
Sophos Discloses Half Decade of Sustained Chinese Attack

Volt Typhoon, APT31 and APT41 Tied to Campaigns Targeting Sophos' Edge Devices

Firewall maker Sophos disclosed Thursday a half-decade's worth of efforts by multiple Chinese nation-state hacking groups to infiltrate its appliances, calling the admission a wake-up call for the cybersecurity industry.


The campaigns offer further evidence that Chinese nation-state hackers draw from a common pool of vulnerabilities, buttressing what's called the "quartermaster" theory positing that a central organization within the Chinese government disseminates exploits to multiple cyberespionage hacking groups.

Sophos dubbed its counteroffensive effort "Pacific Rim," writing that Chinese hacking groups - identified with varying levels of confidence - such as Volt Typhoon, APT31 and APT41 have penetrated Sophos firewalls with overlapping sets of tactics, tools and procedures starting in early 2020.

After a first wave of noisy and widespread but mostly thwarted attacks apparently aimed at converting Sophos appliances into operational relay boxes, Chinese hackers shifted to stealthier operations against high-value critical infrastructure targets largely located in the Indo-Pacific region. Victims included "nuclear energy suppliers and regulators, military, telecoms, state security agencies and central government."

From 2020 onwards, the groups began exploiting zero-day vulnerabilities in Sophos' products, including a remote code execution bug and a code injection vulnerability.

Targeting firewall appliances is a known nation-state tactic as hackers have exploited network edge devices' general opacity to cyber defenders, always-on status and trusted position within corporate intranets. "They are valuable assets that can be used for persistence," said Ross McKerchar, Sophos CISO.

In a September 2022 hacking incident spotted alongside Microsoft, Chinese hackers modified a Sophos device at an unnamed "large Asian financial services organization" to act as a backdoor. From there, they used sniffed credentials to pull password data from Active Directory.

Sophos first noticed a shift in Chinese attackers' focus toward network edge appliances after detecting an attack against Cyberoam, an Indian Sophos subsidiary. In 2020, the cybersecurity vendor coded a "specialized kernel implant" to deploy to devices that Sophos believed were controlled by hostile groups conducting exploit research. The implant allows Sophos to collect files and see logs without the user noticing.

Sophos identified devices used to workshop exploits apparently owned by a Chinese firm called the Sichuan Silence Information Technology. In July 2020, it uncovered a threat actor tracked inside Sophos as "TStark." Telemetry revealed early examples of malicious payloads for a buffer overflow attack on Sophos appliances that had been previously registered by a former researcher at the University of Electronic Science and Technology of China.

Sichuan Silence Information Technology and that university are both located in Chengdu, Sichuan, which is a Chinese hotspot for a burgeoning hacking industry (see: Chinese Hacking Contractor iSoon Leaks Internal Documents).

"Silicon Valley is good for tech. Shenzhen's good for hardware, and Chengdu is good if you want to be a vulnerability researcher," McKerchar told Information Security Media Group.

Exploits developed in Chengdu made their way to multiple cyberespionage groups. "They obviously had the shared knowledge of the exploit, but then after that, their TTPs would vary massively. One group would be very sophisticated, really quiet, really, really high-end. Another one would be blundering around, making lots of noise - but they used the same exploit," McKerchar said.

"Our assessment is they are likely involved in exploit development," he said of Sichuan Silence Information Technology, a company previously linked by Meta to a disinformation campaign.

A Chinese law that took effect in September 2021 requires domestic researchers to disclose vulnerabilities to the government. Multiple Western companies have concluded this requirement is paying dividends for state-connected hacking (see: Chinese State Hackers Level Up Their Abilities: CrowdStrike).

Chinese hackers nonetheless may be trying to squeeze more money out of their research than they can get by reporting it through official government channels. Sophos reported it received a bug bounty report of a critical SQL injection vulnerability just one day before a wave of attacks began that used Asnarök Trojans.

"It would not surprise me if that was a researcher who was playing both sides, who was disclosing vulnerabilities to the PRC, which is the law over there, but also trying to make some money," McKerchar said, referring to the People's Republic of China, the official name of the communist government. One complaint of Chinese hackers revealed through a February leak of internal documents from Chengdu hacking firm iSoon, he noted, was low pay.

Network Edge Devices Can't Go On Like This

McKerchar said Sophos hopes to spark "an industry-wide conversation" about network edge device hacking.

A study published in June by cybersecurity firm Rapid7 found the prevalence of large-scale attacks exploiting network devices nearly doubled last year, driven by an abundance of vulnerabilities to exploit. "We found that 36% of the widely exploited vulnerabilities we tracked occurred within network edge technology. Of those, 60% were zero-day exploits," the report said. "These technologies represent a weak spot in our collective defenses" (see: Surge in Attacks Against Edge and Infrastructure Devices).

One worrying problem among many is that after Sophos hardened its appliances against Chinese attacks, hackers turned their attention to older devices that no longer received patches.

Mid-size companies in particular are inclined to run devices past their "end of life," after support ends. New devices are expensive but software is relentlessly optimized to work on newer, faster hardware - an inexorable treadmill. "If you've got the skills to harden it in the right way, it might be better than no firewall, but if you don't, it might not," McKerchar responded when asked if companies would be better off disposing of an out-of-lifecycle firewall than keeping it connected. "I don't think you can generalize."

Badly secured firewalls are a problem for everyone, he stressed. Sophos now does more at-scale threat hunting on its devices to detect hacking patterns and is abiding by a pledge to develop products with secure design principles, he said. Opening up network devices to third-party scanning isn't a likely solution for now, since "edge devices are very bespoke; a normal EDR agent out of the box would not work on a firewall."

McKerchar added: "We really want to ignite an industry-wide conversation about the best way to collectively approach this risk, because it really becomes a systematic risk to the digital ecosystem if we don't."


About the Author

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.

David Perera

Editorial Director, News, ISMG

Perera is editorial director for news at Information Security Media Group. He previously covered privacy and data security for outlets including MLex and Politico.