“Pacific Rim” Report: Sophos Lifts Veil on China’s Stealthy Cyber Operations

“After we successfully responded to the initial attacks, the adversaries escalated their efforts and brought in more experienced operators. We uncovered a vast adversarial ecosystem.” – Sophos

Sophos, a global leader in cybersecurity solutions, has published “Pacific Rim,” a comprehensive report detailing a five-year campaign to thwart interlinked cyberattacks orchestrated by nation-state adversaries based in China. These sophisticated attackers targeted perimeter devices, including Sophos Firewalls, leveraging novel exploits and customized malware to conduct surveillance, sabotage, and cyberespionage.

The campaigns demonstrated overlapping tactics, tools, and procedures (TTPs) with notorious Chinese nation-state groups such as Volt Typhoon, APT31, and APT41. The attacks primarily targeted critical infrastructure and government organizations across South and Southeast Asia, affecting sectors such as nuclear energy, airports, military hospitals, and central government ministries.

Countering Advanced Threats

Sophos X-Ops, the company’s cybersecurity and threat intelligence unit, led the effort to neutralize these threats, evolving defenses and counter-offensives in real-time. Despite Sophos’ initial successes, the adversaries escalated their operations, deploying more experienced operators and expanding their ecosystem of malicious activities.

While Sophos had previously reported on campaigns like Cloud Snooper and Asnarök starting in 2020, Pacific Rim provides a holistic analysis to emphasize the persistence of Chinese nation-state actors. These groups are known for exploiting perimeter vulnerabilities, particularly unpatched or end-of-life (EOL) devices, often deploying zero-day exploits to achieve their objectives.

The Rising Threat to Edge Devices

Edge devices, including firewalls and other internet-facing infrastructure, have become prime targets for these attackers. Sophos identified these devices as ideal operational relay boxes (ORBs) for obfuscating malicious activity, enabling espionage, or facilitating further attacks.

Ross McKerchar, Chief Information Security Officer at Sophos, stated:
“Edge devices are highly attractive to Chinese nation-state groups like Volt Typhoon because they are powerful, always online, and connected to critical systems. These devices are targeted both for direct attacks and as collateral damage. When our devices became targets, we applied the same robust detection and response techniques we use across all our systems. This not only helped us disrupt their operations but also provided valuable threat intelligence to protect our customers from future attacks.”

Strengthening Defenses

Sophos urges all organizations to immediately apply patches for any vulnerabilities in their internet-facing devices and to upgrade unsupported hardware to current models. To protect customers, Sophos regularly updates its supported products based on new threats and indicators of compromise (IoCs). For Sophos Firewall users, rapid hotfixes—enabled by default—ensure robust defense against emerging threats.

A Call to Action

The Pacific Rim report underscores the importance of proactive cybersecurity measures. Organizations must prioritize patch management, migrate from outdated devices, and deploy advanced detection and response solutions to guard against increasingly sophisticated threats.

As cyberattacks become more targeted and complex, Sophos remains at the forefront of innovation, working to protect businesses from evolving nation-state adversaries and their relentless pursuit of vulnerabilities in global networks.

Highlights of the Report

  • On Dec. 4, 2018, a low-privileged computer connected to an overhead display began to scan the Sophos network—seemingly on its own—at the India headquarters of Cyberoam, a company Sophos acquired in 2014. Sophos found a payload quietly listening for specialized inbound internet traffic on the computer that contained a novel type of backdoor and a complex rootkit — “Cloud Snooper.”
  • In April 2020, after several organizations reported a user interface pointing to a domain with “Sophos” in its name, Sophos worked with European law enforcement, which tracked down and confiscated the server the adversaries used to deploy malicious payloads in what Sophos later dubbed Asnarök. Sophos neutralized Asnarök, which the company was able to attribute to China, by taking over the malware’s command and control (C2) channel. This also allowed Sophos to neutralize a planned wave of botnet attacks.
  • After Asnarök, Sophos advanced its intelligence operations by creating an additional threat actor tracking program focused on identifying and disrupting adversaries looking to exploit Sophos devices deployed in customer environments; the program was built using a combination of open-source intelligence, web analytics, telemetry monitoring, and targeted kernel implants deployed to the attackers’ research devices.
  • Next, the attackers showed an increasing level of persistence, upleveling their tactics and deploying increasingly stealthy malware. However, using its threat actor tracking program and enhanced telemetry gathering capabilities, Sophos was able to pre-empt several attacks and obtain a copy of a UEFI bootkit and custom exploits before they could be deployed broadly.
  • A few months later, Sophos tracked some of the attacks to an adversary who has demonstrated links to China and Sichuan Silence Information Technology’s Double Helix Research Institute in the country’s Chengdu region.
  • In March 2022, an anonymous security researcher reported a zero-day remote code execution vulnerability, designated CVE-2022-1040, to Sophos as part of the company’s bug bounty program. Further investigation revealed that this CVE was already being exploited in the wild in multiple operations—operations that Sophos was then able to stop impacting customers. After deeper analysis, Sophos determined the person reporting the exploit may have had a connection to the adversaries. This was the second time Sophos received a suspiciously timed “tip” about an exploit before it was used maliciously.

