Sophos Uncovers China-Based Threats Targeting Pacific Rim Infrastructure: A Five-Year Investigation
For over five years, Sophos has been investigating multiple China-based groups targeting its firewalls, using botnets, novel exploits, and custom malware. With the assistance of other cybersecurity vendors, governments, and law enforcement agencies, Sophos has attributed specific clusters of activity to groups like Volt Typhoon, APT31, and APT41/Winnti. Sophos X-Ops has traced exploit development to Sichuan, China; those exploits were likely shared with various state-sponsored groups.
The attackers’ tactics have evolved significantly over time. Initially, they launched noisy, widespread attacks on perimeter devices, but shifted to stealthier operations against high-value targets in the Indo-Pacific region, including nuclear energy suppliers, military organizations, telecoms, and government agencies. Sophos has observed improved stealth and persistence techniques, such as living-off-the-land tactics, backdoored Java classes, memory-only Trojans, and a previously unknown rootkit. They’ve also sabotaged firewall telemetry and reduced their digital footprint to evade detection.
Sophos X-Ops has tracked the activity from December 2018 to November 2023, with notable attacks including the 2018 Cyberoam intrusion, the Asnarök and Personal Panda campaigns, and the Covert Channels and Under-the-Radar attacks. The attackers have become more skilled at hiding their activities, blocking telemetry, and improving their operational security. Sophos has provided TTPs and IOCs in the detailed timeline and outlined steps to detect and respond to attacks.
Edge devices are high-value targets for state-sponsored adversaries, who use them for initial access and persistence. Defenders should follow vendor hardening guides, enable hotfixes, and monitor vulnerability disclosures. The targeting is not limited to high-value espionage targets; threat actors use edge devices as operational relay boxes to attack other targets and obscure their origin.
Sophos X-Ops has identified three key evolving attacker behaviors:
- Shift in focus: From indiscriminate noisy attacks to stealthier operations against specific high-value and critical infrastructure targets primarily located in the Indo-Pacific region. Victim organizations include nuclear energy suppliers and regulators, military, telecoms, state security agencies, and central government.
- Evolution in stealth and persistence: Notable recent TTPs include increased use of living-off-the-land, insertion of backdoored Java classes, memory-only Trojans, a large and previously undisclosed rootkit (with design choices and artifacts indicative of cross-platform multi-vendor capability), and an early experimental version of a UEFI bootkit. Sophos believes this is the first observed instance of bootkit use specifically on a firewall.
- Threat actor OPSEC improvements: Sabotaging firewall telemetry collection, impacting detection and response capability, and hampering OSINT research via a reduced digital footprint.
In response to calls from NCSC-UK and CISA, Sophos aims to transparently highlight the scale and widespread exploitation of edge network devices by state-sponsored adversaries. The company encourages other vendors to follow its lead.
To aid defenders, Sophos has:
- Provided TTPs and IOCs in the appendix of the detailed timeline to help identify detection opportunities
- Outlined the steps it takes to detect and respond to attacks against its customers’ firewalls
- Warned that state-sponsored attackers use both zero-day and known vulnerabilities to attack edge devices
- Recommended closely following vendor device hardening guides to reduce the attack surface and limit exploitability of zero-day vulnerabilities
- Emphasized the importance of enabling hotfixes, monitoring vendor vulnerability disclosure communications, and quickly responding accordingly
- Stressed that state-sponsored targeting is not limited to high-value espionage targets
The adversaries appear to be well-resourced, patient, creative, and unusually knowledgeable about the internal architecture of the device firmware. The attacks highlighted in this research demonstrate a level of commitment to malicious activity rarely seen in Sophos’ nearly 40-year history.
Sophos X-Ops is happy to collaborate with others and share additional detailed IOCs on a case-by-case basis. The company is committed to continuing to tell this story over time, so long as it doesn’t interfere with or compromise law enforcement investigations in progress.
Citation: Sophos X-Ops. Pacific Rim: Inside the Counter-Offensive—The TTPs Used to Neutralize China-Based Threats. https://news.sophos.com/en-us/2024/10/31/pacific-rim-neutralizing-china-based-threat/