In a revealing report, UK cybersecurity firm Sophos has highlighted a prolonged and intricate battle with a group of hackers based in Chengdu, China. This confrontation, which has persisted for over five years, underscores a troubling reality in the cybersecurity landscape: devices that are designed to shield organizations from cyber threats, such as firewalls and VPNs, can often serve as targets for those very same threats. Vulnerabilities in these perimeter security devices have frequently provided entry points for sophisticated cyber adversaries seeking to infiltrate protected systems.
Sophos initially became aware of this ongoing exploitation when an internal security incident in 2018 unveiled malware on a display computer within its Indian subsidiary, Cyberoam. This malware, referred to as CloudSnooper, was causing unusual network activity and led Sophos analysts to discover that further infiltration had already been accomplished on several other machines within the same network. The initial intrusion appeared to be a reconnaissance effort aimed at gathering intelligence about Sophos products, likely to facilitate more extensive attacks on their customers.
By the spring of 2020, Sophos detected a widespread campaign targeting its firewalls, which resulted in the unauthorized installation of a trojan known as Asnarök. This campaign exploited several zero-day vulnerabilities in Sophos appliances, allowing the attackers to establish what they termed “operational relay boxes,” or ORBs: a network of compromised devices that could be leveraged for future operations. The sophistication of these attacks indicated that significant resources were behind them, with the intruders demonstrating a capability to act effectively on multiple fronts.
The hacking campaigns identified by Sophos were not only indiscriminate but also evolved to become targeted, affecting critical sectors including military installations, telecommunications, and government agencies in South and Southeast Asia, as well as some in Europe, the Middle East, and the United States. The targeted nature of these efforts suggests a strategic intent, potentially linked to state-sponsored activities aimed at disrupting essential services or gathering sensitive information.
Sophos’s analysis ties these attacks to various Chinese state-sponsored hacking groups, including APT41, APT31, and Volt Typhoon, known for their aggressive tactics and focus on critical infrastructure. However, the firm indicates that the orchestration of these exploits stems from a broader network of vulnerability researchers who appear to be providing tools and techniques to state actors. The research community involved includes an academic institution and a private contractor based in Chengdu, which indicates an intertwining of academic work with actionable cyber threat development.
The insights shared by Sophos highlight a critical issue within the cybersecurity industry: the vulnerabilities inherent in security devices that are intended to protect against breaches. Flaws have been identified in security products from multiple vendors that facilitate mass hacking campaigns or targeted intrusions. In the past year alone, vulnerabilities in products from vendors such as Ivanti, Fortinet, Cisco, and Palo Alto have been exploited extensively, revealing a pressing need for transparency and proactive measures in cybersecurity.
By coming forward with this detailed narrative, Sophos is not only shedding light on the vulnerabilities in security appliances but is also urging a shift in the cybersecurity discourse—a call for an open acknowledgment of the risks associated with these devices and a more active defense strategy against persistent adversaries. This widespread reckoning with the security apparatus can empower businesses to better prepare for and understand the evolving threat landscape, ultimately fostering a more resilient infrastructure against potential cyberattacks.
In summary, this situation serves as a poignant reminder of the relevance of the MITRE ATT&CK matrix, particularly in the areas of initial access, persistence, and privilege escalation, as the techniques employed by these attackers have significant implications for business owners tasked with safeguarding their organizations.