Sophisticated silent cyber espionage
Imagine an adversary who doesn't just steal your secrets – they silently rewrite your systems, wait for your product launch, and then use your own code as their malware. That's sophisticated silent cyber espionage.
This signals a future where cyber security intrusions will increasingly look less like attacks, and more like hostile integrations. If your cyber security detection, business resilience, and recovery strategies don’t account for the adversaries already living inside your architecture and supply chain, you’re not just behind – you are already compromised.
A recent cyber espionage campaign, uncovered by Mandiant and tied to Chinese threat activity, is not ‘just another’ espionage operation. It represents a huge shift in statecraft behaviour, far more deadly than ransomware and designed to avoid detection. There are no reused indicators of compromise (IOCs) and no predictable signatures. Each target receives bespoke payloads, infrastructure, and tooling, hidden in the seams of your technology architecture and communicating through trusted cloud platforms.
They operate in the ether, using in-memory execution with precise anti-forensics clean-up, and leave without a trace. This renders most existing threat intelligence investments operationally irrelevant. Many victims will never know they were compromised unless they conduct deep memory forensics or observe side-channel behavioural anomalies.
More alarmingly, this threat compromises your trust architecture, not just your tech stack. It uses indirect access through your supply chain, SaaS vendors and MSSPs to reach high-value targets. This isn’t a perimeter breach – it’s a supply chain infiltration, where your trusted partner’s access becomes your exposure.
Multi-factor Authentication (MFA) won’t save you either. The threat group has exploited weak identity architectures, bypassing controls through Single Sign-On (SSO) misconfigurations, legacy systems, and forgotten test environments.
Recommendations for security teams to stay ahead of this threat
- Conduct compromise assessments that look for behavioural anomalies, identity misuse, and lateral movement across non-traditional vectors. Assume forensic traces have been wiped.
- Prioritise zero trust. Re-audit all SSO, MFA, and OAuth implementations. Find and remove your legacy and test environments.
- Map and monitor your extended supply chain. This includes vendors, trusted partners, MSSPs, and any third party with access to your systems or data. Continuous third-party ‘threat modelling’ is now operationally critical.
- Re-evaluate exfiltration detection strategies. Don’t whitelist cloud services without inspection. Use behavioural baselining to flag anomalous data flows over trusted channels.
- Implement memory forensics readiness. Ensure your incident response and recovery plans include live memory capture, especially in cloud or virtual environments where disk evidence is transient.
- Assume your environment is already compromised and hunt for patterns of long-term persistence, credential abuse, and infrastructure impersonation.
- Educate your C-suite on surviving post-compromise. The goal isn’t just to steal your data – the bad guys are positioning for future control, espionage, or infrastructure hijack.
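The behavioural baselining recommended above, as an added example that is not part of the original article: rather than whitelisting an allowed SaaS domain, each host's daily outbound volume to that domain is compared with its own history, and both never-seen host/destination pairs and volume spikes are flagged. The log format, host names and thresholds are constructed for illustration.

```python
# Added example (not from the article): baseline egress per host to an allowed SaaS domain.
import statistics
from collections import defaultdict

# Constructed proxy log lines: date, source host, destination, bytes out.
BASELINE_LOGS = """\
2024-05-01 host-a drive.google.com 1200000
2024-05-02 host-a drive.google.com 1350000
2024-05-03 host-a drive.google.com 1100000
2024-05-01 host-b drive.google.com 80000
2024-05-02 host-b drive.google.com 95000
2024-05-03 host-b drive.google.com 70000
"""
OBSERVED_LOGS = """\
2024-05-04 host-a drive.google.com 1300000
2024-05-04 host-b drive.google.com 4200000
2024-05-04 host-c drive.google.com 500000
"""

def parse_logs(text):
    """Parse 'date host destination bytes' lines into tuples."""
    rows = [line.split() for line in text.splitlines() if line.strip()]
    return [(d, h, dest, int(n)) for d, h, dest, n in rows]

def build_baseline(records):
    """Per (host, destination): mean and floored stdev of daily bytes out."""
    volumes = defaultdict(list)
    for _, host, dest, nbytes in records:
        volumes[(host, dest)].append(nbytes)
    baseline = {}
    for key, vals in volumes.items():
        mean = statistics.fmean(vals)
        sd = statistics.stdev(vals) if len(vals) > 1 else 0.0
        # Floor the spread so a flat history does not turn every change into a spike.
        baseline[key] = (mean, max(sd, 0.05 * mean, 1.0))
    return baseline

def flag_anomalies(baseline, records, k=3.0):
    """Flag never-seen host/destination pairs and volumes more than k sigma above the mean."""
    flags = []
    for date, host, dest, nbytes in records:
        if (host, dest) not in baseline:
            flags.append((date, host, dest, "new_pair", None))
            continue
        mean, sd = baseline[(host, dest)]
        z = (nbytes - mean) / sd
        if z > k:
            flags.append((date, host, dest, "volume_spike", round(z, 1)))
    return flags
```

Run against the constructed logs, host-a's slightly higher day passes, host-b's 50x jump to the same trusted domain is flagged as a spike, and host-c is flagged because it has no history with that destination at all.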
What executives should ask their CISO
CEOs should have a handle on enterprise risk for their organisation and its supply chain, and that includes increasingly complex cyber risk. It’s no longer enough to warn of potential disruption from a cyber-attack and log cyber risk in an annual report. Executives must have the courage, and make the time, to challenge security leaders for concrete answers to some of the most difficult questions that underpin business resilience today.
“Can we always detect malicious activity through our connected supply chains in a way that doesn’t rely on known malware or existing threat indicators?”
If the answer is no, you’re blind to this advanced threat.
“How are we monitoring SaaS vendors (Salesforce, Gmail, Adobe, M365 etc.) inside our trusted supply chain, and/or Managed Security Partners (MSSPs)?”
Third-party supply chain risk isn’t theoretical. It’s the new front line.
“Are we doing deep forensics and live compromise assessments?”
This is the only way to detect actors like Brickstorm once they’re in.
“Do we have real-time sensors investigating traffic to trusted cloud services like Gmail, Salesforce, or Microsoft OneDrive?”
Adversaries are hiding inside allowed, trusted traffic.
“How long would it take us to detect an espionage attack if they were already here?”
Average dwell time for espionage attacks is 400+ days. That’s over a year of invisible access.
“What assumptions are we making that these adversaries are actively exploiting?”
Good security begins with challenging internal blind spots and blindsided thinking.
“Is our identity infrastructure hardened, audited, and tested, including our test and legacy systems?”
Weak or misconfigured SSO/MFA tech and processes, both internally and in your supply chain, are often the entry point.
“What’s our plan if the attacker isn’t stealing data but using us as a launchpad?”
Many organisations don’t realise they’ve become part of a broader attack chain.
You don’t need to know how to reverse engineer malware, but you do need to understand that these actors are not just breaching your systems – they’re embedding in your business model. If you’re not actively challenging your cyber leadership to detect the silent, strategic adversary, you’re funding your own compromise.