Feature

China-Linked Hackers Target Software Supply Chains With Stealthy Malware

WASHINGTON — A sprawling cyber-espionage campaign linked to the Chinese government is exploiting the global technology supply chain, infiltrating vendors, service providers, and their customers in what Google has described as one of the most significant supply-chain hacks in recent memory.

The attackers, identified primarily as the group UNC5221, are deploying stealthy malware to compromise U.S. software suppliers, legal-services firms, and SaaS providers. Their operations have stolen sensitive national security information, source code for enterprise technologies, and even developer communications that may reveal undisclosed flaws ripe for exploitation.

“This is happening in the United States, this is next-level activity, and we’re only going to learn more about it over time,” said John Hultquist, chief analyst at Google’s Threat Intelligence Group, during the company’s Cyber Defense Summit.


From Vendors to Victims

Google analysts say the campaign resembles the SolarWinds espionage incident, where Russian hackers leveraged one vendor to compromise many downstream targets. By compromising software providers, UNC5221 and associated China-linked groups are moving “upstream” in the supply chain, where they can choose which customers to infiltrate.

Victims include law firms, where the attackers have searched email accounts of specific individuals for information tied to U.S. national security and trade. Enterprise tech firms have also been hit, with hackers stealing source code and scanning developer inboxes for details about software flaws.


The Brickstorm Backdoor

At the heart of the operation is a malware backdoor known as Brickstorm. Unlike typical malware, Brickstorm is designed for environments that cannot run endpoint detection and response (EDR) or antivirus software. It embeds itself on critical systems such as VMware ESXi hypervisors, email security gateways, and vulnerability scanners — infrastructure that organizations rely on for operations but rarely monitor for intrusions.

By avoiding EDR, Brickstorm can remain hidden for astonishing lengths of time. Google says the average “dwell time” for these intrusions is 393 days — more than a year before discovery — far exceeding the industry’s recent trend toward faster detection.

Google is releasing tools and YARA rules to help organizations scan for Brickstorm across live networks and archived backups. But the company warns that the attackers excel at erasing forensic traces, complicating incident response.


A Patient, Persistent Adversary

UNC5221 is not only stealthy but also highly disciplined. According to Google’s Mandiant division, the group never reuses IP infrastructure across attacks, making detection by pattern recognition nearly impossible.

Their patience is equally striking. In one case, investigators saw hackers configure their malware to remain dormant for months, quietly waiting out a victim’s internal investigation before reactivating. “It’s clever, but it also shows they’re in it for the long game,” said Austin Larsen, a principal threat analyst at Google Threat Intelligence Group.

Because so many companies automatically purge network logs after a set retention period, researchers have struggled to identify exactly how UNC5221 initially breaks in. However, evidence suggests the hackers exploit edge devices — including Ivanti Connect Secure VPNs, which the group has been targeting aggressively for the past two years.


Why This Campaign Matters

The campaign demonstrates both the fragility of the software supply chain and the sophistication of state-linked adversaries. By targeting trusted service providers, attackers gain indirect access to hundreds of downstream networks, amplifying the scale of each breach.

The theft of source code is particularly concerning. By studying the inner workings of enterprise technologies, attackers can discover new vulnerabilities and potentially weaponize them in future campaigns.

For legal-services firms, the targeting of specific inboxes suggests a clear intelligence agenda — information about U.S. trade negotiations and national security is of strategic value.


Long-Term Fallout

Google experts warn that the full scope of the campaign will not be known for months, if not years. Many victims are still in remediation, and others may only discover compromises long after the fact.

“The impact of the campaign will continue to resonate six to 24 months from now,” said Charles Carmakal, chief technology officer at Google’s Mandiant. “Over that time, there will be new things that will come out, and new victims that disclose breaches.”

For now, Google hopes its public disclosure and detection tools will prompt organizations to examine their infrastructure, search historical records, and take a more aggressive stance on supply-chain security.

What is clear is that the attackers are playing a long game. And unless companies, governments, and vendors move faster to shore up their defenses, the consequences of this campaign could extend far beyond today’s disclosures.

Photo Credit: DepositPhotos.com

Leave a Reply

Your email address will not be published. Required fields are marked *