By AJ Vicens
Dec 4 (Reuters) - Chinese-linked hackers used sophisticated malware to penetrate and maintain long-term access to unnamed government and information technology entities, U.S. and Canadian cybersecurity agencies said on Thursday.
The Chinese-linked hacking operations are the latest example of Chinese hackers targeting critical infrastructure, infiltrating sensitive networks and “embedding themselves to enable long-term access, disruption, and potential sabotage,” Madhu Gottumukkala, the acting director of the Cybersecurity and Infrastructure Security Agency, said in an advisory signed by CISA, the National Security Agency and the Canadian Centre for Cyber Security.
Liu Pengyu, a spokesperson for the Chinese embassy in Washington, said in an email that the Chinese government does not "encourage, support or connive at cyber attacks," and that "we reject the relevant parties' irresponsible assertion" about the activities in question, when the parties had "neither put forward any request related to the issue nor presented any factual evidence."
Chinese-linked hackers have been targeting a host of U.S. and global telecommunications companies and other sensitive targets in recent years, according to U.S. government warnings. In October, sources linked a hack targeting U.S. cybersecurity company F5 to Chinese-linked hackers.
According to the advisory, which was published alongside a more detailed malware analysis report, the state-backed hackers are using malware known as “Brickstorm” to target multiple government services and information technology entities. Once inside victim networks, the hackers can steal login credentials and other sensitive information and potentially take full control of targeted computers.
In one case, the attackers used Brickstorm to penetrate a company in April 2024 and maintained access through at least September 3, 2025, according to the advisory. During a call with reporters on Thursday, CISA Executive Assistant Director for Cybersecurity Nick Andersen declined to share details about the total number of government organizations targeted or specifics around what the hackers did once they penetrated their targets.
The advisory and malware analysis reports are based on eight Brickstorm samples obtained from targeted organizations, according to CISA. The hackers are deploying the malware against VMware vSphere, a product sold by Broadcom's VMware to create and manage virtual machines within networks.
A Broadcom spokesperson said in an email that the company was aware of reports of hackers using Brickstorm “after obtaining access to customer environments.” The company encourages all customers to apply up-to-date software patches and adhere to strong operational security, the spokesperson said.
In September, Google’s Threat Intelligence Group reported responding to Brickstorm-linked intrusions across a range of industries, including legal services, software service providers, business process outsourcers and technology.
In addition to traditional espionage, the hackers in those cases likely also used the operations to develop new, previously unknown vulnerabilities and establish pivot points to broader access to more victims, Google said at the time.
(Reporting by AJ Vicens in Detroit; Editing by Matthew Lewis)





