Introduction
For more than five years, the security vendor Sophos has been in a running confrontation with Chinese state-sponsored hacking groups [10]. The groups involved, which Sophos associates with Volt Typhoon [1] [3] [4] [6] [8] [10] [12], APT31 [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12], and APT41 [4] [5] [6] [7] [11] [12], have targeted Sophos firewall appliances and other manufacturers' edge networking devices. The attacks have grown more sophisticated and more selective over the years, and they remain a persistent threat to critical infrastructure and high-value organizations worldwide.
Description
Sophos has been tracking and countering Chinese state-sponsored intrusions for over five years [3]. The activity centres on advanced persistent threat (APT) groups that target its firewall appliances, as well as edge networking devices from other manufacturers, including Fortinet [2], Cisco [3] [10], and D-Link. The groups involved include Volt Typhoon, APT31 [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12], and APT41 (also known as Winnti) [4]. Over the course of the investigation, Sophos identified distinct clusters of activity that it attributes to these groups. Since early 2020 [12], their tactics have shifted from noisy, indiscriminate attacks that converted Sophos appliances into operational relay boxes (ORBs) to targeted operations against high-value organizations and critical infrastructure, first in the Indo-Pacific region [2] [12] and South and Southeast Asia [5] [6] [7] [8] [10] [11], and later extending to Europe, the Middle East [10], and the United States [10]. Significant targets have included nuclear energy suppliers, military hospitals [5] [6] [7] [10] [11], telecommunications providers [3] [9], state security agencies [2] [12], central government organizations [2] [12], and airports [8].
Sophos traces the start of the conflict to an incident at Cyberoam, its subsidiary in India [9], where a remote access Trojan (RAT) was found on a low-privilege computer [3]. The investigation uncovered a sophisticated rootkit, Cloud Snooper, and a previously unseen technique for pivoting into cloud infrastructure through a misconfigured Amazon Web Services Systems Manager Agent [3]. Sophos assesses with high confidence that the exploits used in these attacks were shared among several Chinese state-sponsored groups [1], each with its own objectives [1], capabilities [1] [2] [3], and post-exploitation tooling [1]. Later analysis found living-off-the-land techniques, backdoored Java classes [2], memory-only Trojans [2], a previously undisclosed rootkit [2], and an experimental UEFI bootkit [2]. The campaigns relied on custom malware built to run undetected in the low-level code of the firewalls. The actors have also used botnets and bespoke malware to compromise Sophos firewalls and disrupt critical services [9].
In mid-2022 [2], the attackers shifted to highly targeted operations against specific entities [2], favouring manual execution over automation. Their operational security was notably advanced: they blocked the devices' telemetry and showed a deep understanding of the firmware architecture, reflecting a sustained commitment to the campaign [2]. The campaigns used novel exploits [6], including zero-day remote code execution and code injection vulnerabilities, together with custom malware for surveillance [7], sabotage [5] [6] [7] [11], and cyberespionage [5] [6] [7] [11]. Sophos published this analysis in response to calls from the UK's National Cyber Security Centre (NCSC) and the US Cybersecurity and Infrastructure Security Agency (CISA) for greater transparency about state-sponsored exploitation of edge network devices [1].
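The sources say only that the attackers blocked the devices' telemetry, not how they did it. Two common ways to cut a Linux-based appliance off from its vendor are pinning the vendor's telemetry or update hostnames to a sinkhole address in /etc/hosts, or adding egress firewall rules that DROP or REJECT traffic to those hosts. The following check, added here as an example and not code from Sophos or from any of the cited reports, audits a hosts file and an iptables-save rule dump against the hosts the appliance is expected to reach. The vendor hostnames, addresses, hosts file and rule lines are constructed placeholders, not real vendor endpoints.

```python
"""Check whether an edge appliance has been cut off from its vendor.

An intruder who wants a compromised device to stop reporting home can
sinkhole (or redirect) the vendor's telemetry and update hostnames in
/etc/hosts, or add egress rules that DROP or REJECT traffic to them. This
audits both against the hosts the appliance is expected to reach. The vendor
hostnames, addresses, hosts file and rule dump below are constructed.
"""
import shlex
from ipaddress import ip_address, ip_network

VENDOR_HOSTS = {                       # assumed: name -> address the device should reach
    "telemetry.vendor.example": "198.51.100.40",
    "updates.vendor.example": "198.51.100.41",
}
SINKHOLE_ADDRS = {"0.0.0.0", "127.0.0.1", "::1", "::"}
BLOCKING_TARGETS = {"DROP", "REJECT"}


def parse_hosts(text: str) -> dict:
    """Map every hostname in an /etc/hosts file to the address it is pinned to."""
    mapping = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()    # strip comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            mapping[name.lower()] = addr
    return mapping


def parse_egress_blocks(text: str) -> list:
    """Return (network, negated) for OUTPUT rules in iptables-save syntax whose
    target is DROP or REJECT. A negated match ('! -d net') blocks everything
    outside net, so the flag is kept rather than discarded."""
    blocks = []
    for line in text.splitlines():
        if not line.startswith("-A OUTPUT"):
            continue
        tokens = shlex.split(line)
        dest, negated, target = None, False, None
        for idx, tok in enumerate(tokens[:-1]):
            if tok in ("-d", "--destination"):
                dest = tokens[idx + 1]
                negated = idx > 0 and tokens[idx - 1] == "!"
            elif tok in ("-j", "--jump"):
                target = tokens[idx + 1]
        if dest and target in BLOCKING_TARGETS:
            blocks.append((ip_network(dest, strict=False), negated))
    return blocks


def check_vendor_reachability(hosts_text: str, rules_text: str) -> list:
    """Return (hostname, reason) for each vendor host that is sinkholed,
    redirected, or firewalled off."""
    findings = []
    pinned = parse_hosts(hosts_text)
    blocks = parse_egress_blocks(rules_text)
    for name, expected in VENDOR_HOSTS.items():
        mapped = pinned.get(name)
        if mapped in SINKHOLE_ADDRS:
            findings.append((name, f"sinkholed in /etc/hosts -> {mapped}"))
        elif mapped is not None and mapped != expected:
            findings.append((name, f"redirected in /etc/hosts -> {mapped}"))
        addr = ip_address(expected)
        for net, negated in blocks:
            if (addr in net) != negated:
                findings.append((name, f"egress to {expected} dropped by OUTPUT rule"))
                break
    return findings


# Constructed samples: one host sinkholed, the other firewalled off.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
# pinned by the intruder so the appliance never reaches its telemetry endpoint
0.0.0.0     telemetry.vendor.example
"""

SAMPLE_RULES = """\
-A OUTPUT -d 198.51.100.53/32 -p udp --dport 53 -j ACCEPT
-A OUTPUT -d 198.51.100.41/32 -p tcp --dport 443 -j DROP
-A OUTPUT ! -d 198.51.100.0/24 -j ACCEPT
"""

if __name__ == "__main__":
    for host, reason in check_vendor_reachability(SAMPLE_HOSTS, SAMPLE_RULES):
        print(f"{host}: {reason}")
```

On a real device the same two inputs come from /etc/hosts and `iptables-save`, and the expected addresses should come from the vendor's published endpoint list rather than a live DNS lookup, since a resolver the intruder controls would simply return the sinkhole. The check is a quick triage signal, not proof of compromise: an administrator may legitimately pin hosts, so each finding should be matched against the device's change history.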
Sophos also wants to draw attention to vulnerabilities in security appliances themselves, which can serve as entry points for attackers [10], pointing to recent exploitation of products from Ivanti [10], Fortinet [3] [10], Cisco [3] [10], and Palo Alto Networks [10]. Volt Typhoon in particular has been found inside US critical infrastructure networks [3] [9], including power grids [8], to steal sensitive information and monitor activity. The groups focus on perimeter devices, including Sophos firewalls [5] [11], and have used compromised devices as operational relay boxes (ORBs) to proxy their own traffic [5]. Small and medium-sized businesses [5] [6] [11], which form part of the supply chain of critical infrastructure [5] [11], are especially exposed because they have limited resources to defend against threats of this sophistication [5] [6].
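Both the description above and the earlier account of the 2020 campaign mention compromised appliances being turned into operational relay boxes (ORBs): the operator connects to the device and the device, moments later, opens its own connection to the real target and shuttles bytes between the two. The following heuristic, added here as an example and not code from Sophos or the cited reports, pairs inbound sessions to an appliance's WAN address with outbound sessions the appliance itself originates shortly afterwards and checks that the byte counts mirror each other. The WAN address, internal ranges, allow-listed resolver, time window and the flow records are all constructed assumptions.

```python
"""Heuristic detection of a perimeter appliance acting as a relay (ORB).

Given flow records in which the appliance's self-originated traffic is
distinguishable from NATed client traffic (i.e. pre-NAT flows, with clients
still carrying their internal addresses), pair each inbound session to the
WAN address with an outbound session the appliance starts within a short
window, and flag pairs whose byte counts mirror each other. All addresses
and flows below are constructed (documentation address ranges).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

WAN_IP = ip_address("203.0.113.10")                      # assumed appliance WAN address
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
EXPECTED_EGRESS = {ip_address("198.51.100.53")}          # assumed: the appliance's own resolver
WINDOW_S = 5.0        # outbound leg must begin within this many seconds of the inbound leg
BYTE_TOLERANCE = 0.25 # relative difference tolerated between mirrored byte counts


@dataclass(frozen=True)
class Flow:
    start: float      # session start, seconds
    src: str
    sport: int
    dst: str
    dport: int
    bytes_fwd: int    # bytes sent by src
    bytes_rev: int    # bytes sent back by dst


def is_internal(ip: str) -> bool:
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


def _mirrored(a: int, b: int) -> bool:
    """True if two byte counts agree within BYTE_TOLERANCE."""
    return abs(a - b) <= BYTE_TOLERANCE * max(a, b, 1)


def find_relay_pairs(flows):
    """Return (inbound, outbound) flow pairs consistent with relaying."""
    inbound = [f for f in flows
               if ip_address(f.dst) == WAN_IP and not is_internal(f.src)]
    outbound = [f for f in flows
                if ip_address(f.src) == WAN_IP and not is_internal(f.dst)
                and ip_address(f.dst) not in EXPECTED_EGRESS]
    pairs = []
    for i in inbound:
        for o in outbound:
            if o.dst == i.src:
                continue                      # talking back to the same host is not relaying
            delay = o.start - i.start
            if not 0 <= delay <= WINDOW_S:
                continue
            # Relayed traffic keeps its direction: operator->appliance bytes become
            # appliance->target bytes, and the target's replies flow back the same way.
            if _mirrored(i.bytes_fwd, o.bytes_fwd) and _mirrored(i.bytes_rev, o.bytes_rev):
                pairs.append((i, o))
    return pairs


def relay_operator_sources(flows):
    """External addresses that appear as the inbound side of a relay pair."""
    return sorted({i.src for i, _ in find_relay_pairs(flows)})


# Constructed sample flows.
SAMPLE_FLOWS = [
    # Legitimate remote admin session to the appliance: nothing follows it outbound.
    Flow(100.0, "192.0.2.77", 51000, "203.0.113.10", 443, 4000, 120000),
    # Operator connects to the appliance ...
    Flow(200.0, "192.0.2.200", 40000, "203.0.113.10", 8443, 52000, 310000),
    # ... an internal client happens to reach the same target (pre-NAT, internal source kept) ...
    Flow(200.5, "10.0.5.23", 50500, "198.51.100.20", 443, 51000, 300000),
    # ... and the appliance itself opens a mirrored session to the real target.
    Flow(200.8, "203.0.113.10", 38000, "198.51.100.20", 443, 51500, 305000),
    # Appliance's own DNS lookup to its configured resolver: allow-listed.
    Flow(201.0, "203.0.113.10", 53000, "198.51.100.53", 53, 80, 200),
    # Inbound SSH attempt then an unrelated appliance-originated session: byte counts don't match.
    Flow(225.0, "192.0.2.88", 52000, "203.0.113.10", 22, 2000, 9000),
    Flow(230.0, "203.0.113.10", 39000, "198.51.100.90", 443, 4100, 119000),
]

if __name__ == "__main__":
    for i, o in find_relay_pairs(SAMPLE_FLOWS):
        print(f"relay suspected: {i.src}:{i.sport} -> {i.dst}:{i.dport} "
              f"then {o.src}:{o.sport} -> {o.dst}:{o.dport} after {o.start - i.start:.1f}s")
```

The NAT caveat matters: if flows are exported after source NAT, every client session appears to come from the WAN address and the outbound list fills with ordinary user traffic, so the records must come from the appliance's own connection tracking or from a tap on the inside. Byte symmetry survives TLS wrapping only approximately, which is why a tolerance is used; tighten it and the window once the device's normal egress (update checks, cloud management, DNS) has been allow-listed.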
Since 2021, targeted attacks by these groups exploiting vulnerabilities in Sophos products have increased markedly [8]. In September 2022 [8], Sophos identified a campaign exploiting a vulnerability in its products [8] against military and intelligence agencies in a Southeast Asian nation [8], as well as critical infrastructure such as water utilities and electricity generation facilities [8]. A different state-sponsored group later exploited a gap in the patch for that vulnerability to target government agencies outside Asia [8], including an embassy shortly before a visit by officials of China's ruling Communist Party [8]. Further intrusions were detected at a nuclear energy regulatory agency [8], a military installation [8], and an airport [8], alongside attacks on Tibetan exiles [8]. The collaboration among these groups is believed to include vulnerability research whose findings are shared with entities linked to the Chinese government [9]. The Five Eyes alliance has reported that Volt Typhoon remained undetected on US critical infrastructure networks for at least five years [3], relying on living-off-the-land techniques [2] [3], which underscores how persistent these actors are.
Sophos X-Ops has worked to neutralize these threats and has shipped rapid hotfixes for its firewall products [11]. It notes that small and medium-sized businesses [11], integral to the critical-infrastructure supply chain [5] [11], are often the weakest link and therefore exposed to these attacks [11]. The adversaries' modus operandi relies on long-term persistence and complex, obfuscated attack strategies [11], which makes them hard to eradicate once they have gained access [11]. Sophos' "Pacific Rim" reports provide detailed findings and defensive guidance against these threats [4].
Conclusion
The persistent threat from Chinese state-sponsored hacking groups underscores the need for robust security on edge devices, which are both the defensive perimeter and a favoured point of entry. Sophos' efforts to identify and mitigate these intrusions show the value of collaboration between security vendors and government agencies. As the adversaries continue to evolve their tactics, organizations must stay vigilant and proactive in securing their networks; the course of this conflict will likely shape cybersecurity strategy and policy worldwide.
References
[1] https://www.infosecurity-magazine.com/news/sophos-chinese-hackers-stealthier/
[2] https://news.sophos.com/en-us/2024/10/31/pacific-rim-neutralizing-china-based-threat/
[3] https://www.cyberdaily.au/security/11305-sophos-reveals-5-year-war-with-chinese-state-threat-actors
[4] https://thenimblenerd.com/article/sophos-vs-chinese-hackers-the-5-year-cyber-showdown-you-didnt-see-coming/
[5] https://www.sophos.com/it-it/press/press-releases/2024/10/hunter-versus-spy-sophos-pacific-rim-report-details-its-defensive-and
[6] https://www.helpnetsecurity.com/2024/10/31/sophos-china-defensive-operation/
[7] https://www.sophos.com/en-us/content/pacific-rim
[8] https://itmagazine.com/2024/10/31/inside-the-five-year-battle-how-sophos-is-combatting-chinese-hackers-targeting-its-devices/
[9] https://www.techradar.com/pro/sophos-reveals-how-it-fought-a-network-of-dangerous-chinese-hackers-for-years
[10] https://www.wired.com/story/sophos-chengdu-china-five-year-hacker-war/
[11] https://finance.yahoo.com/news/hunter-versus-spy-sophos-pacific-125800930.html
[12] https://www.bankinfosecurity.com/sophos-discloses-half-decade-sustained-chinese-attack-a-26698