Sophos used custom implants to monitor China-linked thret actors targeting firewall zero-days in a years-long battle.
Sophos revealed a years-long “cat-and-mouse” battle with China-linked threat actors, using custom implants to track the attackers’ activities. Since 2018, Sophos has faced increasingly aggressive campaigns, including the India-based Sophos subsidiary Cyberoam, where attackers exploited a wall-mounted display for initial access.
Sophos published a series of reports named ‘Pacific Rim‘ that includes details about the operations conducted by Chinese hackers against network devices of different vendors worldwide for over 5 years.
Sophos, with the help of other cybersecurity firms, government, and law enforcement agencies investigated the cyber attacks and attributed them multiple China-linked APT groups, such as Volt Typhoon, APT31 and APT41/Winnti.
The cyber spies targeted multiple vendors, including Barracuda, Check Point, Cisco, D-Link, Fortinet, Juniper, NetGear, SonicWall, and Sophos.
The threat actors exploited vulnerabilities in networking devices used by businesses to gain a foothold by installing custom malware. Researchers observed the attackers monitoring network communications and stealing credentials from the victims.
The Chinese hackers have also ramped up the use of zero-day vulnerabilities in targeted devices. Sophos researchers suspect that many of these zero-days were identified by Chinese researchers who share them with vendors as well as the Chinese government.
“Sophos X-Ops has identified, with high confidence, exploit research and development activity being conducted in the Sichuan region.” reads the report published by Sophos. “Consistent with China’s vulnerability disclosure legislation, X-Ops assesses with high confidence that the developed exploits were then shared with multiple distinct state-sponsored frontline groups with differing objectives, capabilities, and post-exploitation tooling.”
Sophos observed three evolving tactics in China-linked threat actors:
- A shift from noisy attacks to targeted operations on critical Indo-Pacific infrastructure, including nuclear, military, and government sectors.
- Enhanced stealth techniques, such as using living-off-the-land tactics, memory-only Trojans, a multi-vendor rootkit, and an experimental UEFI bootkit.
- Improved operational security, including disrupting firewall telemetry to hinder detection and minimize their digital footprint.
The first documented attack against a Sophos facility is the one that targeted Cyberoam in 2018. Attackers deployed a remote access trojan (RAT) on a display computer, initially suggesting an unsophisticated actor. However, further investigation revealed a complex rootkit, “Cloud Snooper,” and a unique cloud pivoting technique via a misconfigured AWS SSM Agent. Sophos researchers speculate the attack was part of an intelligence-gathering campaign aimed at developing malware for network devices.
Between 2020 and 2022, attackers launched multiple campaigns to exploit zero-day vulnerabilities in publicly accessible network appliances, focusing on WAN-facing services. Successful exploitation of these vulnerabilities could allow attackers to steal sensitive data, inject firmware payloads, and even reach LAN-connected devices. Sophos identified and publicly disclosed these attacks, including campaigns like Asnarök and “Personal Panda,” while warning vulnerable organizations of the risks. Sophos also found possible links between Chinese researchers, including a research community in Chengdu, and state-sponsored actors, suggesting shared vulnerability research with vendors and Chinese government entities.
Since mid-2022, threat actors shifted to targeted, manual attacks on high-value targets like government agencies, critical infrastructure, R&D, healthcare, and finance. The attackers used stealthy techniques, they employed a custom userland rootkits, the TERMITE in-memory dropper, Trojanized Java files, and an experimental UEFI bootkit on test devices. Attackers maintained persistence through VPN credentials, Active Directory DCSYNC access, and firmware-hooking methods to survive updates. While known CVEs were commonly used for initial access, attackers also utilized valid admin credentials on LAN-facing devices for prolonged access.
The attackers behind these campaigns became increasingly sophisticated in their tactics. They actively worked to evade detection by Sophos by:
- Blocking device telemetry: This prevented Sophos from monitoring the infected devices and detecting malicious activity.
- Sabotaging hotfix mechanisms: They deliberately disrupted the update process on compromised devices, making it harder to apply security patches.
- Disabling telemetry systems: This further hindered Sophos’ ability to track their activities and identify new tactics.
- Identifying and disabling telemetry on test devices: This demonstrated a high level of technical sophistication and a keen understanding of Sophos’ detection methods.
- These actions significantly improved the attackers’ operational security, making it more difficult for Sophos to track their activities and respond to their attacks.
“Threat actors have carried out these persistent attacks for more than five years. This peek behind the curtain at our past and ongoing investigations into these attacks is the arc of a story we intend to continue telling over time, so long as it doesn’t interfere with or compromise law enforcement investigations in progress.” concludes the report. “The adversaries appear to be well-resourced, patient, creative, and unusually knowledgeable about the internal architecture of the device firmware. The attacks highlighted in this research demonstrate a level of commitment to malicious activity we have rarely seen in the nearly 40 years of Sophos’ existence as a company.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
Pierluigi Paganini
(SecurityAffairs – hacking, China-linked threat actors)