Operation BRICKSTORM: When code becomes the target of a cyber attack and trust becomes the most expensive currency

Cyber threats have evolved from ad hoc incidents to sophisticated espionage targeting the very foundations of corporate innovation. The latest data confirms that in this new balance of power, source code security is becoming a key factor in determining sustainable market advantage.


In the classic iconography of cybercrime, the image of the attacker has evolved from the masked amateur hacker to organised crime groups paralysing hospitals for ransom. But the latest data flowing from the Google Threat Intelligence Group’s 2025 report points to the birth of a new, much more sophisticated era. It is a time when the traditional ‘bank robbery’ – understood as the theft of personal data or outright theft of funds – is giving way to deeply strategic operations. In this new threat landscape, Operation BRICKSTORM is becoming a symbol of change. The attackers are no longer interested only in the contents of the vault; their targets have become the structural plans of the building itself, the schematics of the alarm systems and the fingerprints of the guards.

Infrastructure as a soft underbelly

For years, the cyber security narrative has centred around human error. Phishing and social engineering were cited as the main infection vectors, shifting the burden of responsibility to employee training and end-user vigilance. However, 2025 brings a brutal verification of these assumptions. Of the documented ninety zero-day vulnerabilities exploited in the past year, almost half – a record 48 per cent – targeted corporate technologies directly.

Edge devices and network products have become a particular battleground; they are often a kind of ‘no-man’s land’ in modern IT architecture. These devices, although crucial to business continuity, are rarely equipped with advanced detection and response mechanisms such as EDR systems. For espionage groups, especially those linked to state decision-making centres, they have become an ideal entry point. Exploiting a security vulnerability has now become the most common path of first penetration, overtaking even stolen credentials or social engineering attacks in the statistics.

Strategic Theft: The Anatomy of a BRICKSTORM Operation

Among the many incidents recorded in the autumn of 2025, Operation BRICKSTORM stands out as heralding a new trend in industrial espionage. Attributed to Chinese state actors, the activities were not limited to the routine collection of customer data. Their targeting vector was intellectual property in its purest form: source code and proprietary software documentation.

From a business perspective, such a shift in attackers’ priorities is a wake-up call of the highest order. After all, stealing source code is not a one-off loss; it is a process that allows attackers to carry out extremely precise reverse engineering. With an insight into the software architecture, groups such as UNC3886 can identify further vulnerabilities, not yet known to anyone, for future operations. This is a mechanism for building a long-term advantage, in which the victim not only loses their unique know-how, but becomes an unwitting testing ground for the next generation of exploits.

Cascading risks and erosion of market confidence

Source code is the foundation of market valuation and a guarantor of customer confidence. BRICKSTORM incidents carry a cascading risk that extends far beyond the walls of the attacked organisation. Once a technology provider loses control of its blueprints, the threat spills over to the entire ecosystem of its customers. The attacked company becomes, in this set-up, ‘patient zero’ in an epidemic of supply chain attacks.

It is worth noting that knowledge of upcoming updates, planned functionalities or specific encryption methods contained in the software documentation allows competitors – or hostile state actors – to completely neutralise a brand’s innovative advantage. Product security thus ceases to be a mere technical issue and becomes an integral part of a market survival strategy. The loss of Intellectual Property is often irreversible, and its effects may only manifest themselves in the financial sheets after several years, when competitors manage to implement solutions based on stolen knowledge.

Commercial zero-day market

An extremely significant element of the landscape described by Google is the change in the authorship structure of attacks. For the first time in the history of observation, more zero-day vulnerabilities were attributed to commercial surveillance software providers than to classic state-sponsored groups. This phenomenon can be called the democratisation of advanced cyber defence. These entities are selling their services to both governments and private customers, drastically lowering the barrier to entry into the world of the most sophisticated hacking operations.

From the point of view of the business decision-maker, this means that the profile of the potential adversary has blurred. The threat no longer flows only from the direction of the big powers, but can be funded by any market player who decides to purchase a ready-made ‘surveillance package’. The increase in financially motivated attacks, including those leading to the use of ransomware, confirms that zero-day vulnerabilities have become a common commodity and their exploitation a standard tool in the arsenal of modern economic crime.

Beyond the limits of the fort

Since the statistics clearly show the ineffectiveness of the traditional perimeter protection approach, a redefinition of security strategy becomes necessary. Focusing on building ever-higher walls around an organisation makes no sense when almost half of all attacks hit the very foundations of these walls – that is, the network infrastructure and VPN devices.

The defence strategy should be based on deep value segmentation. Key resources, such as source code repositories, require isolation beyond standard procedures. It becomes necessary to implement a paradigm of limited trust (Zero Trust) not only at the user level, but above all at the level of machine-to-machine communication processes. Monitoring for anomalies inside the network must become a priority, because it is there, in the silence of edge devices, that attackers such as those in BRICKSTORM operations build their long-term presence.
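To make the idea of machine-to-machine Zero Trust around a source code repository concrete, the following Python illustration is added here; it is not code from the article or from Google’s report. It assumes a hypothetical repository host `git.internal.example`, invented workload identities and subnets, and a handful of constructed connection records. The policy is deny-by-default: a connection to the repository is allowed only when a known workload identity arrives from the subnet it is expected to live in; anything coming from an edge-device subnet (VPN concentrators, firewalls) is raised as an alert rather than silently dropped, and even an allowed identity is flagged when it pulls an unusual volume of data.

```python
"""
Deny-by-default access policy for a source code repository, evaluated over
constructed connection records. Added illustration, not the article's code.
All host names, identities, subnets and records below are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

REPO_HOST = "git.internal.example"  # assumed repository host name

# Machine-to-machine allowlist: each workload identity may reach the
# repository only from the subnet where that workload is deployed.
ALLOWED = {
    "ci-runner": [ip_network("10.20.0.0/24")],
    "code-scanner": [ip_network("10.30.5.0/24")],
}

# Subnets that hold edge devices (VPN appliances, perimeter firewalls).
# Such devices have no legitimate reason to talk to the repository.
EDGE_SUBNETS = [ip_network("192.0.2.0/24")]

# Allowed sessions that pull more than this many bytes from the repository
# are treated as anomalous (e.g. a workload cloning every project at once).
BULK_THRESHOLD = 500_000_000


@dataclass(frozen=True)
class Conn:
    src_ip: str
    identity: str    # workload identity presented (e.g. mTLS SAN or token subject)
    dst_host: str
    bytes_out: int   # bytes the repository sent back to the client


def decide(conn: Conn) -> str:
    """Return 'allow', 'deny' or 'alert' for one connection record."""
    if conn.dst_host != REPO_HOST:
        return "allow"  # this policy only governs the repository
    src = ip_address(conn.src_ip)
    if any(src in net for net in EDGE_SUBNETS):
        return "alert"  # an edge device reaching the crown jewels: investigate
    expected_nets = ALLOWED.get(conn.identity)
    if expected_nets and any(src in net for net in expected_nets):
        if conn.bytes_out > BULK_THRESHOLD:
            return "alert"  # known identity, abnormal volume
        return "allow"
    return "deny"  # unknown identity, or known identity from the wrong place


def review(conns):
    """Classify a batch of records; returns a list of (record, verdict)."""
    return [(c, decide(c)) for c in conns]


# Constructed sample records (not real traffic).
SAMPLE = [
    Conn("10.20.0.7", "ci-runner", REPO_HOST, 40_000_000),        # expected CI pull
    Conn("10.99.0.1", "ci-runner", REPO_HOST, 1_000_000),         # right name, wrong subnet
    Conn("192.0.2.15", "vpn-appliance", REPO_HOST, 2_000_000),    # edge device -> repo
    Conn("10.30.5.9", "code-scanner", REPO_HOST, 900_000_000),    # scanner pulling everything
    Conn("10.20.0.7", "ci-runner", "artifacts.internal.example", 5_000),  # out of scope
]

if __name__ == "__main__":
    for conn, verdict in review(SAMPLE):
        print(f"{verdict:5s}  {conn.identity:14s} {conn.src_ip:12s} -> {conn.dst_host}")
```

The point of the example is that identity alone is not enough: the second record carries a valid workload name but arrives from a subnet where that workload never runs, so it is denied, while the third record is escalated to an alert precisely because edge devices are the blind spot the article describes. In a real deployment the allowlist would be fed from the inventory of workload identities and the verdicts would go to the SIEM rather than to standard output.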

Arbitrator in the arms race

In the report described, artificial intelligence is emerging as an accelerator of activity on both sides of the barricade. Attackers are using AI to automate the process of finding vulnerabilities and scaling attacks, reducing the time between the publication of a new technology and its first exploitation to almost zero. In this context, traditional vulnerability management, based on cyclical audits, is becoming an anachronism.

The only real answer seems to be the use of AI agent-based systems that proactively and autonomously scour their own infrastructure and source code for bugs before they are spotted by an adversary. The race for security in 2026 therefore becomes largely a technological race to see who can integrate intelligent automation into their processes faster and more efficiently. The human role in this set-up is evolving from that of a security operator to a strategist who sets priorities for autonomous defence systems.
