Pacific Rim: How does it concern you?

Many of us don’t perceive ourselves or our institutions as interesting enough to attract attention from state-sponsored threat actors. However, as is often the case with security assessments, that assumption may now be outdated. As described in our publication, “Pacific Rim: Delving into the Offensive Tactics—The Techniques Employed to Counter China-Based Risks,” state-sponsored attackers from China have been engaged in a sustained contest with Sophos over control of perimeter devices. Their objectives ranged from targeted to indiscriminate exploitation of those devices.

This hostile activity is not aimed at a single entity. We have seen other publicly accessible organizations besieged, and have linked many of the threat actors involved to attacks on other providers of network security products, including those serving home and small office environments. Understanding why this campaign has been worth sustaining for the adversary can help prospective targets, including those that consider themselves beyond the reach of such attacks, recognize how the traditional standards for assessing business risk are changing, and what that implies for them.

An underlying shift in behavior

Why would operatives for large nation-states be interested in minor targets? Most security practitioners consider their primary adversaries to be financially motivated cybercriminals such as ransomware groups, who typically go after the easiest available targets. While these criminal groups are known to exploit unpatched network devices, they usually lack the expertise to consistently find and exploit new zero-day vulnerabilities to gain initial access.

In contrast, in Pacific Rim we observed, with high confidence in our observations and analysis, a structured process of zero-day exploit development linked to educational institutions in Sichuan, China. These exploits appear to have been passed to state-backed attackers, a practice consistent with that nation’s vulnerability disclosure laws, which require such discoveries to be shared.

Furthermore, we noticed a shift in the attackers’ targeting strategy over the course of the Pacific Rim operations. Initially, the attacks seemed intended to hit any susceptible device. As we strengthened our defenses against their actions, the adversaries moved to more focused attacks.

Nonetheless, this narrative isn’t complete; there was a crucial preparatory phase before the widespread attack phase. Our examination of these intertwined cases made it evident that attackers like these often begin by quietly using a critical zero-day vulnerability in targeted attacks. Once they achieve their primary objective or detect that they may have been exposed, they escalate to attacking all available devices, generating noise and masking their earlier operations.

Given the multitude of overlapping attack attempts, any device can serve their purposes, depending on the attackers’ objectives. Those behind Pacific Rim and similar campaigns are not solely interested in military intelligence and proprietary information; they also aim to disguise their more valuable efforts and obscure their activities to impede interference. Compromising and exploiting the largest feasible number of devices suits both their obfuscation tactics and their disruptive intentions.

(For an example from another sector, consider the ProxyLogon attack, attributed by Microsoft to a Chinese group named HAFNIUM, which appears to have been executed in a targeted manner before being unleashed globally. HAFNIUM subsequently affected Exchange servers worldwide for an extended period following its initial focused use.)

As attack objectives and patterns evolve, approaches towards system maintenance must evolve correspondingly.

Opting out is no longer a viable choice

As a target of interest, Sophos dedicated significant resources to actively safeguarding our platform and expediting not only fixes for vulnerabilities but also enhancements to enable early detection and prevention. Nevertheless, a concerning minority of our customers did not promptly apply these fixes. These incidents, and the repercussions of those customers’ decisions on the overall health of the internet, prompted Sophos CEO Joe Levy to call for changes to the prevailing shared-responsibility model for maintaining the security of network devices.

In the large-scale attacks we observed, those that were indiscriminate and sought to infiltrate every accessible firewall, the effects on compromised organizations were threefold. First, the compromised devices could be used to camouflage the attacker’s traffic as it passed through a chain of compromised devices, consuming the victim’s resources. Second, they granted access to the device itself, enabling extraction of security policies and locally stored credentials. Third, they served as launch pads for subsequent attacks originating from the device itself, which is a critical component of network perimeter defense.

This is a predicament no responsible individual or organization wants to encounter. That is why it is imperative not only to acknowledge and install the major product updates that continually enhance the resilience of the defenses built into the firewall’s design, but also to allow automatic application of security hotfixes that urgently fix vulnerabilities under active exploitation or that require immediate updates to prevent exploitation. Extensive precautions are taken in deploying hotfixes, and they are kept to the minimum necessary precisely because they are applied automatically. The events of 2024 underscore the need for vendors to fully accept this responsibility, which means exercising caution in testing and deployment and offering as much transparency as possible about their actions, without detracting from the necessity of applying patches promptly, every time, in every situation.