“Recent advisories from the Cybersecurity and Infrastructure Security Agency (CISA) underscore the growing threat posed by Chinese nation-state cyber groups to critical infrastructure worldwide,” said Ross McKerchar, CISO at Sophos. “While the focus often falls on large organizations, small- and medium-sized businesses (SMBs)—key links in the critical infrastructure supply chain—are increasingly becoming targets. These businesses often lack the resources to defend against sophisticated attacks, making them vulnerable entry points for adversaries.”

McKerchar highlighted the tenacity of these attackers, stating, “China-based adversaries excel at creating long-term persistence through obfuscated and complex operations. Once they gain a foothold, removing them becomes a daunting task. They will continue their operations until they are decisively disrupted.”

Industry Experts Weigh In on Sophos’ Pacific Rim Report

Sophos’ Pacific Rim report, which reveals a multi-year effort to counter advanced Chinese nation-state cyber campaigns, has drawn praise from industry leaders for its insights and contributions to global cybersecurity.

Jeff Greene, Executive Assistant Director for Cybersecurity, CISA

“Through the Joint Cyber Defense Collaborative (JCDC), CISA collects and shares critical intelligence on cybersecurity threats, including the sophisticated tactics employed by People’s Republic of China (PRC) state-sponsored actors. Sophos’ Pacific Rim report provides invaluable insights into the PRC’s evolving behaviors, enabling cyber defenders worldwide to better understand and mitigate the widespread exploitation of edge network devices.

CISA continues to stress the importance of addressing vulnerabilities like SQL injections and memory safety issues, which are frequently exploited. We encourage software manufacturers to adopt our Secure by Design principles, as Sophos has exemplified in this case. Organizations should take the pledge to implement secure practices and review our alerts to eliminate common vulnerabilities.”

Eric Parizo, Managing Principal Analyst, Omdia

“While many cybersecurity vendors conduct research on adversarial operations, few have succeeded in countering such formidable nation-state actors over an extended period. Sophos’ efforts are extraordinary. They seized a unique opportunity and delivered not only cutting-edge research but actionable insights that will fortify defenses for their customers well into the future.”

Hielke Bontius, Head of Operations, NCSC-NL

“At NCSC-NL, our mission includes sharing information and fostering collaboration between national and international organizations to strengthen cyber resilience. We are pleased to have contributed to Sophos’ investigation. Collaborative efforts like this are essential for addressing the sophisticated challenges posed by nation-state cyber threats.”

A Call to Strengthen Cyber Defenses

Sophos’ Pacific Rim report serves as a reminder of the critical need for robust cybersecurity measures across all sectors. By focusing on vulnerability management, advanced threat detection, and industry collaboration, organizations can better prepare for the persistent and evolving tactics of nation-state adversaries.

Advice for Defenders

Organizations should expect that all internet-facing devices are prime targets for nation-state adversaries, especially devices deployed in critical infrastructure. Sophos encourages organizations to take the following actions to strengthen their security posture:

  • Minimize internet-facing services and devices when possible
  • Prioritize patching with urgency for internet-facing devices and monitor these devices
  • Allow hotfixes for edge devices to be applied automatically
  • Collaborate with law enforcement, public-private partners, and government to share and act on relevant IoCs
  • Create a plan for how your organization deals with EOL devices

“We must foster collaboration across the public and private sectors, law enforcement, governments, and the security industry to combat these adversarial operations effectively,” said Ross McKerchar, CISO at Sophos. “The tactic of targeting edge devices, which are designed to safeguard networks, is both bold and strategic. Organizations, channel partners, and Managed Service Providers need to recognize that these devices are prime targets for attackers and must take immediate steps to harden them and apply critical patches as soon as they are released.”

McKerchar emphasized that attackers are actively exploiting end-of-life (EOL) devices, which often lack proper security updates. He urged organizations to prioritize upgrading outdated platforms to minimize vulnerabilities.

“Vendors also play a crucial role in this defense,” McKerchar added. “They must support customers by providing reliable and well-tested hotfixes, simplifying the upgrade process from EOL platforms, and systematically addressing legacy code that may harbor vulnerabilities. Continuous improvements in secure-by-default designs can significantly ease the burden on customers by reducing the need for manual hardening measures. Furthermore, monitoring the integrity of deployed devices is essential to staying ahead of evolving threats.”

By combining proactive measures, such as patching and upgrading devices, with collaborative efforts to share intelligence and best practices, organizations can strengthen their defenses against increasingly sophisticated cyberattacks.
