
Chinese State-Linked Hackers Used Persistent Backdoor Against Networks

U.S. and Canadian cybersecurity agencies warned that state-linked Chinese hackers deployed sophisticated malware dubbed Brickstorm to gain long-term access to government and IT systems, a threat that experts say raises the stakes for critical infrastructure security. The advisory highlights targeted exploitation of VMware vSphere environments, prompting calls for urgent patching and stronger operational controls.

Dr. Elena Rodriguez
Source: pinedacybersecurity.com

U.S. and Canadian cybersecurity agencies issued a joint advisory on December 4, 2025, saying state-linked Chinese hackers had used sophisticated malware tracked as Brickstorm to penetrate and maintain persistent access to unnamed government and information technology networks. The advisory, produced by the Cybersecurity and Infrastructure Security Agency, the National Security Agency and the Canadian Centre for Cyber Security, said the intrusions specifically targeted VMware vSphere virtualization environments and were used to steal credentials, implant persistent backdoors and create pivot points that could enable disruption or sabotage.

The agencies said one documented intrusion involved attackers maintaining access from April 2024 through at least September 3, 2025, illustrating the degree of stealth and duration these operators were able to achieve. That extended foothold gave attackers multiple opportunities to harvest credentials and move laterally through virtualized infrastructure, a technique that can transform a single compromise into widespread network control.

Broadcom and VMware acknowledged that customer environments had been impacted and urged organizations to apply available patches and tighten operational security. Google's Threat Intelligence Group has previously reported responding to intrusions linked to Brickstorm across multiple sectors, reinforcing the advisory's assessment that the campaign has reached beyond isolated targets.

U.S. officials said the advisory underscored the heightened risk to critical infrastructure when adversaries gain long-term access to foundational virtualization platforms. Virtualization is widely used to run servers and services for cloud providers, utilities, hospitals and government agencies, meaning successful exploitation can offer attackers outsized leverage over dependent systems. Beijing denied the assertions in the advisory.

Security analysts said the choice of VMware vSphere as a target is consequential because virtualization layers sit at the core of modern IT operations and can be a force multiplier for attackers. By stealing administrative credentials and implanting backdoors at the virtualization layer, intruders can persist through system updates, evade detection tools that focus on individual virtual machines and pivot to control sensitive workloads.

AI-generated illustration

The advisory also serves as a reminder of the growing overlap between espionage-grade intrusions and operations that could enable physical disruption. Persistent backdoors and credential theft are not only a means to gather intelligence; they can be staged to interfere with industrial control systems, supply chains and public services if actors choose to escalate.

For defenders, the incident signals an urgent need to prioritize patch management, multifactor authentication, credential hygiene and rigorous monitoring of virtualization management consoles. Enterprises and public agencies that rely heavily on virtualized infrastructure will need to reassess their exposure and assume that sophisticated state-linked actors will continue to probe well beyond traditional perimeters.

The disclosure adds to a broader pattern of high-consequence intrusions in recent years and is likely to prompt renewed cooperation among allied cybersecurity agencies, vendors and private-sector responders to share technical indicators and harden the systems on which much of modern society depends.
