British security software firm Sophos has revealed that it has been in a digital war with Chinese state-sponsored hackers for over five years.
According to a series of Sophos reports it calls Pacific Rim, Chinese advanced persistent threats (APTs) have increasingly targeted edge networking devices from well-known manufacturers including Fortinet, D-Link, Netgear, Cisco, Check Point and, of course, Sophos, among others.
“For more than five years, Sophos has been investigating multiple China-based groups targeting Sophos firewalls, with botnets, novel exploits, and bespoke malware,” said Sophos.
“With assistance from other cyber security vendors, governments, and law enforcement agencies, we have been able to, with varying levels of confidence, attribute specific clusters of observed activity to Volt Typhoon, APT31 and APT41/Winnti.”
The threat groups aim to exploit defects in the devices to deploy malware payloads, allowing them to exfiltrate credentials, monitor communications or use them as proxy servers for relay attacks.
Sophos said its war with the Chinese APTs began after a 2018 attack on Cyberoam, its Indian subsidiary, which was when its researchers first started investigating how attackers were infiltrating network devices.
“On December 4, 2018, analysts on the Sophos SecOps team detected that device performing network scans. A remote access Trojan (RAT) was identified on a low-privilege computer used to drive a wall-mounted video display in the Cyberoam offices,” said Sophos.
“While an initial investigation found malware that suggested a relatively unsophisticated actor, further details changed that assessment. The intrusion included a previously unseen, large, and complex rootkit we dubbed Cloud Snooper, as well as a novel technique to pivot into cloud infrastructure by leveraging a misconfigured Amazon Web Services Systems Manager Agent (SSM Agent).”
From that point on, Sophos said, threat actors began developing exploits for zero-day vulnerabilities in edge devices, which were then shared with the Chinese government and its state-sponsored actors, as well as with vendors.
Sophos said that over the last five years, it has tracked “three key evolving attacker behaviours”, which involve a move to stealthier operations instead of “noisy widespread attacks”, the increased use of living-off-the-land techniques and other persistent stealth techniques and OPSEC improvements such as “sabotaging firewall telemetry collection, impacting detection and response capability, and hampering OSINT research via a reduced digital footprint”.
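The third behaviour above, sabotaging firewall telemetry collection, has a simple defensive counterpart: an appliance that goes quiet while the rest of the fleet keeps reporting is itself a signal. The following is an added example written for this article, not code from Sophos or from the Pacific Rim reports; the device names, timestamps and the five-minute reporting interval are constructed assumptions.

```python
"""Flag firewall appliances whose telemetry has stopped arriving.

Added example, not Sophos code. Assumes every appliance normally sends
telemetry at least once per `expected_interval`. A device that misses several
intervals while its peers keep reporting is a candidate for sabotaged or
disabled telemetry and should be pulled for manual inspection. If every
device is silent at once, the collector itself is the more likely culprit.
"""
from datetime import datetime, timedelta

# Constructed sample records: (device_id, ISO-8601 timestamp of received telemetry).
# fw-edge-02 stops reporting at 09:20 while the other two keep going.
SAMPLE_TELEMETRY = [
    ("fw-edge-01", "2024-10-28T09:00:00"),
    ("fw-edge-02", "2024-10-28T09:00:00"),
    ("fw-edge-03", "2024-10-28T09:02:00"),
    ("fw-edge-01", "2024-10-28T09:15:00"),
    ("fw-edge-02", "2024-10-28T09:20:00"),
    ("fw-edge-03", "2024-10-28T09:22:00"),
    ("fw-edge-01", "2024-10-28T09:35:00"),
    ("fw-edge-03", "2024-10-28T09:42:00"),
    ("fw-edge-01", "2024-10-28T09:55:00"),
    ("fw-edge-03", "2024-10-28T09:57:00"),
]


def last_seen(records):
    """Return {device_id: datetime of the most recent record for that device}."""
    seen = {}
    for device, ts in records:
        t = datetime.fromisoformat(ts)
        if device not in seen or t > seen[device]:
            seen[device] = t
    return seen


def find_silent_devices(records, now_iso, expected_interval=timedelta(minutes=5), min_missed=3):
    """Return {device_id: number of missed reporting intervals} for quiet devices.

    A device counts as silent once it has missed at least `min_missed`
    consecutive intervals, measured from its last record up to `now_iso`.
    """
    now = datetime.fromisoformat(now_iso)
    silent = {}
    for device, t in last_seen(records).items():
        missed = (now - t) // expected_interval  # timedelta // timedelta -> int
        if missed >= min_missed:
            silent[device] = missed
    return silent


def assess(records, now_iso, **kwargs):
    """Distinguish a single sabotaged appliance from a collector-wide outage."""
    silent = find_silent_devices(records, now_iso, **kwargs)
    total = len(last_seen(records))
    return {
        "silent": silent,
        # If the whole fleet went quiet together, suspect the collector first.
        "likely_collector_outage": total > 0 and len(silent) == total,
    }


if __name__ == "__main__":
    print(assess(SAMPLE_TELEMETRY, "2024-10-28T10:00:00"))
```

The gap threshold should be tuned to the real reporting cadence of each appliance model; a single missed interval is routine network jitter, whereas several in a row from one device, with its neighbours still reporting, is worth an on-device check of logging and telemetry settings.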
The Five Eyes alliance earlier this year revealed that the Chinese APT Volt Typhoon had managed to remain hidden on the IT networks of US critical infrastructure providers for at least five years using living-off-the-land techniques.
The advisory, published by the US Cybersecurity and Infrastructure Security Agency (CISA), outlined how state-sponsored hacking groups connected to the People’s Republic of China (PRC) were pre-positioning themselves on US critical infrastructure networks so that they could disrupt operations in the event of a conflict.
“CISA, NSA, FBI [as well as US critical infrastructure agencies and the Five Eyes alliance] … are releasing this advisory to warn critical infrastructure organisations about this assessment, which is based on observations from the US authoring agencies’ incident response activities at critical infrastructure organisations compromised by the PRC state-sponsored cyber group known as Volt Typhoon (also known as Vanguard Panda, BRONZE SILHOUETTE, Dev-0391, UNC3236, Voltzite, and Insidious Taurus),” the release said.