Chinese APT UNC5221 Uses Brickstorm, Plenet, and AgentPSD to Maintain Long‑Term Access in US Microsoft 365 and MSP Environments
What Happened — The Chinese espionage group UNC5221 (also known as VerdantBamboo) deployed the Brickstorm backdoor together with two previously undocumented payloads, Plenet and AgentPSD, to infiltrate Microsoft 365 tenants and a managed services provider (MSP). The actors remained inside the victim networks for at least 18 months, using stolen SSL‑VPN credentials and a compromised pfSense firewall to pivot between the MSP and the primary organization.
Why It Matters for TPRM
- Persistent, multi‑year footholds indicate that traditional detection controls can be bypassed for extended periods.
- Compromise of an MSP creates a supply‑chain risk that can expose all downstream customers.
- Use of custom Rust‑based malware and backdoor proxying evades many cloud‑native Conditional Access policies.
Who Is Affected — Technology firms, SaaS providers, legal services, and business process outsourcers in the United States; their MSPs and cloud‑service vendors (Microsoft 365, VMware vSphere, Dell RecoverPoint, Synology NAS, pfSense firewalls).
Recommended Actions
- Review and tighten MSP contractual security clauses (MFA, least‑privilege, continuous monitoring).
- Enforce strict Conditional Access policies and monitor for anomalous backdoor traffic.
- Conduct threat hunts for Brickstorm indicators (Rust binaries, Golang variants) across cloud and on‑prem assets.
- Validate that SSL‑VPN credentials are rotated regularly and that MFA is mandatory for all privileged access.
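The third recommended action above, hunting for Go- and Rust-built binaries on cloud and on‑prem assets, can be bootstrapped with a triage scanner that inventories which executables on a filesystem were produced by those toolchains. The following Python script is an added example and is not code from the BleepingComputer report or from the researchers who track UNC5221. The marker strings it searches for are generic Go and Rust compiler fingerprints (an assumption about typical unstripped or partially stripped builds: the Go linker's `Go buildinf:` build-info magic and Go runtime symbol names; Rust's `/rustc/<hash>/library/` source paths and panic-handler strings); they are not Brickstorm indicators, which this summary does not provide. The sample files in `DEMO_SAMPLES` are constructed so the scanner can be exercised offline.

```python
import os
import sys
import tempfile
from dataclasses import dataclass

# Generic toolchain fingerprints (assumption: heuristics for unstripped or
# partially stripped builds; they identify the Go/Rust compilers, NOT Brickstorm).
# "Go buildinf:" is the magic of the build-info blob the Go linker embeds;
# "/rustc/<hash>/library/" paths and core::panicking strings are typical of Rust
# release builds unless path remapping and stripping were applied.
GO_MARKERS = (b"Go buildinf:", b"go1.", b"runtime.goexit", b"runtime.morestack")
RUST_MARKERS = (b"/rustc/", b"rust_begin_unwind", b"core::panicking", b"library/core/src/")

# Executable container magics; the heuristics apply equally to ELF (Synology,
# vSphere/ESXi, pfSense/FreeBSD), PE and Mach-O files.
EXECUTABLE_MAGICS = (
    (b"\x7fELF", "ELF"),
    (b"MZ", "PE"),
    (b"\xcf\xfa\xed\xfe", "Mach-O"),
    (b"\xca\xfe\xba\xbe", "Mach-O universal"),
)

MAX_READ = 256 * 1024 * 1024  # assumption: skip files larger than 256 MiB during triage


@dataclass
class Finding:
    path: str
    fmt: str
    toolchain: str
    markers: tuple


def detect_format(data: bytes):
    """Return the container format name for a file's leading bytes, or None."""
    for magic, name in EXECUTABLE_MAGICS:
        if data.startswith(magic):
            return name
    return None


def classify_binary(data: bytes):
    """Return (format, toolchain, matched_markers) for raw file contents.

    toolchain is 'go' or 'rust' when two or more markers match, 'possible-go' /
    'possible-rust' on a single hit, 'other' for an executable with no hits,
    and 'not-executable' for anything that is not an ELF/PE/Mach-O file.
    """
    fmt = detect_format(data)
    if fmt is None:
        return None, "not-executable", ()
    go_hits = tuple(m.decode() for m in GO_MARKERS if m in data)
    rust_hits = tuple(m.decode() for m in RUST_MARKERS if m in data)
    if len(go_hits) >= 2:
        toolchain = "go"
    elif len(rust_hits) >= 2:
        toolchain = "rust"
    elif go_hits:
        toolchain = "possible-go"
    elif rust_hits:
        toolchain = "possible-rust"
    else:
        toolchain = "other"
    return fmt, toolchain, go_hits + rust_hits


def scan_tree(root: str):
    """Walk root and return a Finding for every Go/Rust(-looking) executable."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.islink(path) or os.path.getsize(path) > MAX_READ:
                    continue
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable files are skipped, not fatal, during triage
            fmt, toolchain, markers = classify_binary(data)
            if toolchain in ("go", "rust", "possible-go", "possible-rust"):
                findings.append(Finding(os.path.relpath(path, root), fmt, toolchain, markers))
    return sorted(findings, key=lambda f: f.path)


# Constructed sample files (not real malware): minimal ELF-looking blobs carrying
# the marker strings, plus a text file that mentions a Go version but is not code.
DEMO_SAMPLES = {
    "go-like.elf": b"\x7fELF" + b"\x00" * 60 + b"\xff Go buildinf:" + b"\x00" * 16
                   + b"go1.22.1\x00runtime.goexit\x00",
    "rust-like.elf": b"\x7fELF" + b"\x00" * 60 + b"/rustc/" + b"0" * 40
                     + b"/library/core/src/option.rs\x00core::panicking::panic\x00",
    "plain.elf": b"\x7fELF" + b"\x00" * 60 + b"main\x00printf\x00",
    "notes.txt": b"go1.22.1 is mentioned here, but this is not an executable\n",
}


def demo_scan():
    """Write DEMO_SAMPLES to a temporary directory, scan it, return (path, toolchain) pairs."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, blob in DEMO_SAMPLES.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(blob)
        return [(f.path, f.toolchain) for f in scan_tree(tmp)]


if __name__ == "__main__":
    # With a directory argument, scan it; with none, run against the constructed samples.
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else demo_scan()
    for item in results:
        print(item)
```

Run it against a mounted appliance filesystem, a backup image, or an exported VM disk rather than a live production host where possible, and compare each hit with the vendor's expected software inventory: an unexpected Go or Rust executable on a firewall or NAS is a lead for deeper analysis (hashing, timeline, network behaviour), not a verdict, and a stripped or path-remapped build can evade these string heuristics entirely.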
Technical Notes — Attack vector: stolen credentials, SSL‑VPN abuse, backdoor proxying, supply‑chain compromise of MSP. Malware: Brickstorm (initial Golang, later Rust), Plenet, AgentPSD. Targets: Microsoft 365, VMware vSphere, Dell RecoverPoint for VMs, Synology NAS, pfSense firewall. No specific CVE cited. Source: BleepingComputer