Technology | Oct 28, 2025 | 9 min read

Beyond the Endpoint: Why EDR-Evading Threats Like Brickstorm Demand a Cyber Resilience Strategy

BRICKSTORM is the malware behind a sophisticated, state-sponsored espionage campaign. Technically, it is a stealthy Go-based backdoor built to run on systems where endpoint detection and response (EDR) agents are not typically installed, such as network appliances and virtualization hosts. That placement is what lets it stay invisible to endpoint tooling.

This adversary’s motivation is to establish a long-term, stealthy presence inside high-value networks to steal sensitive data and intellectual property, which in turn fuels future, broader-scale attacks.

BRICKSTORM malware was first publicly identified in April 2024, but the threat actor behind it (UNC5221) has been operating since at least 2023. Its most high-profile breach to date came to light when security vendor F5 disclosed that the actor had penetrated its BIG-IP product development environment and exfiltrated portions of the BIG-IP source code, the blueprint for F5's most critical products. The actor also took internal files detailing vulnerabilities that F5 knew about but had not yet fixed. And the dwell time was long: the actor lived in F5's environment for at least 12 months.

This raises the question: what could an adversary do with a full year of undetected access to your crown jewels?

Your Blinders Are On: How BRICKSTORM Makes "Best-in-Class" EDR Irrelevant

BRICKSTORM's success comes from taking advantage of the inherent blind spot of endpoint protection (EDR). Rather than implanting malware on your monitored servers, the threat group plants its backdoor on the virtualization platform itself and then creates or clones virtual machines that no one is watching. They operate from a staging ground inside that rogue virtual machine, which has no EDR agent, no security monitoring, and no logging. From there they can move laterally, exfiltrate data, and operate for months or years without triggering a single EDR alert.

Let's be clear: endpoint protection is doing its job. But BRICKSTORM has simply changed the rules of engagement. It isn't designed to break EDR; it's designed to operate in a domain where EDR has no visibility. Think of your EDR as the essential guards patrolling the building's floors. This attacker, however, is moving undetected through the service tunnels below. 

That means the fight has expanded to a new front, requiring a defense-in-depth approach that adds cyber resilience to your existing toolbox.

 

 

The CISO's New Mandate: Shift from Prevention to Cyber Resilience

If we accept that attackers will get in and will be invisible to endpoint tooling, the entire security paradigm must shift.

In the past, organizations were laser-focused on keeping threat actors out and took a largely prevention-focused approach. If instead you adopt an "assume breach" mindset, you need to ask yourself new questions about cyber resilience, including:

  • Is a threat actor already inside my system?

  • What did they touch? How can I investigate the blast radius, especially after 12 months of dwell time?

  • How can I find threats that my EDR cannot see?

  • How can I recover safely and quickly when I cannot trust my production environment?

True cyber security is no longer about building a taller wall. It's about your ability to withstand the punch, see the damage, and get the business back online—fast. This is Cyber Resilience, and it's built on the one thing the attackers can't hide: the data.

 

 

Rubrik Secures Your Data From the Inside Out

Rubrik from its very inception has taken an “assume breach” mindset, building solutions that help customers recover from cyber attacks and data breaches. But our solutions also give our customers the confidence to plan for inevitable attacks, fortifying their data to withstand the impact.

BRICKSTORM uses rogue VMs to mount and work on the offline virtual disks (VMDKs) of legitimate VMs. No EDR agent runs on the hypervisor or inside the attacker's invisible VM, so EDR cannot detect the compromise as it happens.

Rubrik directly counters this invisible attack by operating out-of-band—analyzing the backup snapshots of those same VMDKs, providing visibility where EDR cannot.

Here’s an overview of how Rubrik technologies can help expose (and recover from) a BRICKSTORM incursion:

Problem: EDR is blind to attacks on offline disks.

Rubrik’s solution: Detect the “invisible” with out-of-band Rubrik Data Threat Analytics.

  • Rubrik uses machine learning (Rubrik Anomaly Detection) to detect anomalies, find indicators of compromise (such as staged exfiltration data or the malware itself), and spot the symptoms of a breach that your live tools missed, such as unusual file modifications, mass deletions, and encryption activity, a key sign of ransomware.

  • Rubrik scans backup snapshots without having to restore them. Rubrik Threat Monitoring (an automated, always-on service) and Rubrik Threat Hunting (an on-demand, user-driven service) scan the backups for BRICKSTORM malware signatures using YARA rules. This can expose the compromise even if the victim VM was never powered on after it was tampered with.

Problem: You don’t know what data the rogue VM touched or stole.

Rubrik’s solution: Hit “rewind” to discover what data was impacted.

  • The Rubrik platform lets you analyze the backup data to understand data lineage: what data was touched, when it was touched, and how it changed, all in a time-series view. This turns a year-long, C-suite panic of uncertainty into a precise, actionable report.

  • After an attack is detected, Rubrik Anomaly Detection provides a blast-radius analysis, comparing snapshots over time to reveal which files were modified, encrypted, or deleted, and which new files (such as staged exfiltration archives) appeared. Note that exfiltration itself is a read and leaves no change on disk; what the snapshot comparison surfaces is the staging activity around it.

  • Rubrik can identify suspicious, un-backed-up VMs on the hypervisor that fit the attacker's profile, flagging them for investigation.

Problem: You can’t restore a compromised VM without the risk of the threat coming back.

Rubrik’s solution: Recover with confidence through immutable, surgical recovery.

  • Rubrik's backups are both air-gapped and immutable, so the attacker cannot alter them and they provide a trustworthy record for forensics. Because a long dwell time means recent snapshots may themselves contain the backdoor, threat hunting is used to pin down the last known clean point. Organizations can then perform a surgical recovery, restoring only the last known clean files or a clean version of the entire VM, ensuring the attacker is fully ejected.
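To make the two analysis steps above concrete, here is an added example in Python. It is not Rubrik code and does not use any Rubrik API; it models the underlying technique on constructed data. It (1) diffs the file manifests of two backup snapshots of the same VM disk to produce a blast-radius report, additionally flagging files whose content hash changed while the recorded mtime did not (an indicator of offline disk tampering with timestomping), (2) walks a snapshot series to find when a path first changed, and (3) reconciles a hypervisor VM inventory against the backup inventory to list VMs that have never been protected, the candidates for an attacker's rogue VM. The manifest fields, VM records and all timestamps below are assumptions made for the example.

```python
"""Added example (not Rubrik's code): out-of-band checks over backup metadata.

All manifests, hashes and VM records are constructed for illustration; the
schema (path -> sha256/size/mtime) is an assumption, not a vendor format.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class FileEntry:
    sha256: str        # content hash recorded when the snapshot was indexed
    size: int
    mtime: datetime    # modification time as stored in the guest file system


Manifest = dict[str, FileEntry]   # path -> entry, one manifest per snapshot


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


def diff_manifests(before: Manifest, after: Manifest) -> dict[str, list[str]]:
    """Blast radius between two snapshots: added, deleted and modified paths.
    'timestomped' lists modified files whose mtime did not move even though
    the content hash did, which is what an edit made via a mounted offline
    disk, followed by timestamp restoration, looks like."""
    added = sorted(set(after) - set(before))
    deleted = sorted(set(before) - set(after))
    modified, timestomped = [], []
    for path in sorted(set(before) & set(after)):
        b, a = before[path], after[path]
        if b.sha256 != a.sha256:
            modified.append(path)
            if b.mtime == a.mtime:
                timestomped.append(path)
    return {"added": added, "deleted": deleted,
            "modified": modified, "timestomped": timestomped}


def first_change(snapshots: list[tuple[datetime, Manifest]], path: str):
    """Time-series view: timestamp of the first snapshot in which `path`
    differs from the oldest (baseline) snapshot, or None if never."""
    ordered = sorted(snapshots, key=lambda s: s[0])
    baseline = ordered[0][1].get(path)
    for when, manifest in ordered[1:]:
        if manifest.get(path) != baseline:
            return when
    return None


@dataclass(frozen=True)
class VMRecord:
    name: str
    created: datetime


def unprotected_vms(hypervisor: list[VMRecord], protected: set[str]) -> list[VMRecord]:
    """VMs present on the hypervisor with no backup object at all, oldest
    first, so a long-lived unprotected VM surfaces at the top of the list."""
    return sorted((vm for vm in hypervisor if vm.name not in protected),
                  key=lambda vm: vm.created)


# ---- constructed sample data -------------------------------------------
SNAP_MAR01: Manifest = {
    "/etc/ssh/sshd_config": FileEntry("3f1a", 3200, _ts("2024-09-01T10:00:00")),
    "/opt/app/config.yml": FileEntry("9c2b", 800, _ts("2024-11-20T08:30:00")),
    "/var/lib/app/customers.db": FileEntry("77de", 52_428_800, _ts("2025-02-28T23:59:00")),
}
# Two weeks later: sshd_config rewritten but mtime preserved; an archive staged in /tmp.
SNAP_MAR15: Manifest = dict(SNAP_MAR01)
SNAP_MAR15["/etc/ssh/sshd_config"] = FileEntry("e0e0", 3310, _ts("2024-09-01T10:00:00"))
SNAP_MAR15["/tmp/.cache/export.tar.gz"] = FileEntry("5151", 48_000_000, _ts("2025-03-14T03:12:00"))
# Two more weeks: the staged archive is gone again (uploaded, then cleaned up).
SNAP_APR01: Manifest = dict(SNAP_MAR15)
del SNAP_APR01["/tmp/.cache/export.tar.gz"]

SNAPSHOTS = [(_ts("2025-03-01T02:00:00"), SNAP_MAR01),
             (_ts("2025-03-15T02:00:00"), SNAP_MAR15),
             (_ts("2025-04-01T02:00:00"), SNAP_APR01)]

HYPERVISOR_INVENTORY = [
    VMRecord("web-01", _ts("2023-05-02T09:00:00")),
    VMRecord("db-01", _ts("2023-05-02T09:05:00")),
    VMRecord("dc-01", _ts("2023-01-10T12:00:00")),
    VMRecord("vm-tmp-7b", _ts("2025-03-10T01:47:00")),   # nobody created this one
]
BACKUP_INVENTORY = {"web-01", "db-01", "dc-01"}


def run_example() -> dict:
    """Run all three checks over the constructed data and return the findings."""
    return {
        "diff_mar01_mar15": diff_manifests(SNAP_MAR01, SNAP_MAR15),
        "diff_mar01_apr01": diff_manifests(SNAP_MAR01, SNAP_APR01),
        "sshd_first_change": first_change(SNAPSHOTS, "/etc/ssh/sshd_config").isoformat(),
        "archive_first_seen": first_change(SNAPSHOTS, "/tmp/.cache/export.tar.gz").isoformat(),
        "rogue_candidates": [vm.name for vm in unprotected_vms(HYPERVISOR_INVENTORY, BACKUP_INVENTORY)],
    }


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

Two things worth noticing in the output. Diffing only the oldest and newest snapshots (`diff_mar01_apr01`) never shows the staged archive, because it appeared and was removed in between; only the full series catches it, which is why the time-series view matters more than a single before/after comparison. And the hypervisor reconciliation is deliberately dumb: a VM that has never been backed up is not proof of compromise, it is a lead to investigate, ordered oldest-first so the one that has been sitting there longest is looked at first.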

 

Don't Wait for the 12-Month-Late Alert

BRICKSTORM and UNC5221 aren't just another threat; they are a profound validation of the "assume breach" model. They have proven that an EDR-only strategy leaves a gap an adversary can live in for a year.

You can't fight an enemy you can't see. Cyber resilience shifts the focus to the one place of absolute truth: your data. It gives you the power to see what your EDR can't, investigate what production logs won't show, and recover what attackers thought they had destroyed.

Don't wait to find out you've been breached for a year. It's time for every organization to build a true cyber resilience strategy. To see the full technical breakdown of how EDR-evading threats like Brickstorm operate, set aside just a few minutes to read the latest in-depth analysis from our Rubrik Zero Labs threat research team: Unmasking the Invisible: Hunting and Defeating EDR-Evading Threats Like Brickstorm.

 
