Sophos Unveils China-Based Threats In Pacific Cyber Defense
Sophos, a global leader in innovative security solutions for defeating cyberattacks, today released “Pacific Rim,” a report detailing its defensive and counter-offensive operation over the last five years with multiple interlinked nation-state adversaries based in China targeting perimeter devices, including Sophos Firewalls.
The attackers used a series of campaigns with novel exploits and customized malware to embed tools to conduct surveillance, sabotage, and cyber espionage as well as overlapping tactics, tools, and procedures [TTPs] with well-known Chinese nation-state groups including Volt Typhoon, APT31, and APT41. The adversaries targeted both small and large critical infrastructure and government targets, primarily located in South and South-East Asia, including nuclear energy suppliers, a national capital’s airport, a military hospital, state security apparatus, and central government ministries.
Throughout Pacific Rim, Sophos X-Ops, the company’s cybersecurity and threat intelligence unit, worked to neutralize the adversaries’ moves and continuously evolved defenses and counter-offensives. After Sophos successfully responded to the initial attacks, the adversaries escalated their efforts and brought in more experienced operators. Sophos subsequently uncovered a vast adversarial ecosystem.
While Sophos released details starting in 2020 on the campaigns associated, including Cloud Snooper and Asnarök, the company is sharing the overall investigation analysis to raise awareness of the persistence of Chinese nation-state adversaries and their hyperfocus to compromise perimeter, unpatched, and end-of-life [EOL] devices, often via zero-day exploits they are creating for those devices. Sophos is also encouraging all organizations to urgently apply patches for vulnerabilities discovered in any of their internet-facing devices and to migrate any older unsupported devices to current models. Sophos regularly updates all of its supported products based on new threats and indicators of compromise [IoCs] to protect customers. Sophos Firewall customers are protected via rapid hotfixes that are now turned on by default.
“The reality is that edge devices have become highly attractive targets for Chinese nation-state groups like Volt Typhoon and others as they look to build operational relay boxes [ORBs] to obfuscate and support their activity. This includes directly targeting an espionage organization or indirectly leveraging any weak points for onward attacks – essentially becoming collateral damage. Even organizations that are not targets are getting hit. Network devices designed for businesses are natural targets for these purposes – they are powerful, always on, and have constant connectivity,” said Ross McKerchar, CISO at Sophos. “When a group seeking to build a global network of ORBs targeted some of our devices, we responded by applying the same detection and response techniques we use to defend our corporate endpoints and network devices. This allowed us to burn multiple operations and tap into a valuable stream of threat intelligence that we applied to protect our customers from both future widespread attacks and highly targeted operations.”
Highlights of the Report
-
On Dec. 4, 2018, a low-privileged computer connected to an overhead display began to scan the Sophos network—seemingly on its own—at the India headquarters of Cyberoam, a company Sophos acquired in 2014. Sophos found a payload quietly listening for specialized inbound internet traffic on the computer that contained a novel type of backdoor and a complex rootkit — “Cloud Snooper.”
-
In April 2020, several organizations reported a user interface pointing to a domain with “Sophos” in its name. Sophos worked with European law enforcement, which tracked down and confiscated the server the adversaries used to deploy malicious payloads in what Sophos later dubbed Asnarök. Sophos neutralized Asnarök, which the company was able to attribute to China, by taking over the malware’s command and control [C2] channel. It also allowed Sophos to neutralize a planned wave of botnet attacks.
-
After Asnarök, Sophos advanced its intelligence operations by creating an additional threat actor tracking program focused on identifying and disrupting adversaries looking to exploit Sophos devices deployed in customer environments; the program was built using a combination of open-source intelligence, web analytics, telemetry monitoring, and targeted kernel implants deployed to the attackers’ research devices.
-
Next, the attackers showed an increasing level of persistence, up-leveling their tactics and deploying increasingly stealthy malware. However, using its threat actor tracking program and enhanced telemetry gathering capabilities, Sophos was able to pre-empt several attacks and obtain a copy of a UEFI bootkit and custom exploits before they could be deployed broadly.
