Most of us don’t think of ourselves or our organizations as nearly interesting enough to be targeted by nation-state threat actors, but like many other security self-assessments, this may no longer be true. As we detailed in our report, “Pacific Rim: Inside the Counter-Offensive—The TTPs Used to Neutralize China-Based Threats,” China-sponsored attackers have been in an ongoing battle with Sophos over the control of perimeter devices. The attackers’ goals included both targeted and indiscriminate device abuse.
This hostile activity isn’t directed at just one company. We have observed other internet-facing targets under siege, and have linked many of the involved threat actors to attacks on other network security vendors, including those who provide devices for home and small office use. Understanding why this campaign has been a long-term priority for the adversary can help potential targets, even those not currently under direct attack, see how the old rules for evaluating enterprise risk are changing, and what that means for the road ahead.
A foundational change in pattern
Why would threat actors working for giant nation-states care about small targets? Most security professionals think of their main adversaries as financially motivated criminals such as ransomware gangs, who often seek the lowest-hanging fruit to grab. While those gangs are known for exploiting network devices that have remained unpatched, they mostly don’t possess the capability to repeatedly discover new zero-day vulnerabilities and develop working exploits for them.
In contrast, with Pacific Rim we observed, with high confidence in our observation and analysis, an assembly line of zero-day exploit development associated with educational institutions in Sichuan, China. These exploits appear to have been shared with state-sponsored attackers, which makes sense for a nation-state that mandates such sharing through its vulnerability-disclosure laws.
Moreover, we saw the attackers refocusing their targeting throughout the years of Pacific Rim. Generally speaking, early attacks seemed designed to affect every device that was vulnerable. As we pushed back harder and harder against their efforts, the adversaries settled into more targeted attacks.
However, that isn’t the whole picture; there was a significant preliminary step prior to the attack-everything phase. As we saw when we dug into these interleaved cases, it isn’t uncommon for attackers such as these to first use a high-value zero-day vulnerability quietly, in targeted attacks designed to go unnoticed. Once they have achieved their primary goal, or suspect they might be detected, they unleash the exploit against all available devices to create confusion and cover their tracks.
With so many overlapping attacks attempted, depending on what attackers have set their sights on, any device can be useful to them. The attackers involved in Pacific Rim, and others like them, aren’t just after military secrets and intellectual property; they are also seeking to disguise their more high-value efforts, and to confuse those who may seek to stop them. For the purpose of standing up “obfuscation networks” and generally causing trouble, compromising and abusing the greatest possible number of devices suits attackers’ goals well.
(For an example elsewhere in the industry, we can look to the ProxyLogon attack, attributed by Microsoft to a China-based group called HAFNIUM, which appears to have been used in a targeted manner before being unleashed worldwide. Exploitation of the ProxyLogon vulnerabilities then affected Exchange servers worldwide for years after that early, focused usage.)
With attack goals and patterns evolving, attitudes toward system upkeep must also evolve.
Opt-out is no longer an option
As a target of interest, Sophos deployed a lot of resources to actively defend our platform and expedite not just fixes for flaws, but enhancements to aid in earlier detection and deterrence. Yet, a troubling minority of our customers did not choose to consume these fixes in a timely manner. This series of incidents, and the effect of those customers’ choices on the health of the internet at large, spurred Sophos CEO Joe Levy to call for changes in the current shared-responsibility model of network security device maintenance.
In the mass attacks we observed, those that were indiscriminate and tried to infect every discoverable firewall, the impacts to compromised organizations were threefold. First, compromised firewalls could be used to disguise the attacker’s traffic, serving as proxy nodes in a web of compromised devices that ran on the victims’ resources. Second, they provided access to the device itself, allowing for the theft of policies indicating security posture as well as any locally stored credentials. Third, they were a jumping-off point for further attacks launched from the device itself, which forms the most important part of a network perimeter.
This is not a situation any responsible person or business wants to be in. It’s one reason it is so important not only to accept and apply major product updates, which continually improve the robustness of the defenses designed into the architecture of the firewall, but also to allow the automatic consumption of security hotfixes, which repair, on an emergency basis, security weaknesses that are being exploited or that urgently need fixing to prevent exploitation. Extensive safeguards are employed for hotfixes, and they are kept to an absolute minimum because of their automatic nature. Events in 2024 have made it clear that vendors absolutely must take this responsibility seriously, which includes using caution in the testing and rollout process and as much transparency as possible about what they are doing, but that doesn’t subtract from the need for patches to be applied with all deliberate haste, every time, everywhere.
Authentically important
Another area for our customers and partners to combine efforts is attack-surface minimization. Some of the vulnerabilities targeted in these attacks were in user and administrative portals that were never designed to face the open internet. We strongly recommend exposing the absolute minimum of all types of services to the internet. Those that must be exposed are best secured behind a zero-trust network access (ZTNA) gateway using robust, FIDO2-compliant multifactor authentication (MFA). MFA is fairly old-school advice (we talked about it as such in the early-2024 Active Adversary Report), but it’s Security 101 and it demonstrably removes the stolen-password path into a system. Note that MFA does nothing against a pre-authentication bug in the exposed portal itself, which is why reducing exposure comes first. In Pacific Rim, the attacks moved into a human-operated “active adversary” mode; some of the compromised devices were accessed via stolen credentials, not pre-auth vulnerabilities.
Additionally, once access was gained to a compromised device, some of the attackers would steal locally stored credentials in the hopes that these passwords would be reused on the organizations’ networks. Even when the firewall itself is not part of a single sign-on (SSO) regime, users frequently will use the same password they use for their Entra ID account. This is another reason it is critical that systems cannot simply be accessed with a password, but are authenticated with a second factor such as a machine certificate, token, or app challenge.
This connects back to the patch-your-stuff problem discussed above. For instance, in the case of CVE-2020-15069, the fix was released on June 25, 2020, yet we were still observing the attackers compromising firewalls to steal local credentials and establish remote command and control as late as February 18, 2021. Ideally updates are consumed immediately; if that function is disabled, a fixed vulnerability can remain an opportunity for our adversaries long into the future.
Little things mean a lot
One more lesson to take away from our experience is that there is no such thing as an unimportant compromise. Upon initial investigation of what may appear to be unsophisticated tools and techniques, you may uncover an unending caper, with twists and turns that surprise you. While a small computer designed to run a videoconferencing system (the initial entry point for all that followed in Pacific Rim) could have been dismissed and wiped, it ultimately led us to find more activity. The hunt culminated in the discovery of a sophisticated rootkit we dubbed Cloud Snooper, some novel methods to abuse Amazon Web Services (AWS), and five years of hunt and counter-hunt, over and over: cat-and-mouse action.
Unprivileged devices such as that videoconferencing gear are a favorite for adversaries in the modern era, as they are often unmonitored, purpose-built, and overpowered. They do something simple like drive a display, yet they have the full computing power of a powerful workstation from only ten years ago. The excess power, plus the lack of monitoring and of available security software, makes the perfect combination for an attacker to remain hidden, gain persistence, and do research into other, more valuable assets. Inventory these devices and watch their network traffic as you would any other host. The call is coming from inside the house…
Sometimes bugs come from the supply chain and can be even more difficult to address. Those bugs especially require that defenders treat problems as a shared responsibility. For example, in April 2022 we discovered the attackers were exploiting a previously unknown flaw in OpenSSL, the popular open-source encryption library. We reported it to the OpenSSL team on April 2, 2022; it was assigned CVE-2022-1292 (CVSS base score: 9.8) and fixed by the OpenSSL team on May 3, 2022. As busy as Pacific Rim itself was keeping us by then, there was absolutely no question that we would take the time to notify the OpenSSL team and support their own efforts to patch; it’s just what good community members do.
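CVE-2022-1292 was a shell-command injection in OpenSSL’s c_rehash helper script, which built a shell command line out of the names of certificate files found in a directory (that detail is from the OpenSSL advisory; the article above does not spell it out). The script below is an added example written for this page, not Sophos or OpenSSL code. It reproduces the bug class with `cat` standing in for `openssl x509 -hash -noout -in <file>` so it runs without OpenSSL installed: the vulnerable function pastes an untrusted file name into a shell string, the hardened one passes an argv list with no shell at all. The file names, the placeholder certificate body and the INJECTED marker are all constructed for the demonstration.

```python
"""Shell-command injection of the CVE-2022-1292 (c_rehash) kind, as an added example.

`cat` stands in for `openssl x509 -hash -noout -in <file>`; the defect is the same
whichever tool is invoked: a file name taken from the filesystem is pasted into a
shell command line, so a file named "x; <payload>" runs the payload.
"""
import os
import shutil
import subprocess
import tempfile

MARKER = "INJECTED"
# Constructed hostile file name: a benign-looking name, a ';', then a payload.
HOSTILE_NAME = f"cert.pem; echo {MARKER}"
# Constructed placeholder body; only its presence in the output matters here.
CERT_BODY = "-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n"


def make_cert_dir():
    """Create a temporary certificate directory with one benign and one hostile file name."""
    directory = tempfile.mkdtemp(prefix="rehash-demo-")
    for name in ("good.pem", HOSTILE_NAME):
        with open(os.path.join(directory, name), "w", encoding="utf-8") as fh:
            fh.write(CERT_BODY)
    return directory


def remove_cert_dir(directory):
    """Delete the demo directory created by make_cert_dir()."""
    shutil.rmtree(directory, ignore_errors=True)


def cert_path(directory, name):
    """Full path of a file in the directory (helper so callers need no os import)."""
    return os.path.join(directory, name)


def process_vulnerable(path):
    """The c_rehash pattern: an untrusted path interpolated into a shell string.

    For HOSTILE_NAME the shell sees 'cat <dir>/cert.pem; echo INJECTED': cat fails on
    a file that does not exist (error goes to stderr), then the payload runs.
    """
    proc = subprocess.run(f"cat {path}", shell=True, capture_output=True, text=True)
    return proc.stdout


def process_hardened(path):
    """Fix: argv list and no shell, so the name is one argument whatever it contains.

    '--' ends option parsing so a file named '-n' or '--help' cannot become a flag.
    """
    proc = subprocess.run(["cat", "--", path], capture_output=True, text=True, check=True)
    return proc.stdout


def scan(directory, handler):
    """Run handler over every file and record whether the payload marker fired."""
    fired = {}
    for name in sorted(os.listdir(directory)):
        out = handler(cert_path(directory, name))
        fired[name] = MARKER in out.splitlines()
    return fired


if __name__ == "__main__":
    demo_dir = make_cert_dir()
    try:
        print("vulnerable:", scan(demo_dir, process_vulnerable))  # hostile entry -> True
        print("hardened:  ", scan(demo_dir, process_hardened))    # every entry -> False
    finally:
        remove_cert_dir(demo_dir)
```

The same fix applies to any helper that shells out over file names it did not choose: either avoid the shell entirely by passing an argument list, or, where a shell is unavoidable, quote every untrusted argument with `shlex.quote`. Directory listings are attacker-controlled input whenever the attacker can drop a file into the directory.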
In that vein, in addition to internal application security testing and reviews, Sophos employs third-party assessments and operates a bug bounty program, the scope (and funding) of which has continued to increase since its launch in December 2017. While these efforts are to some degree preventative, others by their nature are reactive. And again, they require our customers and partners to work with us to apply the fixes promptly or, ideally, to enable emergency fixes to be deployed automatically.
And now?
Those who have read Clifford Stoll’s The Cuckoo’s Egg know well that huge security issues sometimes first manifest as tiny oddities. That book documents perhaps the first-ever case of state-sponsored “hacking,” in the mid-1980s. Sophos has been playing the same cat-and-mouse game Stoll played and won (as much as anyone can win this thing) over 35 years ago, when our company itself was just a few years old. His 75-cent accounting discrepancy is our videoconferencing gear, and what started out small in both cases became a defining experience for those involved. Many of the techniques Stoll used in the Cuckoo’s Egg investigation are still part of the defense toolset today. With the understanding that defenders’ work is truly never done, we choose to use the Pacific Rim experience as a means of re-evaluating and expanding defenders’ abilities to collaborate and improve.
Sophos X-Ops is happy to collaborate with others and share additional detailed IOCs on a case-by-case basis. Contact us via pacific_rim@sophos.com.
For the full story, please see our landing page: Sophos Pacific Rim: Counter-Offensive Against Chinese Cyber Threats.