Sophos disclosed today a series of reports dubbed “Pacific Rim” that detail how the cybersecurity company has been sparring with Chinese threat actors for over 5 years as they increasingly targeted networking devices worldwide, including those from Sophos.

For years, cybersecurity firms have warned enterprises that Chinese threat actors exploit flaws in edge networking devices to install custom malware that allows them to monitor network communications, steal credentials, or act as proxy servers for relayed attacks. 

These attacks have targeted well-known manufacturers, including Fortinet, Barracuda, SonicWall, Check Point, D-Link, Cisco, Juniper, NetGear, Sophos, and many more.

Sophos has attributed this activity to multiple Chinese threat actors, known as Volt Typhoon, APT31, and APT41/Winnti, all of which have been known to target networking devices in the past.

“For more than five years, Sophos has been investigating multiple China-based groups targeting Sophos firewalls, with botnets, novel exploits, and bespoke malware,” Sophos explains in a report that outlines the activity.

“With assistance from other cybersecurity vendors, governments, and law enforcement agencies we have been able to, with varying levels of confidence, attribute specific clusters of observed activity to Volt Typhoon, APT31 and APT41/Winnti.”

Sophos says they started sparring with the threat actors in 2018 when they targeted the headquarters of Cyberoam, an India-based Sophos subsidiary. The researchers believe this is when the threat actors began researching attacks on network devices.

Since then, the threat actors increasingly used zero-day and known vulnerabilities to target edge networking devices.

Sophos believes that many of the zero-day vulnerabilities are developed by Chinese researchers who not only share them with vendors, but also the Chinese government and associated state-sponsored threat actors.

Over the years, the Chinese threat actors evolved their tactics to utilize memory-only malware, advanced persistence techniques, and the use of compromised network devices as massive operational relay box (ORBs) proxy networks to evade detection.

While many of these attacks put cybersecurity researchers on the defensive, Sophos also had the opportunity to go on the offensive, planting custom implants on devices that were known to be compromised.

“Hunting through telemetry, X-Ops analysts identified a device which X-Ops concluded, with high confidence, belonged to the Double Helix entity,” explained Sophos.

“After consulting with legal counsel, X-Ops deployed the targeted implant and observed the attacker using vim to write and run a simple Perl script.”

“While of low value, the deployment served as a valuable demonstration of intelligence collection capability by providing near-real-time observability on attacker-controlled devices.”

These implants allowed Sophos to collect valuable data about the threat actors, including a UEFI bootkit that was observed being deployed to a networking device.

This device was purchased by a company based in Chengdu that sent telemetry to an IP address in that region. Sophos says this region has been the epicenter of malicious activity targeting networking devices.

Sophos’ multiple reports are highly detailed, sharing a timeline of events and details about how defenders can protect themselves from attacks.

For those who are interested in the “Pacific Rim” research, you should start here.