-
A few months later, Sophos tracked some of the attacks to an adversary who had demonstrated links to China and Sichuan Silence Information Technology’s Double Helix Research Institute in the country’s Chengdu region.
-
In March 2022, an anonymous security researcher reported a zero-day remote code execution vulnerability, designated CVE-2022-1040, to Sophos as part of the company’s bug bounty program. Further investigation revealed that this CVE was already being exploited in the wild in multiple operations—operations that Sophos was then able to stop impacting customers. After deeper analysis, Sophos determined the person reporting the exploit may have had a connection to the adversaries. This was the second time Sophos received a suspiciously timed “tip” about an exploit before it was used maliciously.
“Recent advisories from CISA have made it clear that Chinese nation-state groups have become a perennial threat to nations’ critical infrastructure,” McKerchar continued. “What we tend to forget is that small- and medium-sized businesses—those that form the bulk of the supply chain for critical infrastructure—are targets since they are often the weak links in this supply chain. Unfortunately, these businesses often have fewer resources to defend against such sophisticated threats. Further complicating matters is the tendency for these adversaries to gain a foothold and dig in, making it hard to evict them. The modus operandi of China-based adversaries is creating long-term persistence and complex obfuscated attacks. They won’t stop until they’re disrupted.”
Industry Quotes About Sophos’ Pacific Rim Report
“Through the JCDC, CISA obtains and shares crucial intelligence on the cybersecurity challenges we face, including the advanced tactics and techniques used by the People’s Republic of China [PRC] state-sponsored cyber actors. The expertise of partners like Sophos and reports like its Pacific Rim report provides the global cyber community with more insights into the PRC’s evolving behaviors. By working side-by-side, we are helping cyber defenders understand the scale and widespread exploitation of edge network devices and implement mitigation strategies,” said Jeff Greene, executive assistant director for cybersecurity at CISA. “CISA continues to highlight how classes of vulnerabilities, including SQL injections and memory safety vulnerabilities, continue to be exploited en masse. We urge software manufacturers to review our Secure by Design resources and, as Sophos has done in this case, put its principles into practice. We encourage others to take the pledge and to review our alerts on how to eliminate common classes of defects.”
“Many cybersecurity vendors conduct adversarial research operations, but few can successfully do so against such a challenging set of nation-state adversaries for such a long period,” said Eric Parizo, managing principal analyst with the cybersecurity research group at Omdia. “Sophos made the most of a highly unique opportunity, and it should be lauded for delivering research and tactical takeaways that will help better defend its customers now and well into the future.”
“At NCSC-NL, one of our tasks is to share information and connect organizations. Facilitating communication and cooperation between national and international organizations is of great importance to improve cyber resilience. We are happy to have been able to contribute to this investigation with Sophos,” said Hielke Bontius, head of operations, NCSC-NL.
Advice for Defenders
Organizations should expect all internet-facing devices to be prime targets for nation-state adversaries, especially those devices in critical infrastructure. Sophos encourages organizations to take the following actions to strengthen their security posture.
-
Minimize internet-facing services and devices when possible
-
Prioritize patching with urgency for internet-facing devices and monitor these devices
-
Enable hotfixes for edge devices to be allowed and applied automatically
-
Collaborate with law enforcement, public-private partners, and government to share and act on relevant IoCs
-
Create a plan for how your organization deals with EOL devices
“We need to work collaboratively across the public and private sector, law enforcement and governments, and the security industry, to share what we know about these adversarial operations. Targeting the very same edge devices that are deployed to protect networks is a bold and clever tactic. Organizations, channel partners, and Managed Service Providers need to understand that these devices are top targets for attackers and should ensure they are appropriately hardened, and critical patches are applied as soon as they are released. We know that attackers are actively hunting for EOL devices. Vendors play a big part here, too. They need to help customers by supporting reliable and well-tested hot fixing, making it easy to upgrade from EOL platforms, systematically refactoring or removing legacy code that can harbor lingering vulnerabilities, continuously improving secure by default designs to offload the customer burden of hardening, and monitoring the integrity of our deployed devices,” concluded McKerchar.
