China Hiding in Plain Sight Within US Software Supply Chains 

Google’s Mandiant cybersecurity unit exposed Chinese state-linked hackers, from group UNC5221, conducting a widespread supply chain cyber espionage campaign.

On Wednesday, Google’s Mandiant cybersecurity unit exposed Chinese state-linked hackers, from group UNC5221, conducting a widespread supply chain cyber espionage campaign, infiltrating US tech companies, SaaS providers, and law firms to steal source code, trade secrets, and sensitive legal data.

The attackers use a stealthy backdoor, Brickstorm, planted on systems such as VMware hypervisors and email gateways – where traditional anti-virus doesn’t run – allowing them to go undetected inside victim networks for an average of 393 days. 

Mandiant disclosed the findings during a briefing at the company’s Cyber Defense Summit in Washington. The UNC5221 affiliates conducted one of the most severe Chinese supply chain cyber operations uncovered in recent years.

US officials, including the FBI, are investigating the full scope of the campaign. The campaign allows hackers to pivot from software vendors to their customers, a pattern that mirrors Russia’s SolarWinds attack.

A Long Game of Cyber Espionage 

The hackers, “the most prevalent adversary in the United States over the past several years,” are exploiting cloud-computing firms and law firms to access valuable corporate secrets, said Charles Carmakal, chief technology officer at Google’s Mandiant division.

The scope of the breaches highlights the need for a strong third-party risk management framework that can adapt to stealthy state-backed campaigns.

“We believe many organizations are compromised right now and don’t know it,” noted Austin Larsen, principal analyst at Google’s Threat Intelligence Group. “It’s very active right now. The volume is high.” 

Google’s analysts reported that attackers have targeted law firms’ internal communications, including the emails of attorneys handling US national security and international trade disputes.  

In the technology sector, hackers stole source code for enterprise software, potentially giving them the ability to develop “skeleton keys” to exploit future vulnerabilities. Experts say these incidents highlight gaps in third-party risk management technology when trusted providers are breached.

“You get hold of this technology’s source code and then you leverage that information to gain access or build exploits,” said John Hultquist, Google’s chief threat intelligence analyst. He continued, “it is them moving upstream where they can pick and choose their targets of interest.” Security specialists argue that stronger software supply chain security solutions are needed to limit the ripple effects. 

Secret Tactics and Global Supply Chain Cyber Security

The Brickstorm backdoor hides on systems that cannot run antivirus or endpoint detection software, such as VMware hypervisors and email gateways.

Analysts warn that weak vendor cyber security controls often allow such hidden intrusions to thrive undetected. Google said victims take an average of 393 days to discover these intrusions, an unusually long “dwell time” by modern cybersecurity standards.

Hidden in global supply chains, China’s cyber backdoors show how national security now depends on everyday tech components, turning routine products into silent tools of espionage and power. An office router, a line of code in a software update, or a cloud service that millions of people trust can be hijacked as a point of entry.

Experts add that the growing reliance on IT in supply chain management expands the number of pathways adversaries can exploit, making software supply chain security a national priority.

This blurring of the lines between consumer electronics and geopolitical conflict underscores the vulnerability of open economies, where the same tools that propel growth can also double as clandestine battlegrounds for spying. Analysts say maintaining stability requires both public and private investment in software supply chain security tools and better vendor security risk management.

“This is a very, very advanced adversary,” Carmakal warned, adding that UNC5221 hackers never reuse the same infrastructure, making it “very hard to detect them and to investigate them.” Companies are now urged to strengthen supplier cyber security assessment programs as a frontline defense. 

The FBI has called the threat a “five-alarm fire,” with sources telling CNN the bureau is investigating multiple breaches.  

“The FBI is aware of this matter, and we continue to work with our law enforcement and private sector partners,” an FBI spokesperson said. Officials said one challenge is detecting backdoors long after the initial compromise.

Officials at the Chinese Embassy in Washington rejected the allegations. “Tracing the source of cyberattacks is a complex technical issue,” spokesperson Liu Pengyu said, adding that China “opposes and combats all forms of cyberattacks and cybercrimes.” 

The hacks come against the backdrop of heightened US-China tensions, from escalating trade disputes to concerns about cyber sabotage of critical infrastructure. Analysts compare the operation’s scale and sophistication to Russia’s 2020 SolarWinds supply chain campaign.
