Sophos has today released “Pacific Rim,” a report detailing its defensive and counter-offensive operation over the last five years with multiple interlinked nation-state adversaries based in China targeting perimeter devices, including Sophos Firewalls. According to the report, the attackers used a series of campaigns with novel exploits and customized malware to embed tools to conduct surveillance, sabotage and cyberespionage, as well as overlapping tactics, tools and procedures [TTPs] with well-known Chinese nation-state groups including Volt Typhoon, APT31 and APT41.
The adversaries targeted both small and large critical infrastructure and government targets, primarily located in South and South-East Asia, including nuclear energy suppliers, a national capital’s airport, a military hospital, state security apparatus, and central government ministries.
Throughout Pacific Rim, Sophos X-Ops, the company’s cybersecurity and threat intelligence unit, worked to neutralize the adversaries’ moves and continuously evolved defenses and counter-offensives. After Sophos successfully responded to the initial attacks, the adversaries escalated their efforts and brought in more experienced operators. Sophos subsequently uncovered a vast adversarial ecosystem.
While Sophos released details starting in 2020 on the associated campaigns, including Cloud Snooper and Asnarök, the company is sharing the overall investigation analysis to raise awareness of the persistence of Chinese nation-state adversaries and their hyperfocus on compromising perimeter, unpatched and end-of-life [EOL] devices, often via zero-day exploits they are creating for those devices. Sophos is also encouraging all organizations to urgently apply patches for vulnerabilities discovered in any of their internet-facing devices and to migrate any older unsupported devices to current models.
Sophos regularly updates all of its supported products based on new threats and indicators of compromise [IoCs] to protect customers. Sophos Firewall customers are protected via rapid hotfixes that are now turned on by default. “The reality is that edge devices have become highly attractive targets for Chinese nation-state groups like Volt Typhoon and others as they look to build operational relay boxes [ORBs] to obfuscate and support their activity. This includes directly targeting an espionage organization, or indirectly leveraging any weak points for onward attacks – essentially becoming collateral damage. Even organizations that are not targets are getting hit. Network devices designed for businesses are natural targets for these purposes – they are powerful, always on, and have constant connectivity,” said Ross McKerchar, CISO at Sophos. “When a group seeking to build a global network of ORBs targeted some of our devices, we responded by applying the same detection and response techniques we use to defend our corporate endpoints and network devices. This allowed us to burn multiple operations and tap into a valuable stream of threat intelligence that we applied to protect our customers from both future widespread attacks and highly targeted operations.”
“Recent advisories from CISA have made it clear that Chinese nation-state groups have become a perennial threat to nations’ critical infrastructure,” McKerchar continued.
“What we tend to forget is that small- and medium-sized businesses—those that form the bulk of the supply chain for critical infrastructure—are targets since they are often the weak links in this supply chain. Unfortunately, these businesses often have fewer resources to defend against such sophisticated threats. Further complicating matters is the tendency for these adversaries to gain a foothold and dig in, making it hard to evict them. The modus operandi of China-based adversaries is creating long-term persistence and complex obfuscated attacks. They won’t stop until they’re disrupted.”
According to Sophos, organizations should expect all internet-facing devices to be prime targets for nation-state adversaries, especially those devices in critical infrastructure.
Sophos encourages organizations to take the following actions to strengthen their security posture:
• Minimize internet-facing services and devices when possible
• Prioritize patching with urgency for internet-facing devices and monitor these devices
• Enable hotfixes for edge devices to be allowed and applied automatically
• Collaborate with law enforcement, public-private partners, and government to share and act on relevant IoCs
• Create a plan for how your organization deals with EOL devices
“We need to work collaboratively across the public and private sector, law enforcement and governments, and the security industry, to share what we know about these adversarial operations. Targeting the very same edge devices that are deployed to protect networks is a bold and clever tactic. Organizations, channel partners and Managed Service Providers need to understand that these devices are top targets for attackers and should ensure they are appropriately hardened, and critical patches are applied as soon as they are released. In fact, we know that attackers are actively hunting for EOL devices. Vendors play a big part here, too. They need to help customers by supporting reliable and well-tested hotfixing, making it easy to upgrade from EOL platforms, systematically refactoring or removing legacy code that can harbor lingering vulnerabilities, continuously improving secure by default designs to offload the customer burden of hardening, and monitoring the integrity of our deployed devices,” concluded McKerchar.
By Staff Writer