Inside the Five-Year Battle: How Sophos is Combatting Chinese Hackers Targeting Its Devices

For many years, the cybersecurity domain has grappled with a troubling reality: the very network security tools designed to shield users from spies and cybercriminals often end up being the gateways those adversaries exploit to infiltrate their intended victims. Repeatedly, weaknesses in crucial “perimeter” tools such as firewalls and VPN devices have provided entry points for crafty hackers aiming to breach the very systems those devices were supposed to protect.

Recently, a prominent cybersecurity firm has shed light on the extent and duration of its struggle against a specific group of hackers intent on exploiting its offerings. For over five years, UK-based Sophos has been involved in a prolonged game of cat-and-mouse with an interconnected collective of cyber adversaries targeting its firewalls. The firm took the initiative to track and monitor the precise devices being probed by the hackers, scrutinizing their activities and ultimately linking this extensive campaign of exploitation to a network of vulnerability researchers located in Chengdu, China.

This Thursday, Sophos shared a comprehensive account of its ongoing battle with these Chinese hackers in a report, laying out the back-and-forth conflict they have faced. In a bold move, Sophos even discreetly embedded its own monitoring tools within the hackers’ devices to anticipate their exploitation attempts. The firm’s researchers managed to acquire a piece of “bootkit” malware from the adversaries’ testing systems, which is crafted to remain hidden within the low-level boot code of firewalls—a method not previously encountered in real-world scenarios.

Throughout this endeavor, Sophos experts uncovered a sequence of hacking operations that began with broad exploitation of its products but evolved into more covert, targeted attacks. These included intrusions into nuclear energy providers, military facilities including a military hospital, telecommunications companies, government and intelligence bodies, as well as the airport serving a national capital. While the majority of affected targets—details of which Sophos chose not to disclose—were positioned in South and Southeast Asia, there were also a smaller number located in Europe, the Middle East, and the United States.

Sophos has released a report linking various hacking campaigns, which vary in confidence levels, to state-sponsored hacking groups in China, including APT41, APT31, and Volt Typhoon. The latter group is known for its aggressive tactics aimed at disrupting critical infrastructure in the US, particularly power grids. Interestingly, Sophos notes that the common thread among these hacking attempts is not one of the previously identified hacker groups, but rather a broader network of researchers who appear to have developed hacking techniques and supplied them to the Chinese government. Analysts from Sophos trace this exploit development back to an academic institute and a contractor in Chengdu, specifically Sichuan Silence Information Technology—a firm that has been previously linked by Meta to Chinese state-sponsored disinformation initiatives—and the University of Electronic Science and Technology of China.

Sophos aims to share this narrative not only to shed light on the pipeline of hacking research and development coming from China but also to address the cybersecurity industry’s hesitance in discussing the vulnerabilities in security appliances that serve as entry points for hackers. Over the past year, there have been numerous instances where security products from various vendors, including Ivanti, Fortinet, Cisco, and Palo Alto, have been exploited in widespread hacking or targeted intrusion campaigns. “This is becoming somewhat of an open secret. People are aware that this is occurring, but unfortunately, everyone is zip,” remarks Sophos’s chief information security officer, Ross McKerchar, mimicking a zipper motion across his lips. “We’re taking a different stance, striving for transparency to confront this issue directly and meet our adversaries on the battlefield.”

According to Sophos, their lengthy confrontation with Chinese hackers began in 2018 when they experienced a security breach. They discovered a malware infection on a device displaying information in the Ahmedabad office of their India-based subsidiary, Cyberoam. This particular malware raised alarms due to its intense scanning of the network. Upon closer examination, Sophos analysts uncovered that the attackers had compromised additional machines within the Cyberoam network using a more sophisticated rootkit they identified as CloudSnooper. In hindsight, the company suspects this initial breach was aimed at gathering intelligence on Sophos products, which would enable further attacks on its clientele.

