Security company Sophos releases report 'Pacific Rim' documenting more than five years of fighting Chinese hackers



Daily reports of hackers from countries such as China, Russia, and North Korea conducting cyber attacks targeting various parts of the world are coming in, and IT companies and security vendors are at the forefront of this battle. On October 31, 2024, security company Sophos released a record of its activities from 2018 to 2023 in response to multiple threat actors based in China.

Pacific Rim timeline: Information for defenders from a braid of interlocking attack campaigns – Sophos News

https://news.sophos.com/en-us/2024/10/31/pacific-rim-timeline/

Pacific Rim: Inside the Counter-Offensive—The TTPs Used to Neutralize China-Based Threats – Sophos News
https://news.sophos.com/en-us/2024/10/31/pacific-rim-neutralizing-china-based-threat/

In summarizing the report, titled 'Pacific Rim,' Sophos said, 'For more than five years, we have investigated multiple Chinese groups that have been using botnets, novel exploits and custom malware to attack Sophos firewalls.'

Based on the findings of its investigation, conducted in collaboration with government and law enforcement agencies as well as other security vendors, Sophos attributes these cyber attacks to Volt Typhoon, APT31 and APT41 (Winnti) with varying levels of confidence, and assesses with particular confidence that China's Sichuan province is a hub for exploit research and development.



◆ First attack: 2018
The beginning of this series of attacks was not an attack on a network device, but on the headquarters building of Cyberoam, Sophos' Indian subsidiary.

On December 4, 2018, Sophos security analysts detected a device performing network scans and traced it back to its source, discovering a remote access trojan (RAT) installed on a low-privilege PC used to feed video to a wall-mounted display in Cyberoam's offices.

The attacker, named Cloud Snooper, initially appeared to be using relatively simple methods, but as the investigation progressed it became clear that they were deploying attack methods of unprecedented scale and complexity.

And while the affiliation of Cloud Snooper was unknown at the time, Sophos said it 'now assesses with confidence that this was an initial Chinese effort to gather intelligence for developing malware to target network devices.'



◆ Large-scale: 2020
Chinese hackers launched multiple campaigns from early 2020 through 2022, beginning prominent attacks in earnest. One of the major attacks, the 'Asnarök (CVE-2020-12271)' attack in April 2020, led to a major investigation in which the C2 server of the Asnarök malware was seized in cooperation with the National Cyber Security Center (NCSC), the high-tech crime unit of the Dutch government.

Additionally, the investigations into Asnarök and another attack later named 'Personal Panda' revealed links between bug bounty researchers, who discover and publicly disclose vulnerabilities, and hacking organizations.

Given that both are based in Chengdu, the capital of Sichuan province, Sophos speculates with medium confidence that 'there is a research community centered around educational institutions in Chengdu that is sharing vulnerability research results with both security vendors and organizations contracted by the Chinese government to carry out cyber attacks.'



◆ Transition to stealth: 2022 onwards
Chinese attackers shifted tactics in mid-2022, launching more targeted attacks against specific organizations, including government agencies and infrastructure, research institutes, public organizations, and military-related companies.

These attacks, which utilized a variety of tactics, techniques, and procedures (TTPs), were not automated but instead featured an 'active adversary' style of attack, in which attackers manually executed commands and carried out attacks on compromised devices.

Chinese attackers have also developed various forms of stealth techniques to evade detection, including memory-only malware, advanced persistence techniques, and the ability to hide compromised network devices behind large-scale proxy networks.



In many of these attacks, Sophos was on the defensive, but in an investigation of Sichuan Silence Information Technology, a Sichuan company involved in information manipulation related to the COVID-19 pandemic, Sophos also found openings to fight back, hacking into attackers' devices and even watching them write code in a text editor.

Summing up its work against the Chinese hackers so far, Sophos said, 'The threat actors have been conducting persistent attacks for more than five years. These attackers appear to be well-resourced, patient and creative, with exceptional knowledge of the firmware's internal architecture. Our research continues to uncover a level of malicious activity rarely seen before, even though Sophos was founded more than 40 years ago.'

in Security, Posted by log1l_ks