
China-based APTs waged 5-year campaign on Sophos firewalls

For years, several advanced persistent threat groups tied to the Chinese government targeted Sophos firewall products with custom malware and zero-day exploits.

Sophos on Thursday unveiled a years-long Chinese nation-state threat campaign against its firewall products, as well as the techniques the cybersecurity vendor used to detect and thwart the attacks.

The campaign was disclosed in a research blog post, titled "Pacific Rim: Inside the Counter-Offensive -- The TTPs Used to Neutralize China-Based Threats," that covered Sophos X-Ops' five-year investigation into a cluster of activity and the counter-offensive, dubbed "Pacific Rim," that accompanied it. According to the vendor, multiple Chinese state-backed threat groups targeted Sophos firewall appliances with botnets, specialty malware and exploits for both zero-day and previously disclosed vulnerabilities.

Sophos noted in its research that Pacific Rim required the assistance of multiple cybersecurity vendors, governments and law enforcement agencies. Multiple threat actors were also involved; Sophos attributed clusters of activity to several Chinese state-sponsored threat groups, including APT31, APT41 (aka Winnti) and the notorious Volt Typhoon.

Activity was first detected in December of 2018 within the headquarters of India-based Sophos subsidiary Cyberoam Technologies. In this attack, Sophos saw a "low-privilege computer -- one that drove a display mounted on the wall of the Cyberoam office -- conducting network scans." The initial analysis indicated common living-off-the-land techniques and "suggested a relatively unsophisticated actor," Sophos said. However, other tactics, techniques and procedures (TTPs), such as a previously unseen and complex rootkit Sophos called "Cloud Snooper," made it clear that the actor involved was more skilled than initially thought.

"While this was the only incident in which a Sophos facility was targeted directly, it demonstrated an adaptable adversary capable of escalating capability as needed to achieve their objectives," a timeline-focused blog post explained. "For example, the threat actor demonstrated deep knowledge of AWS SSM (a relatively new technology in 2018) and deployed a kernel-level rootkit with stealthy command and control (C2) using ATT&CK technique T1205.002."

More than two years later, in 2020, a threat actor later identified as APT31 used a critical SQL injection vulnerability in the WebAdmin component of Cyberoam OS, CVE-2020-29574, to target Cyberoam products that were near end of life.

"The attacker used a zero-day which would later become CVE-2020-29574 to create a new administrator-level user account, named 'cybersupport,' on impacted devices (T1136.001)," the timeline blog read. "Sophos pushed out a hotfix to patch the vulnerability and delete attacker-created accounts. The company conducted outreach with registered owners to advise them either to upgrade their devices or take them out of service entirely."

From 2020 through 2022, Sophos observed Chinese nation-state actors attempt to build out Operational Relay Boxes (ORBs), previously detailed by Google Cloud's Mandiant earlier this year, which are botnet-esque mesh networks made up of virtual private servers as well as internet-connected devices used to obfuscate threat activities.

As detailed in Sophos' Pacific Rim coverage, actors targeted edge devices as well as other systems with internet-facing web portals. Multiple vulnerabilities and exploits were used during this process, including a zero-day SQL injection flaw in Sophos XG Firewalls, tracked as CVE-2020-12271, and a critical Sophos XG Firewall buffer overflow flaw, tracked as CVE-2020-15069.

From 2021 onward, relevant threat actors "appeared to shift focus from widespread indiscriminate attacks to highly targeted, 'hands-on-keyboard' narrow-focus attacks against specific entities: government agencies, critical infrastructure, research and development organizations, healthcare providers, retail, finance, military, and public-sector organizations primarily in the Asia-Pacific region."

In one example, threat actors used the Sophos Firewall authentication bypass vulnerability CVE-2022-1040 to target a high-level government department and a Tibetan-related target as part of a larger pattern that was "consistent with PRC-based foreign policy objectives."

TTPs and indicators of compromise are available in Sophos' Pacific Rim blogs.

Perhaps one of the most interesting aspects of the activity is that Sophos tracked suspicious activity to firewall devices registered to two Chinese organizations: Sichuan Silence Information Technology's Double Helix Research Institute in Sichuan, China, and the University of Electronic Science and Technology of China in Chengdu.

The implication, which Sophos alluded to in its blog, is that Chinese institutions are conducting exploit research that is then shared with Chinese governmental authorities and used to conduct state-sponsored cyber activities.

"Sophos X-Ops has identified, with high confidence, exploit research and development activity being conducted in the Sichuan region," Sophos wrote. "Consistent with China's vulnerability disclosure legislation, X-Ops assesses with high confidence that the developed exploits were then shared with multiple distinct state-sponsored frontline groups with differing objectives, capabilities, and post-exploitation tooling."

As part of the Pacific Rim counter-offensive, the Sophos X-Ops team developed a "targeted implant" that was deployed in 2020 to the suspected attacker-controlled devices in China, according to the timeline post. The vendor used the implants to conduct surveillance on threat activity at Double Helix.

Although the nation-state activity was used at least in part for espionage, the blog post states that "State-sponsored targeting is not limited to high-value espionage targets." Edge devices like those produced by Sophos, the vendor said, can be used as ORBs to obfuscate elements of attacks such as attack origin and intention.

Sophos X-Ops further stated that "In a tightly connected digital ecosystem, many organizations form part of a critical infrastructure supply chain and may be targeted by actors seeking to disrupt critical services."

Asked about China's non-espionage intentions, Sophos CISO Ross McKerchar said the Chinese government wants to be in a position to cause damage, regardless of whether or not the government acts upon these opportunities.

"When we say state-sponsored targeting is not limited to espionage targets, we are pointing out that China is expanding its playbook beyond espionage to pre-positioning itself inside critical infrastructure -- like telecom, energy grids, military systems, etc. -- to gain strategic leverage over rivals," McKerchar said in an email to TechTarget Editorial. "Additionally, they are using ORBs (Operational Relay Boxes) as gateways to hit critical infrastructure unnoticed and prevent defenders from tracking the source. The main takeaway is that beyond stealing secrets they want to be in a position to be able to cause as much disruption and chaos as possible up and down the supply chain."

Alexander Culafi is a senior information security news writer and podcast host for TechTarget Editorial.
