惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

N
Netflix TechBlog - Medium
Blog — PlanetScale
Blog — PlanetScale
月光博客
月光博客
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
爱范儿
爱范儿
量子位
博客园 - 聂微东
Engineering at Meta
Engineering at Meta
WordPress大学
WordPress大学
GbyAI
GbyAI
MyScale Blog
MyScale Blog
IT之家
IT之家
P
Proofpoint News Feed
M
MIT News - Artificial intelligence
The Cloudflare Blog
H
Hackread – Cybersecurity News, Data Breaches, AI and More
Hugging Face - Blog
Hugging Face - Blog
The Register - Security
The Register - Security
Microsoft Security Blog
Microsoft Security Blog
博客园_首页
MongoDB | Blog
MongoDB | Blog
F
Fortinet All Blogs
博客园 - 三生石上(FineUI控件)
Y
Y Combinator Blog
雷峰网
雷峰网
V
Visual Studio Blog
酷 壳 – CoolShell
酷 壳 – CoolShell
Last Week in AI
Last Week in AI
博客园 - 叶小钗
D
DataBreaches.Net
B
Blog
B
Blog RSS Feed
大猫的无限游戏
大猫的无限游戏
aimingoo的专栏
aimingoo的专栏
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
The GitHub Blog
The GitHub Blog
云风的 BLOG
云风的 BLOG
Recent Announcements
Recent Announcements
阮一峰的网络日志
阮一峰的网络日志
小众软件
小众软件
腾讯CDC
T
Threat Research - Cisco Blogs
SecWiki News
SecWiki News
Martin Fowler
Martin Fowler
D
Docker
Cisco Talos Blog
Cisco Talos Blog
T
Tenable Blog
Webroot Blog
Webroot Blog
宝玉的分享
宝玉的分享

Vectra AI Blog

Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Why You Need an NDR to Protect Your Modern Network Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI named in Gartner hype cycle for security operations 2025 Vectra AI Vectra AI Vectra AI How Sanofi Detected and Stopped a Cyberattack How MITRE ATLAS Helps Detect LLM Attacks in Cloud AI Detecting Iranian APT identity attacks across hybrid environments Vectra AI Vectra AI Vectra AI Breaking down the axios supply chain incident Vectra AI Who’s Doing What on Your Network? FortiClient EMS Zero-Day: When the Control Plane Becomes Initial Access Detecting Compromise After the Axios Supply Chain Attack. Vectra AI Vectra AI Vectra AI AI Is Now the Attack Surface: Why Your Security Stack Must Adapt Fast Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI How attackers use Brute Ratel (BRC4) Vectra AI Vectra AI Vectra AI The Cutting Edge: AI’s Inevitable Rise in Offensive Security Vectra AI Vectra AI Is AI the Right Tool to Defend Against Modern Cyberattacks? Vectra AI Vectra AI Vectra AI Turns Out Network Security Is Cool Again – and It’s Called NDR Vectra AI Vectra AI Vectra AI Choosing the Right NDR: Gartner’s 5 Questions Every Security Buyer Should Be Asking Vectra AI Vectra AI Named a Leader and Outperformer in the 2025 GigaOm Radar Report for Identity Threat Detection and Response (ITDR) Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI You Have the Right Tools. So Why Are Attackers Still Getting In? Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Challenges in Microsoft Log Monitoring: Insights for Your SOC Vectra AI Platform Visualizes Multi-domain Modern Attacks with Attack Graphs Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Gartner Security and Risk Conference – Chaos meets Opportunity Vectra AI Named a Leader and Outperformer in the 2025 GigaOm Radar Report for Network Detection and Response (NDR) Presenting the 2025 Vectra AI Scholars Simplify Threat Investigation and Hunting with Pre-built Queries in Vectra Investigate The 2025 Gartner® Magic Quadrant™ for Network Detection and Response (NDR) - Why Vectra AI Stands Tall Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI How Black Basta Turned Public Data into a Breach Playbook Play’s New Tactics Bypass Traditional Defenses. Are You Ready? Charting a New Era of Network Security: Vectra AI at the Forefront Unlocking Operational Efficiency: How Vectra AI Drives 40% Gains in SOC Performance and 391% ROI Identity-Centric Attacks: The New Reality for UK Retail CISA Flags Fast Flux as a National Threat: Are You Covered? AI Agents: What Do They Mean in Cybersecurity?
Vectra AI
Zoey Chu · 2026-04-10 · via Vectra AI Blog

