Chinese-affiliated hackers exploit backdoor for possible 'sabotage,' according to US and Canada

On December 4, U.S. and Canadian cybersecurity agencies reported that hackers connected to China employed advanced malware to infiltrate and maintain prolonged access to several unnamed government and IT organizations.

These cyber operations represent a continuation of Chinese-affiliated efforts to target critical infrastructure, compromise sensitive networks, and establish long-term footholds that could allow disruption or sabotage, according to Madhu Gottumukkala, acting director of the Cybersecurity and Infrastructure Security Agency (CISA). The advisory was jointly issued by CISA, the National Security Agency, and the Canadian Centre for Cyber Security.

Chinese embassy spokesperson Liu Pengyu denied the allegations, stating that China neither supports nor condones cyber attacks, and criticized what he described as irresponsible assertions that lacked evidence.

U.S. authorities have previously warned that Chinese-linked hackers have focused on telecommunications companies and other sensitive targets both domestically and internationally. In October, a cyberattack on U.S. cybersecurity firm F5 was attributed to Chinese-linked actors.

The advisory detailed that the hackers are deploying a malware called Brickstorm to compromise multiple government and IT entities. Once inside a network, Brickstorm can exfiltrate login credentials and other sensitive data and potentially gain full control over infected systems. In one instance, the malware was used to infiltrate a company in April 2024 and maintain access through at least September 3, 2025.

CISAs Executive Assistant Director for Cybersecurity, Nick Andersen, did not disclose the total number of organizations affected or the full scope of the hackers activities during a press call.

The advisory is based on analysis of eight Brickstorm malware samples obtained from the targeted organizations. The hackers exploited VMware vSphere, a Broadcom product used to manage virtual machines. Broadcom confirmed awareness of Brickstorm use in compromised customer environments and advised customers to apply software updates and maintain strong security practices.

Googles Threat Intelligence Group previously reported Brickstorm-linked intrusions affecting industries including legal services, software providers, business process outsourcing, and technology. Beyond espionage, these attacks may have been used to uncover new vulnerabilities and create pathways for wider network access.

Analysis: Prolonged Threat from Brickstorm Malware

The recent advisory from U.S. and Canadian cybersecurity agencies highlights the persistent risk posed by Chinese-affiliated hackers using the Brickstorm malware. This campaign demonstrates not only sophisticated intrusion capabilities but also the ability to maintain long-term access to sensitive networks, underscoring the importance of proactive cybersecurity measures.

Brickstorm’s exploitation of VMware vSphere indicates that attackers are targeting widely used infrastructure tools to maximize reach. The confirmed multi-year access to at least one organization shows how prolonged undetected activity can compromise critical systems and sensitive data.

While the Chinese government denies involvement, the pattern of previous attacks on telecommunications and IT companies suggests a strategic focus on infrastructure and intellectual property. Organizations must remain vigilant, update software promptly, and monitor for unusual activity to mitigate these evolving threats.

Sources:

• Chinese-linked hackers use back door for potential 'sabotage,' US and Canada say