORM to avoid every traditional detection method. Each implant was compiled uniquely for its victim, often stripped of identifiers and obfuscated to look like a legitimate process. Some versions even included a delayed start feature, lying dormant for months before activating. By the time the malware beaconed out, incident responders had long since moved on.

This tradecraft explains the staggering dwell time of around 400 days. Indicators of compromise were practically useless. There were no reused domains, no repeat file hashes, and no signatures to rely on. Instead, the attackers lived off the land, using valid credentials and standard admin tools to move laterally and steal data. Their presence blended so cleanly into routine activity that even seasoned SOC teams missed the signs.

The reality is that this level of stealth cannot be caught with a static approach. To shorten dwell time, detection has to shift from chasing indicators to monitoring behavior. Only by spotting subtle anomalies in how infrastructure, users, and services operate can defenders close the advantage that BRICKSTORM enjoyed.

When Appliances Become a Gateway to Identity

For UNC5221, BRICKSTORM was never the end goal. The compromised appliances served as a springboard into the systems that matter most: identity infrastructure.

Once inside, the attackers cloned entire domain controllers to quietly extract Active Directory databases. They deployed custom servlet filters inside VMware vCenter to siphon off admin credentials. In cloud environments, they registered rogue applications in Microsoft 365 to read mailboxes as if they were legitimate services. Each of these moves gave the attackers privileged access without raising alarms.

From a defender’s perspective, it looked like normal administrators logging in, cloning machines, or granting cloud apps permissions. In reality, it was a slow dismantling of trust at the core of the enterprise.

This pivot to identity is the most damaging part of the campaign. Once adversaries control domain controllers or SaaS authentication, they can access virtually any resource. BRICKSTORM revealed how attackers now combine appliance footholds with credential theft to gain dominance across hybrid environments.

Protecting endpoints alone is no longer enough when identity is the ultimate prize.

Supply Chain Impact Beyond the Primary Target

UNC5221 does not stop with individual enterprises. Many of the organizations compromised by BRICKSTORM were service providers — SaaS platforms, outsourcing firms, and legal services that hold data or provide access for dozens of downstream clients. By embedding in these providers, the attackers positioned themselves to reach far beyond a single network.

This strategy magnifies the impact of every compromise. A foothold in a SaaS company could expose sensitive data from government agencies. Breaching an outsourcing partner could open pathways into multiple industries at once. For the attacker, it is an efficient way to expand reach. For defenders, it is a reminder that your security posture is only as strong as the partners and vendors you rely on.

The BRICKSTORM campaign highlights how supply chain compromise is evolving. It is not always about injecting malicious code into software updates. Sometimes it is about targeting the connective tissue of business services and exploiting trust relationships to move silently into new environments.

Facing a Next-Level Adversary

Mandiant described UNC5221 as a “very, very advanced adversary,” and BRICKSTORM proved it. These operators didn’t rely on malware families reused across campaigns. They built custom implants, deployed unique infrastructure for each victim, and dismantled evidence before responders could collect it. Every move showed patience and discipline.

Traditional defenses are not built for this kind of opponent:

Against an actor that invests this much in stealth, the only realistic response is to change the detection model.

That shift means focusing on behavior rather than indicators. It means correlating activity across network, identity, and cloud environments to expose the subtle patterns that no single tool can see in isolation. Anything less leaves gaps that a determined adversary will exploit for months or even years.

Closing the Gaps with Vectra AI

The BRICKSTORM campaign was engineered to disappear into the noise. It beaconed through encrypted cloud front ends, tunneled DNS inside HTTPS, pivoted with valid credentials, and quietly staged data for months. These are exactly the kinds of behaviors the Vectra AI Platform is built to surface.

Here is how Vectra AI closes the gaps attackers exploit:

External communications and exfiltration

  • Encrypted and fronted C2 traffic: Advanced C2 analytics detect domain fronting, intermittent beaconing, unusual SaaS or cloud usage, and encrypted C2 sessions. Models analyze anomalies in HTTP headers, user agents, destination rarity, and beaconing regularity to expose stealthy worker-hosted C2 such as BRICKSTORM’s use of HTTPS and WSS over cloud services.
  • DNS-over-HTTPS resolution: Vectra’s Hidden HTTPS Tunnel detection and machine learning models catch DoH patterns hidden in encrypted traffic. This directly addresses BRICKSTORM’s use of DoH for covert C2 resolution.
  • DNS and protocol tunneling for exfiltration: If attackers fall back to DNS tunneling or data exfiltration over C2, Vectra’s Hidden DNS Tunnel and ATT&CK-mapped detections immediately highlight the abnormal patterns.

Internal movement and collection

  • Lateral movement and reconnaissance: When BRICKSTORM relays RDP or SMB traffic and pivots with valid credentials, detections such as SMB Account Scan and Kerberos Account Scan alert on credential misuse and suspicious internal probing.
  • Staging and collection: Bulk access to repositories, code bases, or file shares triggers Data Gathering detections. This shines a light on attackers preparing material for exfiltration before data loss occurs.

Defense in depth

  • Complementary IOC coverage: For additional defense in depth, Vectra sensors can run Suricata-based rules (SPA), including community signatures such as NVISO’s BRICKSTORM C2 rule, to supplement behavior-driven analytics.

With this multi-layered approach, SOC teams do not have to chase unique hashes or domains. Instead, they can see the behaviors that advanced adversaries cannot hide. Vectra AI correlates detections across network, identity, SaaS, and cloud, turning invisible footholds into visible threats and collapsing dwell time from months to moments.

Conclusion: Learn from BRICKSTORM

BRICKSTORM is not just another backdoor. It is a reminder that the most advanced adversaries thrive in the places traditional tools do not cover. UNC5221 survived for more than a year inside enterprise networks because it operated in blind spots, abused identity, and moved data through channels that looked legitimate.

Defenders cannot rely on indicators or static signatures when attackers change infrastructure with every victim. What matters is the ability to detect behaviors that remain consistent across campaigns, no matter how much the malware itself changes. That is exactly what the Vectra AI Platform delivers.

By closing detection gaps across network, identity, SaaS, and cloud, Vectra AI allows SOC teams to see what others miss and stop stealthy operations before they become another year-long compromise.

See how Vectra AI eliminates detection gaps. Take the self-guided demo today.