The primary malware associated with recent operations, active since March 2025, is designated BRICKSTORM. The actor's operations focus on high-value targets in the United States: legal services, Software as a Service (SaaS) providers, government, critical infrastructure, and technology firms.
The core motivation of UNC5221 remains classical cyber espionage: information theft and persistent access to sensitive data in support of strategic objectives:
- Enabling Zero-Day Development: By targeting leading technology firms and stealing valuable intellectual property (IP), the actor is generating material resources used to feed its offensive research pipeline.
- Establishing Supply Chain Control
Attack Chain
Initial Access (TA0001)
Initial access for BRICKSTORM intrusions relies on the exploitation of critical zero-day vulnerabilities in internet-facing network appliances and remote access infrastructure.
Several examples of historical breaches:
- Ivanti Connect Secure (ICS) VPN: CVE-2023-46805 (Authentication Bypass) and CVE-2024-21887 (Command Injection) were exploited from December 2023. The actor later launched a fresh campaign in March 2025 targeting another critical ICS vulnerability, CVE-2025-22457.
- Citrix/NetScaler Appliances: Zero-day exploitation of CVE-2023-4966, impacting NetScaler ADC and NetScaler Gateway appliances.
- Command and Control (C2) Infrastructure: UNC5221 utilises sophisticated infrastructure, including a network of compromised, out-of-support Cyberoam VPN appliances as domestic C2 relays.
Persistence (TA0003) and Defense Evasion (TA0005)
Persistence is established primarily through the installation of the BRICKSTORM backdoor on appliances, often embedded within startup scripts to ensure survival across restarts. To maintain access post-exploitation and further complicate forensic efforts, the threat actor employs lightweight web shells and fileless execution.
The primary defence evasion strategy focuses exclusively on Linux and BSD-based edge devices:
- In-Memory Payloads (T1055): The deployment of volatile malware (BRUSHFIRE) ensures minimal filesystem artifacts.
- Log Tampering (T1562.007): Use of SPAWNSLOTH to suppress or tamper with syslog activity on the compromised appliance in an attempt to blind security monitoring systems.
- Artefact Removal (T1070.004): UNC5221 actively removes BRICKSTORM binaries from live systems post-operation.
Credential Access (TA0006) and Privilege Escalation (TA0004)
The deployment of BRICKSTEAL on vCenter servers captures high-value credentials intended for Active Directory authentication. The tool monitors HTTP requests directed at sensitive vCenter web login Uniform Resource Identifiers (URIs), notably those associated with single sign-on flows such as /web/saml2/sso/*.
When a user attempts to log in, the filter intercepts and decodes the HTTP Basic authentication header, which frequently contains plaintext Active Directory usernames and passwords.
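As an added, defender-side example (not code from the original report or from any vendor), the following Python script audits a constructed, hypothetical access-log format for HTTP Basic credentials sent to the SSO URIs named above, and lists the affected usernames for rotation without retaining passwords. The log format, IP addresses and account names are all constructed for the sample.

```python
import base64
import binascii
import fnmatch
from typing import List, Optional

# Login URIs the report names as the ones BRICKSTEAL watches; extending this tuple with
# your own environment's SSO paths is assumed to be the analyst's job.
SENSITIVE_URI_PATTERNS = ("/web/saml2/sso/*",)


def _constructed_basic(user: str, password: str) -> str:
    """Build a Basic credential token for the constructed sample log only."""
    return base64.b64encode(f"{user}:{password}".encode()).decode()


# Constructed sample log in a hypothetical format:
#   <timestamp> <src_ip> <method> <path> auth=<Authorization header value or ->
SAMPLE_LOG = "\n".join([
    "2025-03-12T10:15:01Z 10.0.0.5 GET /ui/ auth=-",
    f"2025-03-12T10:15:04Z 10.0.0.5 POST /web/saml2/sso/acs auth=Basic {_constructed_basic('jdoe@corp.local', 'S3cret!')}",
    "2025-03-12T10:15:09Z 10.0.0.7 POST /web/saml2/sso/login auth=Bearer constructed.token.value",
    f"2025-03-12T10:16:30Z 10.0.0.9 GET /web/saml2/sso/login auth=Basic {_constructed_basic('svc-backup@corp.local', 'Hunter2')}",
    "2025-03-12T10:17:00Z 10.0.0.5 GET /web/saml2/sso/login auth=Basic bm90LWEtdmFsaWQtdG9rZW4",
])


def username_from_basic(token: str) -> Optional[str]:
    """Return only the user part of a Basic token; the password is discarded, never stored."""
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None  # malformed token: still worth a hit, but no account to name
    user, sep, _password = decoded.partition(":")
    return user if sep else None


def find_basic_auth_to_sso(log_text: str) -> List[dict]:
    """Flag requests that send HTTP Basic credentials to an SSO login URI.

    Each hit records where the exposure happened and which account needs rotation.
    """
    hits = []
    for line in log_text.splitlines():
        ts, src_ip, _method, path, auth_field = line.split(" ", 4)
        scheme, _, token = auth_field.removeprefix("auth=").partition(" ")
        if scheme != "Basic":
            continue
        if not any(fnmatch.fnmatch(path, p) for p in SENSITIVE_URI_PATTERNS):
            continue
        hits.append({"timestamp": ts, "src_ip": src_ip, "path": path,
                     "username": username_from_basic(token)})
    return hits
```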
Discovery (TA0007) and Lateral Movement (TA0008)
Once established on the appliance, UNC5221 conducts thorough internal reconnaissance:
- Network Scanning (T1046): The actor leverages legitimate utilities available on the appliance, such as nmap for port scanning and dig for DNS lookups.
- Credential-Driven Movement: Lateral movement across the network is primarily credential-driven, relying on the harvested login details from BRICKSTEAL or password vaults.
- Administrative Protocol Abuse: The actor utilises legitimate administrative protocols, such as enabling SSH on targeted appliances or using administrative interfaces, to propagate the BRICKSTORM backdoor to new hosts.
Command and Control (TA0011) and Exfiltration (TA0010)
The Command and Control (C2) phase utilises BRICKSTORM's SOCKS proxy capabilities to establish resilient, encrypted tunnels. In some cases, the actor also abuses Microsoft Entra ID Enterprise Applications that have been granted broad mail access permissions.
- Evasive C2 Protocols (T1071.001): A critical evasion technique observed is the use of DNS-over-HTTPS (DoH) for C2 communication.
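As an added example, not from the original report: detection logic over constructed proxy log records that flags any DoH use by edge appliances (which should resolve only through the internal resolver) and repeated DoH to resolvers outside an allow-list. The log schema, IP addresses and hostnames are assumptions; the public resolver names, the application/dns-message media type and the /dns-query path convention come from RFC 8484 and public resolver documentation.

```python
import json
from collections import Counter
from typing import Iterable, List, Set

# Public DoH resolvers known to the analyst. Assumed allow-list: extend it with the
# resolvers your organisation actually sanctions.
KNOWN_DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}


def is_doh_request(rec: dict) -> bool:
    """Classify one proxy record as DoH by resolver host, RFC 8484 path, or media type."""
    return (rec.get("host") in KNOWN_DOH_HOSTS
            or rec.get("path", "").startswith("/dns-query")
            or rec.get("content_type") == "application/dns-message")


def doh_alerts(records: Iterable[dict], appliance_ips: Set[str], beacon_threshold: int = 3) -> List[dict]:
    """Alert on any DoH from an edge appliance, or repeated DoH to an unsanctioned resolver."""
    counts = Counter((r["src"], r["host"]) for r in records if is_doh_request(r))
    alerts = []
    for (src, host), n in sorted(counts.items()):
        if src in appliance_ips:
            alerts.append({"src": src, "host": host, "count": n,
                           "reason": "DoH from edge appliance (internal resolver expected)"})
        elif host not in KNOWN_DOH_HOSTS and n >= beacon_threshold:
            alerts.append({"src": src, "host": host, "count": n,
                           "reason": "repeated DoH to unsanctioned resolver (possible C2 channel)"})
    return alerts


def parse_proxy_log(text: str) -> List[dict]:
    """One JSON object per line; blank lines are ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


# Constructed sample: one JSON record per line in a hypothetical proxy/TLS-inspection schema.
SAMPLE_PROXY_LOG = "\n".join(json.dumps(r) for r in [
    {"src": "10.1.1.10", "host": "cloudflare-dns.com", "method": "POST", "path": "/dns-query",
     "content_type": "application/dns-message"},
    {"src": "10.1.1.10", "host": "cloudflare-dns.com", "method": "POST", "path": "/dns-query",
     "content_type": "application/dns-message"},
    {"src": "10.1.1.10", "host": "updates.vendor.example", "method": "GET", "path": "/check.json",
     "content_type": "application/json"},
    {"src": "10.20.5.7", "host": "dns.google", "method": "GET", "path": "/resolve?name=example.com",
     "content_type": "application/json"},
] + [{"src": "10.20.5.8", "host": "relay.example", "method": "POST", "path": "/dns-query",
      "content_type": "application/dns-message"}] * 3)

# Assumed: the VPN/load-balancer appliances that must never speak DoH directly.
APPLIANCE_IPS = {"10.1.1.10", "10.1.1.11"}

if __name__ == "__main__":
    for alert in doh_alerts(parse_proxy_log(SAMPLE_PROXY_LOG), APPLIANCE_IPS):
        print(alert)
```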
Recommendations
The main recommendation remains to apply the latest vendor-provided updates for all F5 products. Validate the F5-published MD5 checksums to ensure the downloaded files have not been tampered with, and decommission all public-facing F5 devices that have reached end-of-support. Additionally, perform an audit of all credentials and keys stored or managed by F5 products and consider rotation.
Given the strategic objectives of UNC5221, immediate, proactive action is required across these primary vectors:
- Threat Model Revision: Organisations must immediately reevaluate the security threat model for all network, virtualisation, and edge appliances (VPNs, firewalls, load balancers, vCenter/ESXi).
- Forensic Review and Recovery: Due to the actor's use of anti-forensics tools (SPAWNSLOTH) and fileless implants (BRUSHFIRE), conducting live system analysis is insufficient.
- Enforce Multi-Factor Authentication (MFA) on all management interfaces, especially VMware vCenter.
- Enable and stream all BIG-IP event logs to your Security Information and Event Management (SIEM) system and configure alerts.
Resources:
https://cloud.google.com/blog/topics/threat-intelligence/brickstorm-espionage-campaign
https://github.com/mandiant/brickstorm-scanner