Sophos recently released its comprehensive “Pacific Rim” report, exposing a sophisticated web of cyber threats from Chinese state-backed actors targeting critical infrastructure across the Asia-Pacific region.
Over the past five years, Sophos has documented a series of cyber campaigns employing advanced tactics, techniques, and procedures (TTPs) linked to high-profile Chinese hacking groups like Volt Typhoon, APT31, and APT41.
These actors have targeted both small and large government organizations, including nuclear energy facilities, military hospitals, and key national infrastructure across South and Southeast Asia.
Sophos Firewalls, along with other perimeter security devices, have been primary targets as Chinese actors attempted to establish surveillance networks and execute cyber-espionage operations.
Escalating Threats and Evolving Defenses
Sophos’ cybersecurity unit, X-Ops, has been integral to the defense against these escalating cyber threats. Following an initial wave of attacks, the attackers intensified their campaigns, drawing in more experienced operatives.
This intensification led Sophos to uncover a vast network of interconnected adversaries. While Sophos has previously disclosed information on specific attack campaigns, such as Cloud Snooper and Asnarök, the “Pacific Rim” report provides a consolidated analysis of Chinese nation-state efforts to exploit vulnerabilities in unpatched and outdated devices, often utilizing zero-day exploits.
Sophos continues to urge organizations to patch vulnerabilities on internet-facing devices, highlighting that hotfixes for Sophos Firewall customers are now enabled by default to mitigate such threats.
Edge Devices as Prime Targets for Chinese Cyber Actors
Ross McKerchar, CISO at Sophos, emphasized the increased vulnerability of edge devices, such as firewalls and routers, which are highly sought-after targets for Chinese state-sponsored groups.
These attackers use network devices as operational relay boxes (ORBs) to camouflage their activities, deploying them for both direct espionage and broader cyber operations.
“Network devices designed for businesses are natural targets for these purposes – they are powerful, always on, and have constant connectivity,” McKerchar noted.
Sophos’ defense strategy has included deploying detection and response techniques on their own devices, allowing them to intercept and terminate numerous hostile operations, reinforcing their threat intelligence to preempt further attacks on their customers.
Key Findings and Timeline of Attacks
The report highlights several notable incidents. In 2018, Sophos detected a novel backdoor malware, known as Cloud Snooper, on a low-privileged computer within the Sophos network in India.
This initial attack showcased the adversaries’ ability to infiltrate networks subtly. In 2020, another attack dubbed Asnarök targeted Sophos using a fake domain, leading Sophos to collaborate with European law enforcement to dismantle the command-and-control network.
Subsequent developments in Sophos’ threat tracking program allowed it to intercept even more stealthy exploits, including a UEFI bootkit and custom malware linked to China’s Sichuan-based Double Helix Research Institute.
The report also details a 2022 attack where Sophos thwarted the use of a zero-day vulnerability, CVE-2022-1040, through a proactive bug bounty program that inadvertently revealed the adversaries’ tactics.
The Persistent Threat of China-Based Cyber Adversaries
McKerchar warns that these Chinese actors pose a significant risk not only to large corporations but also to small and medium-sized businesses in critical infrastructure sectors.
These companies, often limited in cybersecurity resources, have become vulnerable points in global supply chains, particularly as attackers establish long-term persistence within compromised networks.
This behavior is a hallmark of China-based cyber groups, as they prioritize stealth, longevity, and obfuscation in their operations.
McKerchar underscores that “small- and medium-sized businesses… are often the weak links in this supply chain,” thus making them primary targets for these attackers.
Global Cybersecurity Collaboration and Support from Industry Experts
The release of the “Pacific Rim” report has garnered responses from various cybersecurity authorities. Jeff Greene from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) emphasized the importance of such insights in addressing the challenges presented by PRC-sponsored actors.
Greene called for improved industry standards, particularly concerning edge devices vulnerable to widespread exploits.
He encouraged manufacturers to implement “Secure by Design” principles, a sentiment echoed by other cybersecurity experts. Hielke Bontius from the Dutch National Cyber Security Center (NCSC-NL) acknowledged the role of international collaboration, which was instrumental in facilitating information-sharing during Sophos’ investigation.
Eric Parizo from Omdia’s cybersecurity research group also praised Sophos for its ability to maintain defensive measures against sophisticated nation-state actors over extended periods.
He noted that “Sophos made the most of a highly unique opportunity,” providing valuable research that strengthens the security posture of both its customers and the broader cybersecurity community.
Recommendations for Strengthening Cyber Defenses
The “Pacific Rim” report outlines strategic recommendations for defenders in critical infrastructure sectors. Key among them is minimizing the exposure of internet-facing devices and prioritizing timely patching of vulnerabilities in edge devices.
Sophos also advises enabling hotfixes by default on edge devices and advocates for collaborative cybersecurity efforts involving public and private sectors.
McKerchar stresses the urgency for manufacturers to continuously update device security, including transitioning from end-of-life devices and integrating robust monitoring capabilities to detect threats swiftly.
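The recommendations above (limit internet exposure of edge devices, patch promptly, keep automatic hotfixes enabled, retire end-of-life hardware) can be turned into a routine inventory check. The script below is an added example written for this page, not code from Sophos or from the report; the device names, firmware versions, minimum patched versions, end-of-life dates, reference date and the set of management ports it treats as sensitive are all constructed assumptions.

```python
"""Edge-device exposure and patch-status check (added example, constructed data).

Applies the Pacific Rim report's defensive recommendations to a small asset
inventory: flag firmware below a known-fixed version, end-of-life devices,
disabled automatic hotfixes, and management ports reachable from the internet.
"""
import re
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple

# Management/remote-admin ports that should not face the internet on an edge
# device. Assumption for this example; 443 is left out because a firewall may
# legitimately serve a VPN portal there and that needs a separate policy.
ADMIN_PORTS = {22, 23, 4444, 8443}

# Constructed reference date for the end-of-life comparison.
TODAY = date(2024, 11, 1)


@dataclass
class EdgeDevice:
    name: str
    vendor: str
    firmware: str                 # running firmware, e.g. "19.0.1"
    min_patched: str              # lowest version carrying the relevant fix (assumed)
    eol: Optional[date]           # vendor end-of-life date, None if still supported
    auto_hotfix: bool             # whether automatic hotfixes are enabled
    internet_exposed_ports: List[int] = field(default_factory=list)


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a dotted version string into a comparable tuple of integers.

    Non-numeric suffixes ("19.0.1-mr2") are ignored so comparison stays numeric.
    """
    return tuple(int(p) for p in re.findall(r"\d+", v))


def assess(dev: EdgeDevice, today: date) -> List[str]:
    """Return a list of human-readable findings for one device (empty if clean)."""
    findings: List[str] = []
    if parse_version(dev.firmware) < parse_version(dev.min_patched):
        findings.append(f"unpatched firmware {dev.firmware} < {dev.min_patched}")
    if dev.eol is not None and dev.eol <= today:
        findings.append(f"end-of-life since {dev.eol.isoformat()}")
    if not dev.auto_hotfix:
        findings.append("automatic hotfixes disabled")
    exposed_admin = sorted(set(dev.internet_exposed_ports) & ADMIN_PORTS)
    if exposed_admin:
        findings.append(f"management ports exposed to the internet: {exposed_admin}")
    return findings


def report(inventory: List[EdgeDevice], today: date) -> Dict[str, List[str]]:
    """Assess every device and key the findings by device name."""
    return {dev.name: assess(dev, today) for dev in inventory}


# Constructed inventory: names, versions and dates are illustrative only.
INVENTORY = [
    EdgeDevice("fw-branch-01", "ExampleVendor", "19.0.1", "19.0.2",
               None, False, [443, 8443]),
    EdgeDevice("fw-hq-01", "ExampleVendor", "20.0.0", "19.0.2",
               None, True, [443]),
    EdgeDevice("rtr-legacy-01", "ExampleVendor", "7.2", "7.2",
               date(2023, 6, 30), True, [22]),
]


def run_check() -> Dict[str, List[str]]:
    """Run the check against the constructed inventory with the reference date."""
    return report(INVENTORY, TODAY)


if __name__ == "__main__":
    for name, findings in run_check().items():
        status = "OK" if not findings else "REVIEW"
        print(f"{name}: {status}")
        for f in findings:
            print(f"  - {f}")
```

In practice the inventory would come from the device management API or a CMDB export, and the `min_patched` value per model from the vendor's advisory for the vulnerability being tracked; the check itself is deliberately vendor-neutral.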
Tech editor at Tech with Muchiri. I specialize in covering various aspects of technology and reviewing the latest gadgets. If you have any inquiries or wish to contact me, feel free to reach out to me via email: [email protected]