Sophos recently released its comprehensive “Pacific Rim” report, exposing a sophisticated web of cyber threats from Chinese state-backed actors targeting critical infrastructure across the Asia-Pacific region.
Over the past five years, Sophos has documented a series of cyber campaigns employing advanced tactics, techniques, and procedures (TTPs) linked to high-profile Chinese hacking groups such as Volt Typhoon, APT31, and APT41.
These actors have targeted both small and large government organizations, including nuclear energy facilities, military hospitals, and key national infrastructure across South and Southeast Asia.
Sophos Firewalls, along with other perimeter security devices, have been primary targets as Chinese actors attempted to establish surveillance networks and execute cyber-espionage operations.
Escalating Threats and Evolving Defenses
Sophos’ cybersecurity unit, X-Ops, has been integral to the defense against these escalating cyber threats. Following an initial wave of attacks, the attackers intensified their campaigns, drawing in more experienced operatives.
This intensification led Sophos to uncover a vast network of interconnected adversaries. While Sophos has previously disclosed information on specific attack campaigns, such as Cloud Snooper and Asnarök, the “Pacific Rim” report provides a consolidated analysis of Chinese nation-state efforts to exploit vulnerabilities in unpatched and outdated devices, often utilizing zero-day exploits.
Sophos continues to urge organizations to patch vulnerabilities on internet-facing devices, highlighting that hotfixes for Sophos Firewall customers are now enabled by default to mitigate such threats.
Edge Devices as Prime Targets for Chinese Cyber Actors
Ross McKerchar, CISO at Sophos, emphasized the increased vulnerability of edge devices, such as firewalls and routers, which are highly sought-after targets for Chinese state-sponsored groups.
These attackers use network devices as operational relay boxes (ORBs) to camouflage their activities, deploying them for both direct espionage and broader cyber operations.
“Network devices designed for businesses are natural targets for these purposes – they are powerful, always on, and have constant connectivity,” McKerchar noted.
Sophos’ defense strategy has included deploying detection and response techniques on its own devices, which allowed it to intercept and terminate numerous hostile operations and strengthened its threat intelligence so that it could preempt further attacks on its customers.
Key Findings and Timeline of Attacks
The report highlights several notable incidents. In 2018, Sophos detected a novel backdoor malware, known as Cloud Snooper, on a low-privileged computer within the Sophos network in India.
This initial attack showcased the adversaries’ ability to infiltrate networks subtly. In 2020, another attack dubbed Asnarök targeted Sophos using a fake domain, leading Sophos to collaborate with European law enforcement to dismantle the command-and-control network.
Subsequent developments in Sophos’ threat tracking program allowed it to intercept even more stealthy exploits, including a UEFI bootkit and custom malware linked to China’s Sichuan-based Double Helix Research Institute.
The report also details a 2022 attack where Sophos thwarted the use of a zero-day vulnerability, CVE-2022-1040, through a proactive bug bounty program that inadvertently revealed the adversaries’ tactics.
The Persistent Threat of China-Based Cyber Adversaries
McKerchar warns that these Chinese actors pose a significant risk not only to large corporations but also to small and medium-sized businesses in critical infrastructure sectors.
These companies, often limited in cybersecurity resources, have become vulnerable points in global supply chains, particularly as attackers establish long-term persistence within compromised networks.
This behavior is a hallmark of China-based cyber groups, as they prioritize stealth, longevity, and obfuscation in their operations.
McKerchar underscores that “small- and medium-sized businesses… are often the weak links in this supply chain,” thus making them primary targets for these attackers.
Global Cybersecurity Collaboration and Support from Industry Experts
The release of the “Pacific Rim” report has garnered responses from various cybersecurity authorities. Jeff Greene from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) emphasized the importance of such insights in addressing the challenges presented by PRC-sponsored actors.
Greene called for improved industry standards, particularly concerning edge devices vulnerable to widespread exploits.
He encouraged manufacturers to implement “Secure by Design” principles, a sentiment echoed by other cybersecurity experts. Hielke Bontius from the Dutch National Cyber Security Center (NCSC-NL) acknowledged the role of international collaboration, which was instrumental in facilitating information-sharing during Sophos’ investigation.
Eric Parizo from Omdia’s cybersecurity research group also praised Sophos for its ability to maintain defensive measures against sophisticated nation-state actors over extended periods.
He noted that “Sophos made the most of a highly unique opportunity,” providing valuable research that strengthens the security posture of both its customers and the broader cybersecurity community.
Recommendations for Strengthening Cyber Defenses
The “Pacific Rim” report outlines strategic recommendations for defenders in critical infrastructure sectors. Key among them is minimizing the exposure of internet-facing devices and prioritizing timely patching of vulnerabilities in edge devices.
Sophos also advises enabling hotfixes by default on edge devices and advocates for collaborative cybersecurity efforts involving public and private sectors.
McKerchar stresses the urgency for manufacturers to continuously update device security, including transitioning from end-of-life devices and integrating robust monitoring capabilities to detect threats swiftly.
Tech editor at Tech with Muchiri. I specialize in covering various aspects of technology and reviewing the latest gadgets.