In the spring of 2020, Sophos became aware of a widespread campaign that involved indiscriminately infecting tens of thousands of firewalls globally, seemingly with the intention of installing a trojan named Asnarök. This operation sought to create what are termed “operational relay boxes” or ORBs—essentially a botnet of compromised devices that hackers could leverage for additional operations. The campaign was remarkably well-funded, exploiting numerous zero-day vulnerabilities that the attackers appeared to have uncovered within Sophos appliances. Interestingly, a flaw in the malware’s cleanup operations on a subset of the affected machines inadvertently provided Sophos with insights to analyze the intrusions and begin investigating the hackers targeting its security products.

As Sophos rolled out patches for its firewalls, the team responsible for threat intelligence and incident response, dubbed X-Ops, began their mission to trace their adversaries. This effort included a “hotfix” aimed at the hackers’ infiltrations, which contained additional code designed to gather more data from users’ devices. This enhanced data collection uncovered that a solitary Sophos device, registered in February 2020 in Chengdu, displayed early signs of modifications reminiscent of the Asnarök malware. “We started to find tiny little indicators of the attack that predated any other activity,” McKerchar stated.

Through the analysis of registration data and download records for the code that Sophos provided to its customers, the X-Ops team eventually pinpointed a small number of machines they suspected were being utilized as test devices by Chinese hackers, who were probing for vulnerabilities and fine-tuning their intrusion methods prior to implementation. Some of these devices appeared to have been acquired by a Chengdu-based firm known as Sichuan Silence Information Technology. Others were linked to an individual operating under the pseudonym TStark, who X-Ops analysts discovered had a connection to the University of Electronic Science and Technology of China, also located in Chengdu.

X-Ops analysts could even monitor individuals utilizing computers and IP addresses associated with the test devices, accessing Sophos’ online resources that outlined the architecture of the firewalls. “We could see them researching us,” McKerchar remarked.

In late April 2020, Dutch authorities collaborated with Sophos to confiscate a server located in the Netherlands that Sophos had tracked as instrumental in the Asnarök infection wave. However, in June of that same year, the hackers executed yet another wave of widespread intrusions, with Sophos discovering that they had markedly simplified their malware to evade detection. Nevertheless, thanks to the expanded data collection from its devices and the intelligence gathered on the Chengdu exploit development group, Sophos was able to detect the malware and release patches for the vulnerabilities exploited by the hackers within a week, also managing to identify a “patient zero” machine where the new malware had first been tested two months earlier.

The following month, X-Ops made its boldest move thus far in combating the effort to exploit its devices. They deployed their own spy implants into the Sophos devices located in Chengdu that were under testing. This move essentially allowed them to hack the hackers, albeit through code added to some installations of their own products that the hackers had managed to obtain. According to Sophos, this preemptive surveillance enabled them to capture critical portions of the hackers’ code, preventing a third wave of attacks. They successfully caught the intrusion after only two of their customers had been affected and released a patch aimed at blocking those attacks, while cleverly obscuring the fix to avoid alerting the hackers to Sophos’ comprehensive understanding of their methods.

“During the first attack, we were on the defensive. For the second, it was a level playing field,” McKerchar states. “But with the third assault, we were proactive.”

Beginning in 2021, Sophos noted a significant rise in targeted assaults from Chinese hacker groups exploiting its products. Many of these attacks were uncovered thanks to Sophos’s monitoring of the Chengdu-based exploit development community. Over the following two years, the hackers continued to exploit vulnerabilities in Sophos appliances, launching a wide range of targeted attacks that affected numerous targets across both Asia and the West.

For example, in September 2022, Sophos identified a campaign that leveraged a vulnerability in its products. This breach affected military and intelligence agencies in a Southeast Asian nation, in addition to other critical infrastructure such as water utilities and electric generation facilities in the region. Later, Sophos reported that a different state-sponsored Chinese group seemed to have exploited a loophole in their patch for that vulnerability to attack government agencies outside Asia. Notably, one incident involved hacking an embassy just before it was scheduled to host officials from China’s ruling Communist Party. Sophos also detected breaches at another country’s nuclear energy regulatory agency, a military installation within the same nation, the capital city’s airport, and other hacking events aimed at Tibetan exiles.

“We have just unlocked a vast array of targeted activities, opening a Pandora’s Box of threat intelligence,” McKerchar reveals.

