CyberSecurity SEE

APT groups based in China conducted a 5-year campaign targeting Sophos firewalls

Sophos recently revealed a lengthy Chinese nation-state threat campaign that targeted its firewall products, along with the strategies used to identify and counter the attacks. The campaign, known as Pacific Rim, was unveiled through a research blog post titled “Pacific Rim: Inside the Counter-Offensive — The TTPs Used to Neutralize China-Based Threats,” which detailed Sophos X-Ops’ five-year investigation and counter-offensive against a cluster of related activity.

According to Sophos, multiple Chinese state-sponsored threat groups launched attacks on Sophos firewall appliances using botnets, specialized malware, and exploits for both zero-day vulnerabilities and previously known security flaws. The research conducted by Sophos as part of the Pacific Rim initiative involved collaboration with various cybersecurity vendors, governments, and law enforcement agencies due to the complex nature of the threats. The campaign was attributed to several Chinese state-sponsored threat groups, including APT31, APT41 (Winnti), and the infamous Volt Typhoon.

The initial signs of activity were detected in December 2018 within the headquarters of Cyberoam Technologies, a subsidiary of Sophos based in India. The attackers were observed using low-privilege computers for network scans, initially indicating unsophisticated actors. However, further analysis uncovered sophisticated tactics, such as the deployment of a previously unseen rootkit named Cloud Snooper, showcasing the adversaries’ advanced skills.

Over the course of the campaign, the threat actors shifted from widespread, indiscriminate attacks to highly targeted strikes against government agencies, critical infrastructure, research and development organizations, healthcare providers, retail, finance, military, and public-sector organizations, primarily in the Asia-Pacific region. The attackers exploited various vulnerabilities in Sophos products, including SQL injection flaws and buffer overflow vulnerabilities.

One notable aspect of the campaign was the discovery of suspicious activity linked to firewall devices registered to Chinese organizations, suggesting exploit research and development that was shared with Chinese governmental authorities. Sophos highlighted a targeted implant it deployed in 2020 to surveil suspected attacker-controlled devices in China, which shed light on China’s expanding playbook: beyond espionage, the actors were pre-positioning within critical infrastructure.

Regarding China’s intent beyond espionage, Sophos CISO Ross McKerchar emphasized that the Chinese government aims to position itself for potential disruption and chaos in critical infrastructure, not merely to steal secrets. By embedding ORBs (operational relay boxes) in compromised edge devices, attackers can mask the origin and intentions of their attacks, posing significant risks to the supply chain and critical services.

In conclusion, the Pacific Rim investigation conducted by Sophos paints a concerning picture of the evolving tactics employed by Chinese state-sponsored threat groups. The collaborative efforts of Sophos X-Ops and other stakeholders shed light on the sophistication and persistence of these threat actors, highlighting the need for stronger cybersecurity measures to protect critical infrastructure and mitigate the risks posed by such attacks.
