In the ever-evolving landscape of cybersecurity, few threats are as insidious as those orchestrated by nation-state actors with advanced capabilities. Today, we’re diving into a critical issue with Rupert Marais, our in-house security specialist renowned for his expertise in endpoint and device security, cybersecurity strategies, and network management. Rupert brings a wealth of knowledge to the table, particularly on the sophisticated campaigns targeting technology sectors. In this interview, we explore the alarming tactics of China-linked hacking groups, the stealthy malware they deploy, their focus on supply chain vulnerabilities, and the prolonged impact of their intrusions on both companies and their customers.
Can you walk us through the recent discoveries about China-linked hacking groups targeting technology and software providers?
Absolutely. These groups, believed to be tied to state-sponsored efforts, have been infiltrating technology companies, software-as-a-service providers, and even legal services firms. They’re using highly sophisticated methods to steal sensitive data not just from these organizations but also from their customers. It’s a strategic move—targeting the backbone of tech infrastructure to gain access to a broader network of victims.
What types of companies are these hackers focusing on, and why do you think they’re chosen as primary targets?
They’re primarily going after enterprise tech vendors, software providers, and firms that handle critical services like legal support. These companies are attractive because they often hold valuable intellectual property, source code, or act as gateways to a vast customer base. By breaching these entities, hackers can pivot to downstream targets, amplifying their reach and impact.
Could you shed some light on the specific group known as UNC5221 and why they’ve been flagged as a significant threat?
UNC5221 stands out due to their persistence and sophistication. They’ve been identified as one of the most active adversaries in the U.S. over recent years, orchestrating frequent and complex attacks. Their ability to remain undetected, coupled with their strategic targeting of supply chains, makes them particularly dangerous. They don’t just hit and run; they embed themselves for long-term espionage.
Let’s talk about the malware called Brickstorm that these hackers are using. How does it enable them to stay under the radar?
Brickstorm is a backdoor malware designed for stealth. It’s often planted on systems that can’t run traditional endpoint detection or antivirus tools, like certain hypervisors or email security gateways. This placement allows it to evade common security measures, letting hackers maintain access for extended periods—sometimes nearly a year—without triggering alarms.
Why does it take victims so long—almost 400 days on average—to detect these intrusions?
The prolonged detection time comes down to the hackers’ patience and cunning. They use tactics like lying dormant for months if they sense an investigation, and they meticulously cover their tracks by using unique infrastructure for each attack. By the time victims notice, critical logs from the initial breach are often gone, making it incredibly hard to piece together what happened.
How do these hackers transition from targeting major vendors to their customers, and what makes this approach so concerning?
Once they’ve compromised a vendor, they move laterally to access customer networks, often hunting for specific data like emails of key individuals or information tied to national security and trade. This supply chain attack strategy is worrisome because it exploits trust—customers don’t expect a breach to come through a trusted provider, and the ripple effects can impact countless organizations.
There’s a new tool being released to help companies scan for Brickstorm. Can you explain how it works and who should prioritize using it?
This tool is designed to scan networks for signs of Brickstorm, helping companies identify active or past compromises. It’s accompanied by specific rules to search backups for historical evidence. Any organization in the tech or legal sector, or those relying on major software vendors, should use it immediately. If something is found, a thorough investigation is critical—don’t just patch and move on.
What’s your forecast for the long-term impact of these supply chain attacks on the cybersecurity landscape?
I think we’re looking at a challenging road ahead. The effects of these breaches will unfold over the next couple of years as more victims come forward and new vulnerabilities are exploited. We’ll see an increased focus on securing supply chains, but adversaries will likely adapt, finding new ways to infiltrate. It’s a cat-and-mouse game, and organizations must stay proactive to keep up.
