In a recent development, Sophos, a leading cybersecurity company, has revealed details of a defensive and counter-offensive operation it conducted over the last five years against multiple nation-state adversaries based in China. These adversaries were targeting perimeter devices, including Sophos Firewalls, in a series of espionage campaigns aimed at conducting surveillance, sabotage, and cyberespionage.
The attackers used novel exploits and customized malware to implant tooling on the compromised devices, with tactics, tools, and procedures overlapping those of well-known Chinese nation-state groups such as Volt Typhoon, APT31, and APT41. The targets of these campaigns included critical infrastructure and government entities located primarily in South and South-East Asia, among them nuclear energy suppliers, a national capital’s airport, a military hospital, state security apparatus, and central government ministries.
Sophos’s cybersecurity and threat intelligence unit, X-Ops, played a pivotal role in countering the adversaries’ moves and in continuously strengthening both its defensive and its counter-offensive measures. Despite Sophos’s success in responding to the initial attacks, the adversaries escalated their efforts by deploying more experienced operators, leading Sophos to uncover a vast adversarial ecosystem.
One of the key findings of the report is an incident at the India headquarters of Cyberoam, a company Sophos acquired in 2014, where a low-privileged computer began scanning the network, an investigation that ultimately revealed a novel backdoor and rootkit known as “Cloud Snooper.” Subsequent investigations and operations led to the exposure and neutralization of Asnarök, another malicious campaign attributed to China, allowing Sophos to thwart planned botnet attacks.
Sophos further advanced its intelligence operations by tracking the threat actors and pre-empting several attacks through enhanced telemetry-gathering capabilities. The company also collaborated with law enforcement agencies and international partners to share intelligence and mitigate the risks posed by Chinese nation-state adversaries targeting edge network devices in critical infrastructure.
The escalating sophistication and persistence of these adversaries underscore the urgent need for organizations to prioritize patching, minimize internet-facing services, enable automatic hotfixes for edge devices, and collaborate with relevant stakeholders to enhance cybersecurity defenses. Vendors are also urged to support customers in upgrading from end-of-life platforms, improving secure default designs, and monitoring device integrity to mitigate vulnerabilities and attacks.
Industry experts, including Ross McKerchar, CISO at Sophos, and Eric Parizo, managing principal analyst at Omdia, have commended Sophos for its extensive research efforts and proactive measures in defending against nation-state adversaries. The collaboration between cybersecurity companies, government agencies, and public-private partnerships is crucial in strengthening cyber resilience and safeguarding critical infrastructure from evolving threats.
Overall, the revelations from Sophos’s defensive operations serve as a stark reminder of the persistent and evolving nature of cyber threats posed by state-sponsored actors, necessitating a collective and proactive response from all stakeholders to secure digital assets and prevent potential disruptions to critical infrastructure.