For over five years, Sophos has been tracking China-based threat actors that have targeted Sophos firewalls using botnets, innovative exploits, and custom-built malware to gain unauthorized access and disrupt networks.
Through collaborative efforts with cybersecurity providers, governments, and law enforcement agencies, we have attributed specific clusters of observed activity to Volt Typhoon, APT31, and APT41/Winnti with varying levels of confidence.
Sophos X-Ops has identified with certainty an exploit analysis and improvement exercise conducted in Sichuan. Consistent with China’s vulnerability disclosure regulations, we assess that the developed exploits were subsequently shared with various state-sponsored entities, each with its own objectives, capabilities, and post-exploitation toolsets.
Sophos has identified and tracked three crucial evolving attacker tactics over the specified period.
As we foster collective resilience, we urge other vendors to follow our lead.
To effectively counter emerging threats, defenders’ detection and response methods must adapt to these evolving tactics. To help defenders, Sophos has:
Concentrating solely on Sophos firewalls would be misguided, as numerous other edge devices have also been exploited, with publicly disclosed CVEs showing how widespread the problem is.
Preliminary intrusion and reconnaissance
The sole documented attack on a Sophos facility was actually an assault on its corporate network, specifically the headquarters of Cyberoam, Sophos’ India-based subsidiary. On December 4, 2018, Sophos SecOps’ threat intelligence team identified suspicious network scanning activity emanating from a compromised system. A remote access Trojan (RAT) was detected on a low-privileged PC used to manage a wall-mounted video display in the Cyberoam offices.
While the initial probe suggested a relatively unsophisticated attacker, subsequent details revised this assessment. The intrusion involved an unprecedented, sophisticated rootkit that we codenamed …, accompanied by a pioneering tactic to pivot into cloud infrastructure by exploiting a misconfigured Amazon Web Services Systems Manager (SSM) Agent.
While we previously disclosed an assessment of the breach’s details in 2020, we did not initially link the attack to a specific entity or individual at that time.
We can confidently conclude that this was likely a nascent attempt by Chinese hackers to collect intelligence, potentially aimed at enhancing malware capabilities targeting network devices.
Mass assaults
From early 2020 through much of 2022, adversaries dedicated significant resources and effort to campaigns aimed at identifying and compromising publicly accessible network devices. The attacker rapidly leveraged a set of newly discovered and previously unexploited vulnerabilities to launch a barrage of attacks against organizations with Wide Area Network (WAN) exposure, targeting companies with publicly accessible networks. The discovered vulnerabilities granted attackers access to data stored on the device, the capability to deploy payloads from within the device’s firmware, and in certain cases, access to devices connected to the local area network (LAN) side of the system.
Sophos became aware of these noisy attacks soon after they began. Upon discovery, Sophos opted for extensive and transparent disclosure, reflected in the array of X-Ops blog posts, conference presentations, and seminars that showcased our analysis and our efforts to mitigate each threat effectively.
The report detailing the primary wave in April 2020, which we referred to as Asnarök, was published within a week of the widespread attacks beginning, and was subsequently updated as the actor behind those assaults shifted their attack pattern.
Sophos conducted targeted outreach to organisations with outdated systems, cautioning them about the risks of automated botnet attacks on their publicly exposed devices even though they were not subscribed to security updates.
Two assaults, Asnarök and “Private Panda”, revealed connections between bug bounty researchers who responsibly disclosed vulnerabilities and the tracked adversary groups, as this report describes. With medium confidence, X-Ops has identified an analyst group centred around academic institutions in Chengdu. The group is suspected of jointly conducting vulnerability research and subsequently sharing the results with Chinese authorities, as well as with private contractors operating on behalf of the government for purposes that may be considered adversarial. Despite this, the full extent and character of those activities remain inconclusively substantiated.
A comprehensive timeline of the string of mass assaults on edge devices is available to readers.
Shifting to stealth
By mid-2022, the attacker had adapted their tactics to highly targeted, focused attacks on specific entities, including government agencies, critical infrastructure operators, research and development organizations, healthcare providers, retail, financial, and defense-related businesses, as well as public sector organizations. Recent cyberattacks have primarily employed a “live adversary” tactic, where attackers manually execute commands and run malicious software on breached devices, rather than relying heavily on automation.
Stealthy persistence techniques have evolved and been employed throughout these attacks, with several notable examples including:
- A sophisticated, highly optimized, fully-featured userland rootkit.
- The termite in-memory dropper, which allows covert communication between threat actors by employing a novel approach to exfiltration. By leveraging built-in operating system functionality and exploiting vulnerabilities within the operating system, this technique creates a hidden connection, essentially turning the target’s device into an unwitting accomplice.
- Repackaging trusted Java archives with malicious class data, which poses a significant threat to software integrity.
- A novel UEFI bootkit discovered exclusively on a controlled testing platform.
- Malicious actors obtained legitimate VPN credentials via on-device malware and via DCSync (abuse of Active Directory directory replication to retrieve credential material).
- Novel techniques for surviving firmware upgrades, extending the lifespan of the implant.
Exploitation of known CVEs, as listed above, was the primary initial vector used to deploy the malware; X-Ops also observed instances where legitimate administrative credentials from the LAN side of the system were leveraged for persistence and remote access after initial network penetration by other means.
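One of the persistence techniques listed above is repackaging a trusted Java archive with malicious class data. A practical defender check is to hash every entry of a JAR against a known-good baseline rather than trusting the archive’s own manifest, which an attacker who rewrites the archive can also rewrite. The following is an added example, not code from the Sophos report or from any product described in it; the two in-memory JARs, the entry names and their contents are constructed for illustration.

```python
import hashlib
import io
import zipfile


def jar_entry_hashes(jar_bytes: bytes) -> dict:
    """Return {entry name: sha256 hex} for every file entry in a JAR (zip) archive.

    Every entry is hashed, including META-INF/, so a rewritten manifest or
    signature file shows up as a modification instead of being trusted.
    """
    hashes = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            hashes[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return hashes


def diff_against_baseline(baseline: dict, current: dict) -> dict:
    """Compare a known-good hash manifest with the archive currently on disk."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            name for name in baseline.keys() & current.keys()
            if baseline[name] != current[name]
        ),
    }


def build_jar(entries: dict) -> bytes:
    """Constructed helper: build an in-memory zip from {entry name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample archives. The "trusted" one stands in for the vendor build
# whose hashes were recorded at install time; the "tampered" one keeps the same
# manifest text but carries one altered class and one extra class.
TRUSTED_JAR = build_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\nMain-Class: com.example.Main\n",
    "com/example/Main.class": b"\xca\xfe\xba\xbe MAIN v1",
    "com/example/Handler.class": b"\xca\xfe\xba\xbe HANDLER v1",
})

TAMPERED_JAR = build_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\nMain-Class: com.example.Main\n",
    "com/example/Main.class": b"\xca\xfe\xba\xbe MAIN v1",
    "com/example/Handler.class": b"\xca\xfe\xba\xbe HANDLER v1 + injected",  # modified
    "com/example/Backdoor.class": b"\xca\xfe\xba\xbe BACKDOOR",              # added
})


def audit_sample() -> dict:
    """Record the baseline from the trusted archive, then audit the tampered one."""
    baseline = jar_entry_hashes(TRUSTED_JAR)
    return diff_against_baseline(baseline, jar_entry_hashes(TAMPERED_JAR))


if __name__ == "__main__":
    report = audit_sample()
    for kind in ("added", "removed", "modified"):
        for name in report[kind]:
            print(f"{kind:9s} {name}")
```

In deployment the baseline dictionary would be recorded from the vendor-supplied archive at install time and stored outside the device’s writable filesystem; a non-empty `added` or `modified` set on a JAR that has not been legitimately updated is the signal to escalate. Where the archive is signed, `jarsigner -verify` is the stronger check, but the hash diff above also catches unsigned archives and entries outside the signed set.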
Enhancements in OPSEC
Throughout the duration of the campaigns, the actors demonstrated increasing proficiency in concealing their activities by actively blocking telemetry transmissions to Sophos, thereby evading early detection.
As early as April 2020, attackers attempted to subvert the hotfix capabilities of devices they had already exploited. Later, the attackers focused on disabling the telemetry of their tools to prevent Sophos from gaining early notice of their activities.
When the actors discovered that Sophos X-Ops was collecting telemetry from their own test devices, they blocked this capability.
As the exploitation techniques evolved, so did the operational security practices of the exploit developers. As a result of X-Ops’ previous encounters, the scope for leveraging open-source intelligence against them has been severely curtailed, necessitating a reassessment of our strategies.
Conclusions
For more than five years, malevolent actors have consistently perpetrated these relentless attacks. As part of our ongoing efforts, we’re providing a glimpse into our investigative process, which will unfold over time, while ensuring that our work does not impede or jeopardize active law enforcement investigations.
The adversaries appear to be highly resourceful individuals with a deep understanding of the system’s firmware architecture, exhibiting exceptional knowledge of its inner workings. In a disturbing display of persistent malicious intent, the attacks showcased in this analysis demonstrate a level of commitment rarely witnessed throughout Sophos’ nearly four decades of operation as a reputable cybersecurity entity.
Sophos X-Ops is more than willing to partner with others and share in-depth IOCs on an as-needed basis. If you have any questions or would like more information about our products and services, please do not hesitate to contact us at pacific_rim@sophos.com.
Please visit our website’s landing page for the full story.
Acknowledgments
Sophos recognizes the valuable contributions of ANSSI, Barracuda, Bugcrowd, CERT-In, CISA, Cisco Talos, Digital Shadows (now part of Reliaquest), FBI, Fortinet, JCDC, Mandiant, Microsoft, NCA, NHCTU, NCSC-NL, NCSC-UK, NSA, Palo Alto Networks, Recorded Future, Secureworks, and Volexity to this report or investigations related to it.