UNC5221’s BRICKSTORM backdoor is more than just another piece of malware. It proves that advanced adversaries are winning by hiding in the places SOC teams cannot see. Mandiant found that attackers using BRICKSTORM lived inside U.S. enterprises for more than 400 days on average before detection. They achieved this by exploiting the blind spots in network appliances, virtualization platforms, and identity systems. This campaign was not about smash and grab attacks. It was about patience, stealth, and persistence inside infrastructure that most security tools ignore.

Appliances in the Dark: Where BRICKSTORM Hid

BRICKSTORM succeeded because it lived in places most security teams rarely watch. The backdoor was designed to run on edge appliances like VPN gateways, firewalls, and VMware vCenter servers. These systems are critical to business continuity, but they often lack endpoint agents and generate minimal logs. That security gap created the perfect hiding place.

Once installed, BRICKSTORM blended into normal processes and even persisted across reboots by modifying startup scripts. From the attacker’s perspective, this is the ideal foothold. From the defender’s perspective, it is almost invisible. SOC teams monitoring endpoints and cloud workloads had no signal that adversaries were operating inside the infrastructure connecting those systems together.

These blind spots gave attackers the room they needed to remain hidden. But stealth was not just about where they lived, it was also about how they operated.

BRICKSTORM targeting. Source Google Cloud

Stealth that Lasted Over a Year

UNC5221’s operators built BRICKSTORM to avoid every traditional detection method. Each implant was compiled uniquely for its victim, often stripped of identifiers and obfuscated to look like a legitimate process. Some versions even included a delayed start feature, lying dormant for months before activating. By the time the malware beaconed out, incident responders had long since moved on.

This tradecraft explains the staggering dwell time of around 400 days. Indicators of compromise were practically useless. There were no reused domains, no repeat file hashes, and no signatures to rely on. Instead, the attackers lived off the land, using valid credentials and standard admin tools to move laterally and steal data. Their presence blended so cleanly into routine activity that even seasoned SOC teams missed the signs.

The reality is that this level of stealth cannot be caught with a static approach. To shorten dwell time, detection has to shift from chasing indicators to monitoring behavior. Only by spotting subtle anomalies in how infrastructure, users, and services operate can defenders close the advantage that BRICKSTORM enjoyed.

When Appliances Become a Gateway to Identity

For UNC5221, BRICKSTORM was never the end goal. The compromised appliances served as a springboard into the systems that matter most: identity infrastructure.

Once inside, the attackers cloned entire domain controllers to quietly extract Active Directory databases. They deployed custom servlet filters inside VMware vCenter to siphon off admin credentials. In cloud environments, they registered rogue applications in Microsoft 365 to read mailboxes as if they were legitimate services. Each of these moves gave the attackers privileged access without raising alarms.

From a defender’s perspective, it looked like normal administrators logging in, cloning machines, or granting cloud apps permissions. In reality, it was a slow dismantling of trust at the core of the enterprise.

This pivot to identity is the most damaging part of the campaign. Once adversaries control domain controllers or SaaS authentication, they can access virtually any resource. BRICKSTORM revealed how attackers now combine appliance footholds with credential theft to gain dominance across hybrid environments.

Protecting endpoints alone is no longer enough when identity is the ultimate prize.

Supply Chain Impact Beyond the Primary Target

UNC5221 does not stop with individual enterprises. Many of the organizations compromised by BRICKSTORM were service providers — SaaS platforms, outsourcing firms, and legal services that hold data or provide access for dozens of downstream clients. By embedding in these providers, the attackers positioned themselves to reach far beyond a single network.