As the hackers’ tools evolved in response to Sophos’ preventative measures, the company’s X-Ops researchers encountered a novel type of malware during surveillance of a test device: a “bootkit.” This malware was designed to infiltrate the low-level code of a Sophos firewall, which initializes the device prior to loading the operating system, making it exceptionally difficult to detect. Sophos believes this is the first time such a firewall bootkit has been identified.

While X-Ops has never found that bootkit on an actual victim’s machine, Sophos CISO McKerchar suggests it may have been utilized elsewhere without detection. “We certainly tried to hunt for it, and we have some capability to do that,” McKerchar admits. “But I would be presumptuous to claim it has never been deployed in the wild.”

As Sophos has tried to understand the motivations of the Chengdu-based group of hackers who seek vulnerabilities to relay to the Chinese government, the picture has become more complex. Interestingly, researchers who identified these flaws have, on two occasions, also reported them to Sophos via its “bug bounty” program. For example, a researcher from a Chinese IP address reported the specific vulnerability exploited in a hacking campaign right after it was first used. Sophos rewarded the researcher with $20,000 for their discovery.

McKerchar highlights a strange contradiction in the role of Chengdu-based researchers who appear to be supplying intrusion techniques to Chinese state hacking groups while also providing bug bounty reports to Sophos. He suggests that this indicates the loose connections between those discovering vulnerabilities and state hackers exploiting them. “I think this is a security research community which is patriotically aligned with PRC objectives,” he states, referring to the People’s Republic of China. “However, they are not opposed to making some money on the side.”

WIRED reached out for comments regarding Sophos’s report, but contacts at the University of Electronic Science and Technology of China did not respond. Sichuan Silence Information Technology could not be contacted and seems to lack a functional website.

Dakota Cary, a researcher at the Atlantic Council—a nonpartisan think tank—points out that Sophos’ timeline detailing its fight against highly adaptable adversaries reveals how successfully China has managed to organize its security research community and channel its vulnerability discoveries to the government. Cary mentions China’s initiatives, such as hacking competitions that serve as a source of intrusion techniques for its offensive hacking operations, alongside 2021 legislation mandating researchers and companies in China to report any hackable vulnerabilities they discover.

Cary notes, “In Sophos’s document, the interconnectedness of that system becomes evident. You can see the culture of these organizations working together or competing for projects and how the government seeks to centralize the collection of vulnerabilities, subsequently distributing those tools to offensive teams. All of this is reflected in their findings.”

Sophos’ report cautions that in the latest development of its ongoing battle with Chinese hackers, there appears to be a shift from discovering new vulnerabilities in firewalls to taking advantage of aging installations of its products that no longer receive updates. According to the company’s CEO, Joe Levy, device owners must remove unsupported “end-of-life” devices, while security vendors need to clearly communicate the end-of-life timelines for these devices to prevent them from becoming unpatched entry points into their networks. Sophos has noted that over a thousand end-of-life devices have been targeted in just the past 18 months.

“The only issue now isn’t the zero-day vulnerability,” Levy explains, “zero-day” being the term for a newly identified hackable flaw in software that lacks a patch. “The issue is the 365-day vulnerability, or the 1,500-day vulnerability, where devices are online but have been neglected.”

This concern was reinforced by Jeff Greene, assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency. He highlighted the danger of Chinese hackers exploiting older, unpatched systems, and the ironic risk of network perimeter devices becoming gateways for hackers. “These edge devices often possess fundamental insecurities, they’re frequently unmanaged after deployment, and they remain unpatched,” Greene points out. “We leave behind a trail of these devices for a long time, all of which attackers are eager to compromise.”

Sophos’ Chief Information Security Officer, McKerchar, emphasized that the company is sharing its five-year struggle with the Chengdu-based hacking network to amplify these warnings and to break the silence surrounding the growing concern that security firms’ own products can introduce vulnerabilities for their clients. “Trust in the industry has significantly declined in recent years. There’s a pervasive skepticism regarding how vendors manage these risks, yet we have relied on silence,” says McKerchar. “We aim to exhibit a degree of vulnerability ourselves, acknowledge our past issues, and recount how we took action.”
