The Federal Bureau of Investigation (FBI) Appeals to the General Public for Assistance in Identifying Chinese Hackers Responsible for Global Cyber Intrusions

The FBI has requested the general public’s aid in identifying the perpetrators behind the global cyber breaches that targeted edge devices and computer networks owned by various corporations and government bodies.

In its statement, the agency described an Advanced Persistent Threat (APT) group that exploited a Sophos XG Firewall vulnerability, CVE-2020-12271, to deploy malware in a widespread series of indiscriminate intrusions aimed at exfiltrating sensitive data from firewalls worldwide.

The FBI's aim is to gather leads on the individuals responsible for these intrusions.

The appeal follows a series of reports from cybersecurity vendor Sophos detailing multiple campaigns between 2018 and 2023 in which attackers abused Sophos' edge network appliances either to deploy custom malware or to turn the devices into proxies that hid their traffic from detection.

Sophos tracks the activity as Pacific Rim. It was conducted for surveillance, sabotage and cyber espionage and has been linked to several Chinese state-backed groups, including APT31, APT41 and Volt Typhoon. The earliest recorded attack, in late 2018, was an intrusion at Sophos' India-based subsidiary, Cyberoam.


According to Sophos, the adversaries targeted critical infrastructure and government facilities in South and Southeast Asia, including nuclear power suppliers, an airport in a national capital, a military medical center, state security institutions, and central government ministries.

Several of the subsequent mass-exploitation waves used zero-day vulnerabilities in Sophos firewalls, namely CVE-2020-12271, CVE-2020-15069, CVE-2020-29574, CVE-2022-1040 and CVE-2022-3236, to compromise the appliances and deliver payloads both to the firewall's firmware and to hosts on the organization's LAN.

Starting in 2021, the attackers shifted to targeted attacks on specific entities, including government agencies, critical infrastructure, research organizations, healthcare providers, retail businesses, financial institutions, military forces and public sector bodies, mainly in the Asia-Pacific region.

By mid-2022, the threat actors concentrated on gaining deeper access to specific organizations, evading detection and collecting more information by manually running commands and deploying malware such as Asnarök, Gh0st RAT and Pygmy Goat, a sophisticated backdoor that provides persistent remote access to Sophos XG Firewalls and potentially other Linux devices.

The U.K. National Cyber Security Centre (NCSC) described Pygmy Goat as sophisticated but not revolutionary: it gives the attacker on-demand interaction with the compromised device while blending in with normal network traffic.

The backdoor, a rootkit delivered as a shared object named "libsophos.so", was planted after exploitation of CVE-2022-1040. Sophos observed it between March and April 2022 on a government device and at a technology partner, and again in May 2022 on a machine at a military hospital in Asia.

Sophos attributes it to a Chinese threat actor it tracks internally as Tstark, which has links to the University of Electronic Science and Technology of China (UESTC) in Chengdu.

The backdoor can "listen and respond to specially crafted ICMP packets, enabling the infected device to establish a SOCKS proxy or a reverse shell back-connection to the attacker's designated IP address."

Sophos also disclosed that early in the campaigns it took a counter-offensive step: it deployed a custom kernel implant on devices it had high confidence were owned by Chinese threat actors engaged in exploit research against its products. Those machines included ones at Sichuan Silence Information Technology's Double Helix Research Institute, and the implant led to the discovery of a "previously unknown and elusive remote code execution exploit" in July 2020.

Follow-up analysis in August 2020 surfaced a second, lower-severity post-authentication remote code execution vulnerability in an operating system component.

Sophos also noted a recurring pattern of bug bounty reports it described as "extremely informative yet suspicious": the reports for CVE-2020-12271 and CVE-2022-1040 were submitted, shortly before those flaws were exploited in the wild, by individuals suspected of being affiliated with research institutions in Chengdu.

The significance of these findings is that they show vulnerabilities being actively researched and weaponized in the Sichuan region and then handed to a range of Chinese state-sponsored front-line groups with differing objectives, resources and post-exploitation tradecraft.

Sophos' Chester Wisniewski said: "While observing Pacific Rim, we noticed a production line of zero-day exploits that were being developed by educational institutions in Sichuan, China. It seems these exploits were then exchanged with state-backed attackers, which aligns with the nation's regulations enforcing such exchanges under its vulnerability-disclosure laws."

The heightened focus on edge network devices coincides with a threat assessment from the Canadian Centre for Cyber Security (Cyber Centre), which disclosed that more than 20 Canadian government networks have been compromised by Chinese state-sponsored hacking groups over the past four years in support of China's strategic, economic and diplomatic goals.

The report also said Chinese threat actors target the private sector to gain an edge by acquiring confidential and proprietary data, and support "transnational repression" operations aimed at Uyghurs, Tibetans, pro-democracy activists and supporters of Taiwanese independence.

According to the statement, Chinese cyber threat actors have “penetrated and upheld access to multiple government networks in the last five years, gaining communications and other valuable intel, sending email communications with tracing images to recipients for network surveys.”
