CISA has released an alert and analysis about BRICKSTORM, malware allegedly used by actors connected to China, that has been targeting the public sector.
On December 4th, CISA released two reports. The first was an alert about BRICKSTORM, a malware program believed to be used by actors in the People’s Republic of China (PRC) in state-sponsored attacks against government services and information technology sectors. The second CISA paper was a more detailed analysis of the malware itself, providing resources for how organizations can spot and protect themselves against attacks.
The alert shared that initial access can vary, but in a confirmed compromise, the actor accessed a web server inside the organization’s demilitarized zone before implanting the BRICKSTORM malware. After this, the actors were able to obtain and use legitimate credentials to ultimately exfiltrate sensitive data. BRICKSTORM is built to persist: it continually checks that it is still operating as intended and can automatically reinstall or restart itself if it is disrupted.
CISA analyzed several different attacks conducted using BRICKSTORM. In one instance, BRICKSTORM was able to access the network from April 2024 until approximately September 3rd, 2025, over a full year.
CISA provided several specific recommendations for IT teams and network defenders, including:
If any organization believes it is the victim of a BRICKSTORM malware attack, it should follow CISA’s incident response plan, detailed in the more in-depth report.
The CISA alert emphasized that BRICKSTORM allows threat actors to maintain stealthy access and can help them secure command and control. CISA stated this type of malware has advanced functionality, showing how cyberthreats continue to evolve and continue to be difficult to detect and prevent.
Breaches like these are particularly troubling because of their ability to stay undetected in a network for long periods of time. According to past Paubox reports, breaches, on average, can take 224 days to detect, and additional time to contain. Often, organizations only become aware of a breach once the damage is done, highlighting the need for strong mitigation and prevention strategies.
So far, it seems that the threat actors are targeting government services, which can include some healthcare services. Even if regular healthcare practices aren’t specifically being targeted, it’s important for every organization to prepare against increasingly sophisticated threats.
CISA didn’t specify how many attacks have taken place, but did note that it had examined eight incidents to understand how the attack is carried out.