UNC5221’s BRICKSTORM backdoor is more than just another piece of malware. It proves that advanced adversaries are winning by hiding in the places SOC teams cannot see. Mandiant found that attackers using BRICKSTORM lived inside U.S. enterprises for more than 400 days on average before detection. They achieved this by exploiting the blind spots in network appliances, virtualization platforms, and identity systems. This campaign was not about smash and grab attacks. It was about patience, stealth, and persistence inside infrastructure that most security tools ignore.
Appliances in the Dark: Where BRICKSTORM Hid
BRICKSTORM succeeded because it lived in places most security teams rarely watch. The backdoor was designed to run on edge appliances like VPN gateways, firewalls, and VMware vCenter servers. These systems are critical to business continuity, but they often lack endpoint agents and generate minimal logs. That security gap created the perfect hiding place.
Once installed, BRICKSTORM blended into normal processes and even persisted across reboots by modifying startup scripts. From the attacker’s perspective, this is the ideal foothold. From the defender’s perspective, it is almost invisible. SOC teams monitoring endpoints and cloud workloads had no signal that adversaries were operating inside the infrastructure connecting those systems together.
These blind spots gave attackers the room they needed to remain hidden. But stealth was not just about where they lived; it was also about how they operated.

Stealth that Lasted Over a Year
UNC5221’s operators built BRICKSTORM to avoid every traditional detection method. Each implant was compiled uniquely for its victim, often stripped of identifiers and obfuscated to look like a legitimate process. Some versions even included a delayed start feature, lying dormant for months before activating. By the time the malware beaconed out, incident responders had long since moved on.
This tradecraft explains the staggering dwell time of around 400 days. Indicators of compromise were practically useless. There were no reused domains, no repeat file hashes, and no signatures to rely on. Instead, the attackers lived off the land, using valid credentials and standard admin tools to move laterally and steal data. Their presence blended so cleanly into routine activity that even seasoned SOC teams missed the signs.
The reality is that this level of stealth cannot be caught with a static approach. To shorten dwell time, detection has to shift from chasing indicators to monitoring behavior. Only by spotting subtle anomalies in how infrastructure, users, and services operate can defenders close the advantage that BRICKSTORM enjoyed.
When Appliances Become a Gateway to Identity
For UNC5221, BRICKSTORM was never the end goal. The compromised appliances served as a springboard into the systems that matter most: identity infrastructure.
Once inside, the attackers cloned entire domain controllers to quietly extract Active Directory databases. They deployed custom servlet filters inside VMware vCenter to siphon off admin credentials. In cloud environments, they registered rogue applications in Microsoft 365 to read mailboxes as if they were legitimate services. Each of these moves gave the attackers privileged access without raising alarms.
From a defender’s perspective, it looked like normal administrators logging in, cloning machines, or granting cloud apps permissions. In reality, it was a slow dismantling of trust at the core of the enterprise.
This pivot to identity is the most damaging part of the campaign. Once adversaries control domain controllers or SaaS authentication, they can access virtually any resource. BRICKSTORM revealed how attackers now combine appliance footholds with credential theft to gain dominance across hybrid environments.
Protecting endpoints alone is no longer enough when identity is the ultimate prize.
Supply Chain Impact Beyond the Primary Target
UNC5221 does not stop with individual enterprises. Many of the organizations compromised by BRICKSTORM were service providers — SaaS platforms, outsourcing firms, and legal services that hold data or provide access for dozens of downstream clients. By embedding in these providers, the attackers positioned themselves to reach far beyond a single network.
This strategy magnifies the impact of every compromise. A foothold in a SaaS company could expose sensitive data from government agencies. Breaching an outsourcing partner could open pathways into multiple industries at once. For the attacker, it is an efficient way to expand reach. For defenders, it is a reminder that your security posture is only as strong as the partners and vendors you rely on.
The BRICKSTORM campaign highlights how supply chain compromise is evolving. It is not always about injecting malicious code into software updates. Sometimes it is about targeting the connective tissue of business services and exploiting trust relationships to move silently into new environments.
Facing a Next-Level Adversary
Mandiant described UNC5221 as a “very, very advanced adversary,” and BRICKSTORM proved it. These operators didn’t rely on malware families reused across campaigns. They built custom implants, deployed unique infrastructure for each victim, and dismantled evidence before responders could collect it. Every move showed patience and discipline.
Traditional defenses are not built for this kind of opponent:
- Endpoint detection misses the appliances they compromise.
- SIEMs drown in noise while the real anomalies slip through.
- Signature updates cannot keep pace with one-off binaries and in-memory persistence.
Against an actor that invests this much in stealth, the only realistic response is to change the detection model.
That shift means focusing on behavior rather than indicators. It means correlating activity across network, identity, and cloud environments to expose the subtle patterns that no single tool can see in isolation. Anything less leaves gaps that a determined adversary will exploit for months or even years.
Closing the Gaps with Vectra AI
The BRICKSTORM campaign was engineered to disappear into the noise. It beaconed through encrypted cloud front ends, tunneled DNS inside HTTPS, pivoted with valid credentials, and quietly staged data for months. These are exactly the kinds of behaviors the Vectra AI Platform is built to surface.
Here is how Vectra AI closes the gaps attackers exploit:
External communications and exfiltration
- Encrypted and fronted C2 traffic: Advanced C2 analytics detect domain fronting, intermittent beaconing, unusual SaaS or cloud usage, and encrypted C2 sessions. Models analyze anomalies in HTTP headers, user agents, destination rarity, and beaconing regularity to expose stealthy worker-hosted C2 such as BRICKSTORM’s use of HTTPS and WSS over cloud services.
- DNS-over-HTTPS resolution: Vectra’s Hidden HTTPS Tunnel detection and machine learning models catch DoH patterns hidden in encrypted traffic. This directly addresses BRICKSTORM’s use of DoH for covert C2 resolution.
- DNS and protocol tunneling for exfiltration: If attackers fall back to DNS tunneling or data exfiltration over C2, Vectra’s Hidden DNS Tunnel and ATT&CK-mapped detections immediately highlight the abnormal patterns.
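The "beaconing regularity" and "destination rarity" signals named above can be illustrated with a small offline check. The script below is an added example, not Vectra's or Mandiant's code: it parses a constructed connection log, scores each source/destination pair by the coefficient of variation of the gaps between its connections, counts how many distinct sources contact each destination, and flags pairs that call a rarely-contacted destination at a near-constant interval. Host and domain names (ws-01, fronted-edge.example) are placeholders.

```python
"""Beaconing-regularity and destination-rarity check over connection logs.

Added example, not Vectra's or Mandiant's code. A near-constant interval to
a destination nobody else in the estate talks to is a behavioural signal
that survives changes of hash, domain or binary. All log lines below are
constructed; host and domain names are placeholders.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed connection log: "<epoch-seconds> <source-host> <destination> <port>".
# ws-01 calls fronted-edge.example every ~300s with a few seconds of jitter;
# ws-02 and ws-03 show irregular, human-driven traffic to shared destinations.
SAMPLE_LOG = """\
1000 ws-01 fronted-edge.example 443
1010 ws-02 portal.example 443
1045 ws-02 portal.example 443
1100 ws-02 cdn.example 443
1200 ws-03 portal.example 443
1300 ws-01 fronted-edge.example 443
1400 ws-02 portal.example 443
1400 ws-02 cdn.example 443
1410 ws-02 portal.example 443
1598 ws-01 fronted-edge.example 443
1700 ws-02 cdn.example 443
1903 ws-01 fronted-edge.example 443
2201 ws-01 fronted-edge.example 443
2499 ws-01 fronted-edge.example 443
2500 ws-03 portal.example 443
2802 ws-01 fronted-edge.example 443
2900 ws-02 portal.example 443
3000 ws-02 portal.example 443
3100 ws-01 fronted-edge.example 443
"""


def parse_log(text):
    """Parse the constructed log format into (ts, src, dst) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        records.append((int(parts[0]), parts[1], parts[2]))
    return records


def interval_cv(timestamps):
    """Coefficient of variation (stdev / mean) of gaps between connections.

    Returns None with fewer than three connections, since two gaps are the
    minimum for a spread to mean anything. Values near 0 indicate clockwork
    regularity; interactive traffic usually scores well above 0.5.
    """
    ts = sorted(timestamps)
    if len(ts) < 3:
        return None
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    if avg == 0:
        return None
    return pstdev(gaps) / avg


def destination_rarity(records):
    """Map each destination to the number of distinct sources contacting it."""
    sources = defaultdict(set)
    for _, src, dst in records:
        sources[dst].add(src)
    return {dst: len(s) for dst, s in sources.items()}


def find_beacons(records, max_cv=0.2, min_count=6, max_sources=1):
    """Flag (src, dst) pairs beaconing regularly to a rarely-contacted destination.

    min_count avoids scoring a handful of coincidental connections,
    max_sources encodes destination rarity, max_cv encodes regularity.
    """
    per_pair = defaultdict(list)
    for ts, src, dst in records:
        per_pair[(src, dst)].append(ts)
    rarity = destination_rarity(records)
    hits = []
    for (src, dst), times in per_pair.items():
        if len(times) < min_count or rarity[dst] > max_sources:
            continue
        cv = interval_cv(times)
        if cv is None or cv > max_cv:
            continue
        ts = sorted(times)
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        hits.append({"src": src, "dst": dst, "count": len(times),
                     "mean_interval": mean(gaps), "cv": round(cv, 4)})
    return sorted(hits, key=lambda h: h["cv"])


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{hit['src']} -> {hit['dst']}: {hit['count']} connections, "
              f"every ~{hit['mean_interval']:.0f}s (cv={hit['cv']})")
```

Lowering `min_count` to 3 also flags ws-02's three evenly spaced calls to cdn.example, which is why a minimum sample size belongs in the rule: regularity alone, over a few connections, is cheap to produce by accident. In production the same logic would run over flow or proxy records and use a much longer baseline for destination rarity than one short log.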
Internal movement and collection
- Lateral movement and reconnaissance: When BRICKSTORM relays RDP or SMB traffic and pivots with valid credentials, detections such as SMB Account Scan and Kerberos Account Scan alert on credential misuse and suspicious internal probing.
- Staging and collection: Bulk access to repositories, code bases, or file shares triggers Data Gathering detections. This shines a light on attackers preparing material for exfiltration before data loss occurs.
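Both behaviours in this list reduce to one question: did a single source touch an unusual number of distinct values of some field (account names for an account scan, share paths for data gathering) inside a short window? The script below is an added example, not Vectra's detection logic, showing one sliding-window detector applied to both cases over constructed events. Host names, account names and share paths are placeholders.

```python
"""Sliding-window detection of account scanning and bulk collection.

Added example, not Vectra's code. The same detector serves an
SMB/Kerberos account-scan check (many distinct accounts from one source)
and a data-gathering check (many distinct shares from one source). Event
data, host names, account names and share paths are constructed.
"""
from collections import defaultdict

WINDOW_SECONDS = 300


def distinct_burst(events, key, window=WINDOW_SECONDS, threshold=5):
    """Return one alert per source whose distinct `key` values inside any
    `window`-second span reach `threshold`.

    events: dicts carrying 'ts' (epoch seconds), 'src' and `key`.
    The window slides over each source's events in time order, so five
    accounts spread across an afternoon never trigger while five in a
    minute do.
    """
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)

    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda ev: ev["ts"])
        in_window = defaultdict(int)   # key value -> occurrences inside the window
        left = 0
        best = (0, None)               # (distinct count, window end)
        for ev in evs:
            in_window[ev[key]] += 1
            # Evict events older than `window` seconds relative to this one.
            while evs[left]["ts"] < ev["ts"] - window:
                old = evs[left][key]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) > best[0]:
                best = (len(in_window), ev["ts"])
        if best[0] >= threshold:
            alerts.append({"src": src, "field": key,
                           "distinct": best[0], "window_end": best[1]})
    return alerts


# Constructed authentication events (shape of DC security logs or SMB session setups).
AUTH_EVENTS = [
    # ws-01 sweeps six accounts in 31 seconds: account-scan shape.
    {"ts": 100, "src": "ws-01", "account": "admin"},
    {"ts": 105, "src": "ws-01", "account": "svc_backup"},
    {"ts": 110, "src": "ws-01", "account": "j.doe"},
    {"ts": 118, "src": "ws-01", "account": "a.smith"},
    {"ts": 125, "src": "ws-01", "account": "it_ops"},
    {"ts": 131, "src": "ws-01", "account": "vcenter-svc"},
    # ws-02: one user logging on repeatedly, benign.
    {"ts": 90, "src": "ws-02", "account": "j.doe"},
    {"ts": 400, "src": "ws-02", "account": "j.doe"},
    {"ts": 900, "src": "ws-02", "account": "j.doe"},
    # ws-03: five accounts, but spread over more than an hour, so no alert.
    {"ts": 0, "src": "ws-03", "account": "r.lee"},
    {"ts": 1000, "src": "ws-03", "account": "m.chan"},
    {"ts": 2000, "src": "ws-03", "account": "p.nair"},
    {"ts": 3000, "src": "ws-03", "account": "k.otto"},
    {"ts": 4000, "src": "ws-03", "account": "s.ruiz"},
]

# Constructed file-share access events.
SHARE_EVENTS = [
    {"ts": 500, "src": "ws-01", "share": r"\\fs01\legal"},
    {"ts": 520, "src": "ws-01", "share": r"\\fs01\hr"},
    {"ts": 540, "src": "ws-01", "share": r"\\fs01\finance"},
    {"ts": 560, "src": "ws-01", "share": r"\\fs02\engineering"},
    {"ts": 580, "src": "ws-01", "share": r"\\fs02\source"},
    {"ts": 600, "src": "ws-01", "share": r"\\fs01\exec"},
    {"ts": 510, "src": "ws-02", "share": r"\\fs01\hr"},
    {"ts": 530, "src": "ws-02", "share": r"\\fs01\hr"},
    {"ts": 700, "src": "ws-02", "share": r"\\fs01\hr"},
]


def account_scan_alerts(events=AUTH_EVENTS):
    """Account-scan view: distinct accounts per source."""
    return distinct_burst(events, "account")


def data_gathering_alerts(events=SHARE_EVENTS):
    """Data-gathering view: distinct shares per source."""
    return distinct_burst(events, "share")


if __name__ == "__main__":
    for a in account_scan_alerts() + data_gathering_alerts():
        print(f"{a['src']}: {a['distinct']} distinct {a['field']}s within "
              f"{WINDOW_SECONDS}s (window ending t={a['window_end']})")
```

The window length is the tuning knob: widening it to 5000 seconds makes ws-03's slow sweep trip the account threshold too, which is the trade-off between catching patient operators and paging on normal help-desk behaviour. Thresholds in a real deployment should come from each source's own baseline rather than a fixed constant.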
Defense in depth
- Complementary IOC coverage: For additional defense in depth, Vectra sensors can run Suricata-based rules (SPA), including community signatures such as NVISO’s BRICKSTORM C2 rule, to supplement behavior-driven analytics.
With this multi-layered approach, SOC teams do not have to chase unique hashes or domains. Instead, they can see the behaviors that advanced adversaries cannot hide. Vectra AI correlates detections across network, identity, SaaS, and cloud, turning invisible footholds into visible threats and collapsing dwell time from months to moments.
Conclusion: Learn from BRICKSTORM
BRICKSTORM is not just another backdoor. It is a reminder that the most advanced adversaries thrive in the places traditional tools do not cover. UNC5221 survived for more than a year inside enterprise networks because it operated in blind spots, abused identity, and moved data through channels that looked legitimate.
Defenders cannot rely on indicators or static signatures when attackers change infrastructure with every victim. What matters is the ability to detect behaviors that remain consistent across campaigns, no matter how much the malware itself changes. That is exactly what the Vectra AI Platform delivers.
By closing detection gaps across network, identity, SaaS, and cloud, Vectra AI allows SOC teams to see what others miss and stop stealthy operations before they become another year-long compromise.
See how Vectra AI eliminates detection gaps. Take the self-guided demo today.