Law firms across America are discovering a disturbing truth: while they protected their primary computers and networks with the latest cybersecurity tools, sophisticated Chinese hackers have been quietly stealing their most sensitive data through devices they never thought to secure.
Security researchers from Google and Mandiant revealed last week that a China-nexus cyber espionage group, known as UNC5221, has been using a stealthy backdoor called BRICKSTORM to infiltrate legal services, software providers, and technology companies. The campaign, which security researchers have been tracking since March 2025, has revealed that attackers maintained access to victim networks for an average of 393 days before detection. This extraordinary dwell time represents what experts are calling a sophisticated threat that has fundamentally changed how legal professionals must think about cybersecurity.
The attackers exploited an overlooked blind spot in modern law firm infrastructure: network appliances and management systems that cannot run traditional endpoint detection and response software. These devices, including VMware vCenter servers, network storage systems, and remote access appliances, became ideal hiding places for the BRICKSTORM malware. While law firms invested heavily in protecting laptops and desktops, these infrastructure components remained largely invisible to security monitoring.
According to Google Threat Intelligence Group, the sophisticated nature of this campaign extends beyond typical cyber theft. The hackers targeted specific individuals within organizations, focusing on email accounts of senior partners, system administrators, and attorneys handling matters aligned with Chinese economic and espionage interests. Google researchers assess with high confidence that targeting of legal services aims to gather information related to U.S. national security and international trade, while targeting of SaaS providers seeks access to downstream customer environments.
The timing of this revelation coincides with a broader crisis in American cybersecurity infrastructure. On October 1, 2025, the Cybersecurity Information Sharing Act expired amid a government shutdown, eliminating legal protections that encouraged private companies to share threat intelligence with federal agencies. According to cybersecurity attorneys quoted in Bloomberg Government, this expiration could complicate information-sharing arrangements and require “many more lawyers involved” in reviewing new threat intelligence agreements.
For legal professionals, the BRICKSTORM campaign exposes a fundamental security gap that traditional cybersecurity approaches have failed to address. The malware uses techniques specifically designed to evade detection, including delayed activation that waits until incident response teams have finished their investigations. One recovered BRICKSTORM sample contained a built-in delay timer that waited for a hard-coded date months in the future before beginning to beacon to its command and control domain, demonstrating the threat actor’s ability to actively monitor and rapidly adapt tactics to maintain persistence.
The legal industry’s unique vulnerability stems from its role as a connector between multiple high-value networks. When hackers compromise a law firm, they gain potential access not only to the firm’s data but also to confidential information belonging to corporate clients, government agencies, and other legal organizations. This legal supply chain effect means that a single breach can cascade across an entire network of professional relationships, amplifying the damage far beyond the initial target.
Recent data shows the broader threat landscape facing all industries is intensifying rapidly. Across all sectors, 24 percent of organizations reported being victims of a ransomware attack between April 2024 and March 2025, up from 18.6 percent the previous year—marking the first rise in three years, according to multiple cybersecurity reports. This broader trend creates additional risks for legal services, as attackers increasingly target professional service providers as a means to reach high-value clients.
The sophistication of the BRICKSTORM campaign reflects a strategic shift in how nation-state actors approach cyber espionage. Rather than launching noisy, disruptive attacks, these groups now prioritize long-term stealth access that allows continuous intelligence gathering. The Go-based backdoor offers multiple capabilities, including file manipulation, command execution, and SOCKS proxy functionality, which enables hackers to tunnel directly into internal networks and access sensitive applications.
UNC5221 consistently targets VMware vCenter and ESXi hosts, often deploying BRICKSTORM to a network appliance before pivoting to VMware systems using valid credentials likely captured by the malware. In multiple cases, the threat actor used their access to vCenter to clone Windows Server virtual machines for key systems such as Domain Controllers, SSO Identity Providers, and secret vaults, allowing them to extract files like the Active Directory Domain Services database without powering on the clone and triggering security tools.
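The clone-without-power-on technique described above leaves a trail in vCenter's own event log, and that trail is hunt-able even though the cloned machine never boots. The script below is an added example, not code from the article or from Google/Mandiant: it walks a constructed list of vCenter events, picks out clones whose source VM looks like a Domain Controller, identity provider or secret vault, and flags those clones that are never powered on (and notes whether they were quietly deleted afterwards). The event type names follow vSphere's event types (`VmClonedEvent`, `VmPoweredOnEvent`, `VmRemovedEvent`), but the record layout, the `HIGH_VALUE_HINTS` name patterns and every VM and user name are assumptions, so map your own vCenter export onto these keys.

```python
"""Flag clones of high-value VMs that are never powered on.

Added example, not code from the article or from Google/Mandiant. Event type
names mirror vSphere's, but the flat record layout below is a constructed
assumption: adapt the keys to however you export events from your vCenter.
"""

# Assumption: substrings that identify high-value VMs in this environment's naming.
HIGH_VALUE_HINTS = ("dc", "sso", "idp", "vault")

# Constructed sample events (ISO-8601 timestamps sort correctly as strings).
EVENTS = [
    {"time": "2025-03-01T02:10:00", "type": "VmClonedEvent", "sourceVm": "DC01",
     "vm": "DC01-tmp", "user": "svc-vcenter"},
    # The DC clone is deleted 30 minutes later without ever being powered on.
    {"time": "2025-03-01T02:40:00", "type": "VmRemovedEvent", "sourceVm": None,
     "vm": "DC01-tmp", "user": "svc-vcenter"},
    # A legitimate-looking clone of the vault VM that IS powered on (lab/test work).
    {"time": "2025-03-01T09:00:00", "type": "VmClonedEvent", "sourceVm": "VAULT01",
     "vm": "VAULT01-test", "user": "j.admin"},
    {"time": "2025-03-01T09:05:00", "type": "VmPoweredOnEvent", "sourceVm": None,
     "vm": "VAULT01-test", "user": "j.admin"},
    # A clone of a low-value web server; not interesting for this hunt.
    {"time": "2025-03-02T10:00:00", "type": "VmClonedEvent", "sourceVm": "WEB03",
     "vm": "WEB03-clone", "user": "j.admin"},
]


def is_high_value(vm_name):
    """True when the VM name contains one of the high-value naming hints."""
    name = vm_name.lower()
    return any(hint in name for hint in HIGH_VALUE_HINTS)


def find_dormant_clones(events):
    """Return clone events of high-value VMs whose clone never received a power-on.

    A clone that is never booted is exactly what an attacker wants when the goal is
    to lift files (such as the AD DS database) straight from the clone's disk.
    """
    ordered = sorted(events, key=lambda e: e["time"])
    powered_on = {e["vm"] for e in ordered if e["type"] == "VmPoweredOnEvent"}
    removed = {e["vm"] for e in ordered if e["type"] == "VmRemovedEvent"}

    findings = []
    for e in ordered:
        if e["type"] != "VmClonedEvent" or not is_high_value(e["sourceVm"]):
            continue
        if e["vm"] in powered_on:
            continue  # booted clones are ordinary admin work; review separately
        findings.append({
            "time": e["time"],
            "sourceVm": e["sourceVm"],
            "clone": e["vm"],
            "user": e["user"],
            "cloneRemoved": e["vm"] in removed,  # clone-then-delete is the stronger signal
        })
    return findings


if __name__ == "__main__":
    for f in find_dormant_clones(EVENTS):
        print(f"{f['time']} {f['user']} cloned {f['sourceVm']} -> {f['clone']} "
              f"(never powered on, removed={f['cloneRemoved']})")
```

The window of events you export matters: a clone made near the end of the export may simply not have been powered on yet, so treat a hit as a lead to verify against the clone's current state and the account that created it, not as proof on its own.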
“Attacks that use the BRICKSTORM backdoor are a significant threat to organizations because they evade advanced enterprise security defenses while concentrating on high-value targets. The access UNC5221 has obtained could extend beyond the victim organization to their SaaS customers or lead to the discovery of zero-day vulnerabilities,” said Charles Carmakal, CTO of Google Cloud’s Mandiant Consulting.
Legal professionals can take immediate action to defend against similar threats by conducting comprehensive audits of all network appliances and management systems that may lack traditional security monitoring. Organizations should implement network segmentation to isolate infrastructure components and deploy specialized monitoring tools capable of detecting unusual activity on devices that cannot run standard endpoint protection software. Regular vulnerability assessments of appliances from vendors such as VMware, Citrix, and other network infrastructure providers are essential, as is maintaining current patch levels across all systems.
The incident also highlights the importance of understanding the broader ecosystem of vendors, contractors, and service providers that have access to firm networks and data. Law firms must now evaluate the security posture of every technology partner and implement zero-trust architectures that assume any connected system could potentially be compromised.
A common theme across investigations is the threat actor’s interest in emails of key individuals within victim organizations. To access email mailboxes of target accounts, UNC5221 utilized Microsoft Entra ID Enterprise Applications with mail.read or full_access_as_app scopes, which enable applications to access mail in any mailbox. Organizations should follow established guidance to hunt for these techniques by enumerating Enterprise Applications with graph permissions that can read all mail and analyzing source IP addresses and user-agent strings for discrepancies.
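The hunt described in this paragraph has two halves: enumerate Enterprise Applications holding application permissions that reach every mailbox, then check each one's sign-ins for source IP and user-agent drift. The script below is an added example, not code from the article, Google or Mandiant; it runs the two steps over constructed data. The record shapes, the app IDs, IPs and user-agent strings are assumptions: in a real tenant you would export service-principal permission grants and service-principal sign-in logs from Microsoft Graph or the Entra admin center, resolve appRole GUIDs to permission names, and adapt the keys. `Mail.Read` is the Microsoft Graph application permission the article calls mail.read; `full_access_as_app` is the legacy Office 365 Exchange Online API permission.

```python
"""Hunt for Enterprise Applications that can read every mailbox and check their
sign-ins for source-IP / user-agent drift.

Added example, not code from the article or from Google/Mandiant. The data
shapes are assumptions; adapt the keys to your Graph / Entra export.
"""
from collections import Counter

# Application (app-only) permissions that reach mail in ANY mailbox.
MAIL_WIDE_SCOPES = {"Mail.Read", "Mail.ReadWrite", "full_access_as_app"}

# Constructed inventory: one record per Enterprise Application with its granted
# application permissions (already resolved from appRole GUIDs to names).
APP_PERMISSIONS = [
    {"appId": "app-hr-sync", "displayName": "HR Sync Connector",
     "resource": "Microsoft Graph", "permissions": ["User.Read.All"]},
    {"appId": "app-backup", "displayName": "Backup Agent",
     "resource": "Microsoft Graph", "permissions": ["Mail.Read", "Files.Read.All"]},
    {"appId": "app-archiver", "displayName": "Legacy Mail Archiver",
     "resource": "Office 365 Exchange Online", "permissions": ["full_access_as_app"]},
]

# Constructed service-principal sign-in events (documentation IP ranges).
SIGN_INS = [
    {"appId": "app-backup", "ip": "203.0.113.10", "userAgent": "BackupAgent/4.2"},
    {"appId": "app-backup", "ip": "203.0.113.10", "userAgent": "BackupAgent/4.2"},
    # Same app, new source address and a generic client library: worth a look.
    {"appId": "app-backup", "ip": "198.51.100.77", "userAgent": "python-requests/2.31"},
    {"appId": "app-archiver", "ip": "203.0.113.20", "userAgent": "MailArchiver/1.0"},
]


def find_mail_wide_apps(app_permissions):
    """Step 1: apps holding any permission that can read all mail."""
    return [app for app in app_permissions
            if MAIL_WIDE_SCOPES & set(app["permissions"])]


def baseline_profiles(sign_ins):
    """Per app, the most frequent (ip, userAgent) pair is taken as its expected profile."""
    counts = {}
    for s in sign_ins:
        counts.setdefault(s["appId"], Counter())[(s["ip"], s["userAgent"])] += 1
    return {app_id: c.most_common(1)[0][0] for app_id, c in counts.items()}


def find_discrepancies(sign_ins, profiles):
    """Step 2: sign-ins whose source IP or user agent differs from the app's baseline."""
    out = []
    for s in sign_ins:
        base_ip, base_ua = profiles[s["appId"]]
        if s["ip"] != base_ip or s["userAgent"] != base_ua:
            out.append(s)
    return out


def hunt(app_permissions, sign_ins):
    """Join both steps: one finding per mail-wide app, with its anomalous sign-ins."""
    profiles = baseline_profiles(sign_ins)
    deviations = find_discrepancies(sign_ins, profiles)
    findings = []
    for app in find_mail_wide_apps(app_permissions):
        findings.append({
            "appId": app["appId"],
            "displayName": app["displayName"],
            "mailScopes": sorted(MAIL_WIDE_SCOPES & set(app["permissions"])),
            "baseline": profiles.get(app["appId"]),
            "anomalousSignIns": [d for d in deviations if d["appId"] == app["appId"]],
        })
    return findings


if __name__ == "__main__":
    for f in hunt(APP_PERMISSIONS, SIGN_INS):
        print(f"{f['displayName']} ({', '.join(f['mailScopes'])}) baseline={f['baseline']}")
        for s in f["anomalousSignIns"]:
            print(f"  anomalous sign-in from {s['ip']} ua={s['userAgent']}")
```

Two points to keep in mind when running this against real data: an app that never signs in still deserves a look, because an unused mail-wide grant is pure attack surface; and a most-common-pair baseline is deliberately crude, so for apps that legitimately sign in from several egress addresses, baseline on the set of known addresses instead of the single most frequent one.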
As cybercriminals and nation-state actors continue to evolve their tactics, the legal profession faces a fundamental question about the balance between technological convenience and security. The BRICKSTORM campaign demonstrates that even sophisticated law firms with substantial cybersecurity investments remain vulnerable to patient, well-resourced adversaries who understand exactly where to look for the gaps in modern digital defenses.
Given the escalating sophistication of nation-state cyber espionage campaigns like BRICKSTORM and the role legal services play in protecting sensitive client information, should law firms be required to meet the same cybersecurity standards as financial institutions or critical infrastructure providers?
Assisted by GAI and LLM Technologies
Source: HaystackID published with permission of ComplexDiscovery OÜ