Recently, the cybersecurity agencies of the United States and Canada revealed that hackers affiliated with China have been using sophisticated malicious software to penetrate and maintain long-term access to government and IT entities in both countries.
In a joint security advisory signed by the Cybersecurity and Infrastructure Security Agency (CISA) under the U.S. Department of Homeland Security, the National Security Agency (NSA) under the U.S. Department of Defense, and the Canadian Centre for Cyber Security (CCCS), Madhu Gottumukkala, acting director of CISA, noted that these China-affiliated hacker activities serve as a clear example of targeting critical infrastructure in the U.S. and Canada, infiltrating sensitive networks, and embedding themselves to achieve long-term access, disruption, and potential damage.
The U.S. government warned that hackers affiliated with China have been targeting a range of telecommunications companies and other sensitive targets in the U.S. and globally in recent years. In October of this year, some sources linked a cyberattack on the U.S. cybersecurity company F5 to Chinese hackers.
The security advisory, released concurrently with a more detailed analysis of the malicious software, identified state-sponsored hackers using malware named “Brickstorm” to attack multiple government service agencies and IT entities. Once inside a network, these hackers can steal login credentials and other sensitive information, potentially gaining complete control over the targeted computers.
According to a disclosed case in the advisory, hackers used the Brickstorm malware to breach a company in April 2024 and maintained access until at least September 3, 2025. During a phone conference with reporters on Thursday, Nick Andersen, the Executive Assistant Director for Cybersecurity at CISA, declined to reveal the total number of government agencies targeted in the attacks or specifics on actions taken by hackers post-infiltration.
CISA stated that the security advisory and related analysis were based on eight samples of the Brickstorm malware obtained from the targeted institutions. These hackers deploy the malware on “VMware vSphere,” a product used for creating and managing virtual machines in networks; it is made by VMware, a cloud computing and virtualization technology company owned by Broadcom.
A spokesperson for Broadcom informed Reuters via email that the company is aware of the reports and encourages all customers to install the latest software patches and follow robust operational security practices.
Google’s Threat Intelligence Group reported in September that they had encountered a series of network intrusions related to Brickstorm across various industries, including legal services, software service providers, business process outsourcing companies, and the technology sector.
Google indicated that, aside from traditional espionage activities, the hackers in these cases may use the access gained in these intrusions to discover new, previously unknown vulnerabilities and to establish pivot points for broader access permissions, thereby potentially attacking more victims.
