
Inside a firewall vendor’s 5-year war with Chinese hackers hijacking its devices


For years, it has been an inconvenient truth within the cybersecurity industry that the network security devices sold to protect customers from spies and cybercriminals are themselves often the machines those intruders hack to gain access to their objectives. Time and time again, vulnerabilities in “perimeter” devices like firewalls and VPN appliances have become footholds for sophisticated hackers attempting to break into the very systems those devices were designed to protect.

Now, a cybersecurity vendor is revealing how hard (and for how long) it has battled a group of hackers who have tried to exploit its products for their own benefit. For more than five years, British cybersecurity company Sophos engaged in a game of cat and mouse with a team of loosely connected adversaries attacking its firewalls. The company went so far as to track and monitor the specific devices on which the hackers were testing their intrusion techniques, keep an eye on the hackers at work, and ultimately trace that years-long, focused exploitation effort to a single network of vulnerability researchers in Chengdu, China.

On Thursday, Sophos chronicled that half-decade war with those Chinese hackers in a report detailing their tit-for-tat escalation. The company even went so far as to discreetly install its own “implants” on the Chinese hackers’ Sophos devices to monitor and preempt their attempts to exploit its firewalls. Sophos researchers ultimately obtained from the hackers’ test machines a sample of “bootkit” malware designed to hide undetectably in the low-level code the firewalls use to boot, a trick that had never before been seen in the wild.

In the process, Sophos analysts identified a series of hacking campaigns that had begun with indiscriminate mass exploitation of its products but eventually became stealthier and more targeted, affecting nuclear energy suppliers and regulators, military targets including a military hospital, telecommunications providers, government and intelligence agencies, and the airport of a national capital. While most of the targets (which Sophos declined to identify in further detail) were in South and Southeast Asia, a smaller number were in Europe, the Middle East, and the United States.

The Sophos report links those multiple hacking campaigns (with varying levels of confidence) to Chinese state-sponsored hacking groups, including those known as APT41, APT31, and Volt Typhoon, the last of which is a particularly aggressive outfit that has sought the ability to disrupt critical infrastructure in the US, including power grids. But the common thread throughout those efforts to hack Sophos devices, the company says, is not one of those previously identified hacking groups but a broader network of researchers who appear to have developed hacking techniques and provided them to the Chinese government. Sophos analysts link the development of these exploits to an academic institute and a contractor, both in Chengdu: Sichuan Silence Information Technology, a company previously linked by Meta to Chinese state disinformation efforts, and the University of Electronic Science and Technology of China.

Sophos says it is telling that story now not only to share a glimpse into China’s hacking research and development process, but also to break the cybersecurity industry’s uncomfortable silence around the broader issue of vulnerabilities in security devices that serve as entry points for hackers. Just last year, for example, flaws in security products from other vendors, including Ivanti, Fortinet, Cisco, and Palo Alto, were exploited in mass hacking or targeted intrusion campaigns. “This is becoming an open secret. People understand that this is happening, but unfortunately everyone is zip,” says Ross McKerchar, chief information security officer at Sophos, miming running a zipper across his lips. “We are taking a different approach, trying to be very transparent, address this head-on and confront our adversary on the battlefield.”

From a hacked screen to waves of massive intrusion

As Sophos tells it, the company’s long battle against Chinese hackers began in 2018 with a breach of Sophos itself. The company discovered a malware infection on a display computer at the Ahmedabad office of its India-based subsidiary Cyberoam. The malware had caught Sophos’s attention because of its noisy network scanning. But when the company’s analysts took a closer look, they discovered that the hackers behind it had already compromised other machines on the Cyberoam network with a more sophisticated rootkit that Sophos identified as CloudSnooper. In retrospect, the company believes that the initial intrusion was designed to obtain information about Sophos products that would enable subsequent attacks on its customers.

Then, in the spring of 2020, Sophos began learning of a broad campaign of indiscriminate infections of tens of thousands of firewalls around the world, in an apparent attempt to install a trojan called Asnarök and create what Sophos calls “operational relay boxes,” or ORBs, essentially a botnet of compromised machines that the hackers could use as launch points for other operations. The campaign was surprisingly well resourced and exploited multiple zero-day vulnerabilities that the hackers appeared to have discovered in Sophos devices. Only a failure in the malware’s cleanup attempts on a small fraction of affected machines allowed Sophos to analyze the intrusions and begin studying the hackers attacking its products.
