Sophos has released a report detailing a years-long game of cat and mouse between attacks and defensive operations involving multiple state-backed Chinese cybercrime groups. The focal point of the attacks was on cyber security perimeter devices, including Sophos firewalls. The attackers leveraged a series of campaigns featuring novel exploits and custom malware to embed instruments for surveillance, sabotage, and cyber espionage, which overlapped with tactics, techniques, and procedures (TTPs) employed by known Chinese state-sponsored groups such as APT31 and APT41. The adversaries primarily targeted critical infrastructure and government objectives in South- and Southeast Asia, including nuclear energy suppliers, a state capital’s airport, a military hospital, the state security apparatus, and central ministries.
Across the entire Pacific region, Sophos X-Ops, the cybersecurity and menace intelligence department of the company, worked tirelessly to neutralize enemy movements while continuously developing defense and counteroffensive strategies. After successfully countering initial attacks, the adversaries intensified their efforts and brought in more experienced operators to bolster their operations. As the subsequent dispute unfolded, Sophos discovered a massive, adversary cybercrime ecosystem.
While Sophos has repeatedly published details on individual campaigns from the attack waves since 2020, including and , the company now shares its comprehensive analysis of the past five years to raise awareness about the and their absolute focus on compromising unpatched or end-of-life devices in the network perimeter; often via Zero-Day exploits specifically designed for these devices. Sophos urges all organizations to prioritise patching vulnerabilities found in their web-connected devices with utmost urgency, as well as migrating older, unsupported devices to current models. Sophos regularly updates all supported products based on new threats and indicators of compromise (IoCs) to safeguard customers. Sophos firewall customers are protected by rapid hot fixes that are enabled by default.
According to Ross McKerchar, Sophos’ Chief Information Security Officer, today’s reality is that devices at the network perimeter have become extremely attractive targets for Chinese national-state groups like Volt Storm and others. Attackers conceal and facilitate their attacks through operational relay containers, utilizing compromised Internet of Things devices as examples. At the heart of these activities lies direct espionage or the exploitation of vulnerabilities to launch future attacks with devastating consequences, as organizations originally not targeted are also affected. For businesses, developed network devices are particularly attractive targets for these purposes – they are high-performance, always active and equipped with constant connectivity. As a group aiming to construct a global ORB network, some of our devices were targeted by others. In response, we employed the same recognition and reaction techniques that we use to safeguard our corporate endpoints and network devices. This enabled us to halt the proceedings and access valuable threat intelligence that we leveraged to safeguard our customers.
“Citing the US Cybersecurity and Infrastructure Safety Agency, McKerchar notes that Chinese state-backed groups have become a persistent threat to critical infrastructure across many nations.” What we often forget is that small and medium-sized enterprises, particularly those comprising the majority of the supply chain for critical infrastructure, are targets because they frequently represent the weakest links within this business system. Unfortunately, these organizations often have fewer resources to defend themselves against such complex threats. Moreover, the current adversaries tend to insinuate themselves into systems and operate stealthily within the network. The difficulty lies in detecting and eliminating them – and they won’t stop until they’re interrupted.
Cybersecurity assessments align with Jeff Greene’s perspective as CISA Government Assistant Director for Cybersecurity: “Through the Joint Cyber Protection Collaborative, CISA receives and shares crucial insights into the cybersecurity challenges we face, including advanced tactics and techniques employed by state-sponsored cyber actors.” The domain expertise of partners like Sophos and reports such as Pacific Rim provides the global cybersecurity community with greater insights into the evolving behavioral patterns in the People’s Republic of China. By working side by side, we help cyber defenders understand the scope and widespread exploitation of edge network devices and implement countermeasures. The Computer Emergency Response Team (CERT) continues to warn that certain vulnerability groups, including SQL injections and storage vulnerabilities, remain extensively exploited on a large scale. We urgently call on software developers to harness our Safe-by-Design resources and implement these principles consistently, as exemplified by Sophos’s commitment to this approach.
Companies should anticipate that all devices connected to the web will be prime targets for national adversaries, particularly those in critical infrastructure sectors. To bolster their security posture, Sophos recommends that companies take the following steps:
- Reduce internet-based services and devices to a minimum as possible.
- Prioritize patches for devices connected to the web and monitor these with urgency.
- Enable automatic updates for Edge devices, allowing hotfixes to be accepted and applied seamlessly.
- Develop a comprehensive strategy for handling end-of-life equipment within your organization to ensure responsible and sustainable disposal practices, minimize environmental impact, and maintain compliance with relevant regulations and industry standards.
- Collaborate with law enforcement agencies, public and private partners, as well as government entities to exchange and respond to relevant indicators of compromise (IoCs).
We must collaborate with the public and private sectors, law enforcement agencies, governments, and the security industry to share our knowledge on these hostile operations. Attackers cleverly target perimeter devices designed to safeguard networks. Organisations, partners, and managed service suppliers must be aware that these devices are primary targets for attackers and should ensure they are properly secured, with critical patches applied as soon as they become available. In reality, attackers actively seek out EOL devices. Service providers also play a significant role here. You must assist customers by reliably supporting tested hotfixes, simplify the end-of-life platform upgrade process, systematically refactor or retire legacy code that harbors lingering vulnerabilities, and continuously improve standard secure designs to ensure the integrity of deployed devices is maintained.
The comprehensive report on the Pacific Rim’s rich history, replete with particulars and pivotal milestones, can be found under…