Read Also: Sophos Acquires SecureWorks, Promises More Products
About Soko Directory Team
Soko Directory is a Financial and Markets digital portal that tracks brands, listed firms on the NSE, SMEs and trend setters in the markets eco-system. Find us on Facebook: facebook.com/SokoDirectory and on Twitter: twitter.com/SokoDirectory
- January 2024 (238)
- February 2024 (227)
- March 2024 (190)
- April 2024 (133)
- May 2024 (157)
- June 2024 (145)
- July 2024 (136)
- August 2024 (154)
- September 2024 (212)
- October 2024 (255)
- November 2024 (196)
- December 2024 (42)
- January 2023 (182)
- February 2023 (203)
- March 2023 (322)
- April 2023 (298)
- May 2023 (268)
- June 2023 (214)
- July 2023 (212)
- August 2023 (257)
- September 2023 (237)
- October 2023 (264)
- November 2023 (286)
- December 2023 (177)
- January 2022 (293)
- February 2022 (329)
- March 2022 (358)
- April 2022 (292)
- May 2022 (271)
- June 2022 (232)
- July 2022 (278)
- August 2022 (253)
- September 2022 (246)
- October 2022 (196)
- November 2022 (232)
- December 2022 (167)
- January 2021 (182)
- February 2021 (227)
- March 2021 (325)
- April 2021 (259)
- May 2021 (285)
- June 2021 (272)
- July 2021 (277)
- August 2021 (232)
- September 2021 (271)
- October 2021 (304)
- November 2021 (364)
- December 2021 (249)
- January 2020 (272)
- February 2020 (310)
- March 2020 (390)
- April 2020 (321)
- May 2020 (335)
- June 2020 (327)
- July 2020 (333)
- August 2020 (276)
- September 2020 (214)
- October 2020 (233)
- November 2020 (242)
- December 2020 (187)
- January 2019 (251)
- February 2019 (215)
- March 2019 (283)
- April 2019 (254)
- May 2019 (269)
- June 2019 (249)
- July 2019 (335)
- August 2019 (293)
- September 2019 (306)
- October 2019 (313)
- November 2019 (362)
- December 2019 (318)
- January 2018 (291)
- February 2018 (213)
- March 2018 (275)
- April 2018 (223)
- May 2018 (235)
- June 2018 (176)
- July 2018 (256)
- August 2018 (247)
- September 2018 (255)
- October 2018 (282)
- November 2018 (282)
- December 2018 (184)
- January 2017 (183)
- February 2017 (194)
- March 2017 (207)
- April 2017 (104)
- May 2017 (169)
- June 2017 (205)
- July 2017 (189)
- August 2017 (195)
- September 2017 (186)
- October 2017 (235)
- November 2017 (253)
- December 2017 (266)
- January 2016 (164)
- February 2016 (165)
- March 2016 (189)
- April 2016 (143)
- May 2016 (245)
- June 2016 (182)
- July 2016 (271)
- August 2016 (247)
- September 2016 (233)
- October 2016 (191)
- November 2016 (243)
- December 2016 (153)
- January 2015 (1)
- February 2015 (4)
- March 2015 (164)
- April 2015 (107)
- May 2015 (116)
- June 2015 (119)
- July 2015 (145)
- August 2015 (157)
- September 2015 (186)
- October 2015 (169)
- November 2015 (173)
- December 2015 (205)
- March 2014 (2)
- March 2013 (10)
- June 2013 (1)
- March 2012 (7)
- April 2012 (15)
- May 2012 (1)
- July 2012 (1)
- August 2012 (4)
- October 2012 (2)
- November 2012 (2)
- December 2012 (1)