The US and Canada teamed up on a report on BRICKSTORM, a China-sponsored malware, just before the UK imposed sanctions on two Chinese tech companies.

On December 4, 2025, the Cybersecurity and Infrastructure Security Agency (CISA), in partnership with Canada’s Centre for Cyber Security (Cyber Centre), released a malware analysis report on BRICKSTORM. The report says the malware is being used by cyber actors sponsored by the People’s Republic of China (PRC) “for long-term persistence on victim systems”, typically in the information technology (IT) and government services sectors. These organizations were targeted through an intricate backdoor for Windows environments, VMware vCenter servers, and VMware ESXi.
The sophistication of BRICKSTORM lies in its ability to remain undetected by blending its communications with legitimate traffic, to quietly steal and manipulate files, and even to dodge disruption: the program uses self-monitoring functions to reinstall or restart itself if the malware is not running correctly. In the report, CISA explains that its information about BRICKSTORM came from analysis of samples submitted by eight different organizations, including one where CISA conducted an incident response engagement. In that case, the cyber actors accessed a web server in April 2024 and moved laterally from the web server to a domain controller and other servers, extracting cryptographic keys as they went.
In the press release, Madhu Gottumukkala, the Acting Director of CISA, emphasized the danger BRICKSTORM posed: “These state-sponsored actors are not just infiltrating networks — they are embedding themselves to enable long-term access, disruption, and potential sabotage. CISA, in close coordination with our domestic and international partners, urges every organization to treat this threat with the seriousness it demands: review the report, implement the recommended mitigations without delay, and report any suspicious activity. Cyber defense is national defense — and it starts with action.”
Alongside technical information on the BRICKSTORM samples, the report also lists key actions that federal and critical infrastructure organizations are recommended to take: use the indicators of compromise and detection signatures linked in the analysis to uncover any BRICKSTORM samples and, if the malware is discovered, “report the incident to CISA, Cyber Centre, or required authorities immediately.” The press release also suggests inventorying and monitoring network edge devices for suspicious activity, checking for proper network segmentation, and applying the Cross-Sector Cybersecurity Performance Goals.
Though the press release concludes with these suggestions, the work on BRICKSTORM is ongoing. In the malware analysis, CISA explained it was “still completing analysis to understand the malicious activity and full impact of the compromise.” CrowdStrike has released its own alert related to the malware and has identified a new China-nexus adversary to watch out for. WARP PANDA, a group with “a high level of technical sophistication, advanced operations security (OPSEC) skills, and extensive knowledge of cloud and virtual machine (VM) environments”, is believed to have deployed BRICKSTORM along with other malicious cyber tools to infiltrate several United States-based entities.
Two days after CISA and the Cyber Centre broke the news on BRICKSTORM, a spokesperson for China’s embassy in Canada responded by sidestepping and redirecting the allegations: “As we all know, the United States is the true ‘hacker empire,’ the master of cyber attacks and the greatest threat to global cybersecurity. The so-called analysis report ignores the United States’ rampant cyber attacks, while making baseless accusations against China. This is a classic case of the pot telling the cauldron it’s black, and it’s malicious. China firmly opposes it. China is a major victim of cyber attacks and has consistently and resolutely opposed and fought all forms of cyber attacks in accordance with the law, remaining firmly committed to safeguarding cyber security.”
The spokesperson also called for Canada “to immediately stop following the US lead, to stop politicizing and stigmatizing cybersecurity issues, and to stop instrumentalizing cybersecurity issues to smear China.” China’s response is reminiscent of previous incidents where they were accused of sponsoring cyber attacks on Australia and the US. The sentiment is unlikely to go away soon, especially as the United Kingdom has recently instituted sanctions on two China-based companies for malicious cyber activity.
On December 9, 2025, the UK’s National Cyber Security Centre announced sanctions on Sichuan Anxun Information Technology Co. Ltd (i-Soon) and Integrity Technology Group Incorporated (Integrity Tech). The organizations were sanctioned for “reckless and indiscriminate cyberattacks”: i-Soon for attacking more than 80 federal and private sector IT systems, and Integrity Tech for running and supporting a covert cyber network attacking UK IT systems. Australia issued a statement backing the sanctions the following day, saying “Australia shares the UK’s concern with the increasing scale and severity of malicious cyber activity, including by information security companies linked to the Chinese government.”
China has responded by condemning the sanctions, echoing its earlier calls “to stop politicizing” cybersecurity concerns. Guo Jiakun, a spokesperson for the Ministry of Foreign Affairs of China, said that “China opposes and fights hacking in accordance with the law. We also firmly oppose disinformation driven by a political agenda… We urge the UK to immediately correct its wrong approach, abandon double standards and political schemes, and work with China in a truly responsible and constructive manner to safeguard peace, stability and prosperity in cyberspace.”
While i-Soon and Integrity Tech have already been sanctioned by the US, further US cyber sanctions on China do not seem imminent. The US had planned to impose sanctions on China’s state security in the fallout of the Salt Typhoon hack, which was called the “worst telecom hack in our nation’s history”. On December 3, 2025, however, these plans were halted in order to uphold a trade deal between China and the US amid Trump’s trade war. The choice has drawn some criticism for possibly encouraging China’s cyber espionage. Perhaps more cyber sanctions can be expected as the dust settles after the trade deal that was finally reached on November 1, 2025.