Genuinely significant

Another area where our customers and partners can collaborate with us is in minimizing the attack surface. Some of the vulnerabilities exploited in these attacks existed in user and administrative portals that were never intended for public exposure. We strongly advocate limiting the exposure of all services to the internet to the absolute minimum. If exposure is unavoidable, the services are best placed behind a zero-trust network access (ZTNA) gateway using robust, FIDO2-compliant multifactor authentication (MFA). MFA may seem like conventional advice (we underscored this in the early-2024 Active Adversary Report), but it is a fundamental security principle and demonstrably curtails attack opportunities. In Pacific Rim, the attacks advanced to a human-driven “active adversary” mode; some of the breached devices were accessed using stolen credentials rather than pre-authentication vulnerabilities.

Furthermore, once access to a compromised device was achieved, some attackers stole locally stored credentials in anticipation of those passwords being reused elsewhere on the organization’s network. Even where the firewall is not part of a single sign-on (SSO) setup, users often reuse the passwords of their Entra ID accounts. This highlights why it is crucial to ensure that systems require more than just a password for access and authenticate with a secondary factor such as a machine certificate, token, or app challenge.

This brings us back to the patching issue discussed previously, and reiterates the importance of patching your systems promptly. Take, for example, CVE-2020-15069: even though the fix was issued on June 25, 2020, we were still seeing attackers breaching firewalls to steal local credentials and establish remote command and control as recently as February 18, 2021. Ideally, updates should be applied immediately; if automatic updates are turned off, the gap gives our adversaries an opening far into the foreseeable future.

The little things hold great significance

Another lesson from our experience is that every compromise matters. What at first looks like unrefined tools and tactics may turn out to be the start of a long investigation full of surprises. A modest computer driving a video conferencing system (the initial entry point for the subsequent events in Pacific Rim) could easily have been disregarded and wiped, but it ultimately led us to discover further activity. The pursuit led to the discovery of a sophisticated rootkit we named Cloud Snooper, some novel methods of exploiting Amazon Web Services (AWS), and five years of back-and-forth surveillance, a cat-and-mouse game.

Unremarkable devices such as that video conferencing equipment are favored by today’s adversaries because they are frequently unmonitored, purpose-built, and surprisingly powerful. They carry out a simple task such as driving a display, yet they have the full computing capability of a robust workstation from only a decade ago. That surplus power, combined with the absence of monitoring and of deployable security software, is the perfect mix for remaining concealed, establishing persistence, and exploring other more valuable resources. The call is coming from inside the house…

Occasionally, vulnerabilities arise in the supply chain and can be even more complex to rectify. Those vulnerabilities in particular call for defenders to treat the problem as a shared obligation. For instance, in April 2022, we discovered attackers exploiting a previously unknown flaw in OpenSSL, the widely used open-source encryption library. We notified the OpenSSL team in April 2022; the flaw was designated CVE-2022-1292 (CVSS base score: 9.8) and fixed by the OpenSSL team on May 3. Despite being fully occupied with Pacific Rim itself, there was no doubt that we would take the time to inform the OpenSSL team and assist their patching effort; it’s what responsible community members do.

In that context, alongside internal application security testing and evaluations, Sophos commissions third-party assessments and runs a bug bounty program, the scope (and funding) of which has been growing since its inception in December 2017. While some of these efforts are to some degree preemptive, others are inherently reactive. And again, they require our customers and partners to work with us by applying fixes promptly or, ideally, by enabling emergency fixes to be deployed automatically.

What’s next?

Those familiar with Clifford Stoll’s The Cuckoo’s Egg know that significant security problems sometimes first surface as minor anomalies. That book chronicles probably the first documented instance of state-sponsored “hacking,” in the mid-1980s. Sophos has been engaged in the same game that Stoll played and succeeded at (as much as one can succeed in such a scenario) over three and a half decades ago, at a time when our organization was itself only a few years old. His 75-cent accounting discrepancy is our video conferencing equipment, and what began quietly in both cases evolved into a defining experience for those involved. Many of the techniques Stoll used in the Cuckoo’s Egg investigation are still integral to the tools defenders use today. Recognizing that the defender’s job is genuinely never-ending, we choose to use the Pacific Rim episode as an opportunity to reassess and strengthen defenders’ ability to collaborate and improve.

Sophos X-Ops is eager to collaborate with others and provide additional detailed IOCs on an individual basis. Reach out to us via pacific_rim@sophos.com.

For the whole narrative, please view our landing page: Sophos Pacific Rim: Counter-Offensive Against Chinese Cyber Threats.
