Chinese-affiliated hackers exploit backdoor for possible 'sabotage,' according to US and Canada


On December 4, U.S. and Canadian cybersecurity agencies reported that hackers connected to China employed advanced malware to infiltrate and maintain prolonged access to several unnamed government and IT organizations.

These cyber operations represent a continuation of Chinese-affiliated efforts to target critical infrastructure, compromise sensitive networks, and establish long-term footholds that could allow disruption or sabotage, according to Madhu Gottumukkala, acting director of the Cybersecurity and Infrastructure Security Agency (CISA). The advisory was jointly issued by CISA, the National Security Agency, and the Canadian Centre for Cyber Security.

Chinese embassy spokesperson Liu Pengyu denied the allegations, stating that China neither supports nor condones cyber attacks, and criticized what he described as irresponsible assertions that lacked evidence.

U.S. authorities have previously warned that Chinese-linked hackers have focused on telecommunications companies and other sensitive targets both domestically and internationally. In October, a cyberattack on U.S. cybersecurity firm F5 was attributed to Chinese-linked actors.

The advisory detailed that the hackers are deploying a backdoor known as Brickstorm to compromise multiple government and IT entities. Once inside a network, Brickstorm can exfiltrate login credentials and other sensitive data and potentially give the operators full control over infected systems. In one instance, the malware was used to infiltrate a company in April 2024 and maintain access through at least September 3, 2025.

CISA's Executive Assistant Director for Cybersecurity, Nick Andersen, did not disclose the total number of organizations affected or the full scope of the hackers' activities during a press call.

The advisory is based on analysis of eight Brickstorm malware samples obtained from the targeted organizations. The hackers exploited VMware vSphere, a Broadcom product used to manage virtual machines. Broadcom confirmed it was aware of Brickstorm being used in compromised customer environments and advised customers to apply software updates and maintain strong security practices.

Google's Threat Intelligence Group previously reported Brickstorm-linked intrusions affecting industries including legal services, software providers, business process outsourcing, and technology. Beyond espionage, these attacks may have been used to uncover new vulnerabilities and create pathways for wider network access.

Author: Harper Simmons