This strategy magnifies the impact of every compromise. A foothold in a SaaS company could expose sensitive data from government agencies. Breaching an outsourcing partner could open pathways into multiple industries at once. For the attacker, it is an efficient way to expand reach. For defenders, it is a reminder that your security posture is only as strong as the partners and vendors you rely on.

The BRICKSTORM campaign highlights how supply chain compromise is evolving. It is not always about injecting malicious code into software updates. Sometimes it is about targeting the connective tissue of business services and exploiting trust relationships to move silently into new environments.

Facing a Next-Level Adversary

Mandiant described UNC5221 as a “very, very advanced adversary,” and BRICKSTORM proved it. These operators didn’t rely on malware families reused across campaigns. They built custom implants, deployed unique infrastructure for each victim, and dismantled evidence before responders could collect it. Every move showed patience and discipline.

Traditional defenses are not built for this kind of opponent:

Against an actor that invests this much in stealth, the only realistic response is to change the detection model.

That shift means focusing on behavior rather than indicators. It means correlating activity across network, identity, and cloud environments to expose the subtle patterns that no single tool can see in isolation. Anything less leaves gaps that a determined adversary will exploit for months or even years.

Closing the Gaps with Vectra AI

The BRICKSTORM campaign was engineered to disappear into the noise. It beaconed through encrypted cloud front ends, tunneled DNS inside HTTPS, pivoted with valid credentials, and quietly staged data for months. These are exactly the kinds of behaviors the Vectra AI Platform is built to surface.

Here is how Vectra AI closes the gaps attackers exploit:

External communications and exfiltration

  • Encrypted and fronted C2 traffic: Advanced C2 analytics detect domain fronting, intermittent beaconing, unusual SaaS or cloud usage, and encrypted C2 sessions. Models analyze anomalies in HTTP headers, user agents, destination rarity, and beaconing regularity to expose stealthy worker-hosted C2 such as BRICKSTORM’s use of HTTPS and WSS over cloud services.
  • DNS-over-HTTPS resolution: Vectra’s Hidden HTTPS Tunnel detection and machine learning models catch DoH patterns hidden in encrypted traffic. This directly addresses BRICKSTORM’s use of DoH for covert C2 resolution.
  • DNS and protocol tunneling for exfiltration: If attackers fall back to DNS tunneling or data exfiltration over C2, Vectra’s Hidden DNS Tunnel and ATT&CK-mapped detections immediately highlight the abnormal patterns.

Internal movement and collection

  • Lateral movement and reconnaissance: When BRICKSTORM relays RDP or SMB traffic and pivots with valid credentials, detections such as SMB Account Scan and Kerberos Account Scan alert on credential misuse and suspicious internal probing.
  • Staging and collection: Bulk access to repositories, code bases, or file shares triggers Data Gathering detections. This shines a light on attackers preparing material for exfiltration before data loss occurs.

Defense in depth

  • Complementary IOC coverage: For additional defense in depth, Vectra sensors can run Suricata-based rules (SPA), including community signatures such as NVISO’s BRICKSTORM C2 rule, to supplement behavior-driven analytics.

With this multi-layered approach, SOC teams do not have to chase unique hashes or domains. Instead, they can see the behaviors that advanced adversaries cannot hide. Vectra AI correlates detections across network, identity, SaaS, and cloud, turning invisible footholds into visible threats and collapsing dwell time from months to moments.

Conclusion: Learn from BRICKSTORM

BRICKSTORM is not just another backdoor. It is a reminder that the most advanced adversaries thrive in the places traditional tools do not cover. UNC5221 survived for more than a year inside enterprise networks because it operated in blind spots, abused identity, and moved data through channels that looked legitimate.

Defenders cannot rely on indicators or static signatures when attackers change infrastructure with every victim. What matters is the ability to detect behaviors that remain consistent across campaigns, no matter how much the malware itself changes. That is exactly what the Vectra AI Platform delivers.

By closing detection gaps across network, identity, SaaS, and cloud, Vectra AI allows SOC teams to see what others miss and stop stealthy operations before they become another year-long compromise.

See how Vectra AI eliminates detection gaps. Take the self-guided demo today.