The U.S. Federal Bureau of Investigation (FBI) has sought assistance from the public in connection with an investigation involving the breach of edge devices and computer networks belonging to companies and government entities.
“An Advanced Persistent Threat group allegedly created and deployed malware (CVE-2020-12271) as part of a widespread series of indiscriminate computer intrusions designed to exfiltrate sensitive data from firewalls worldwide,” the agency said.
“The FBI is seeking information regarding the identities of the individuals responsible for these cyber intrusions.”
The development comes in the aftermath of a series of reports published by cybersecurity vendor Sophos chronicling a set of campaigns between 2018 and 2023 that exploited its edge infrastructure appliances to deploy custom malware or repurpose them as proxies to evade detection.
The malicious activity, codenamed Pacific Rim and designed to conduct surveillance, sabotage, and cyber espionage, has been attributed to multiple Chinese state-sponsored groups, including APT31, APT41, and Volt Typhoon. The earliest attack dates back to late 2018, when a cyber-attack was aimed at Sophos’ Indian subsidiary Cyberoam.
“The adversaries have targeted both small and large critical infrastructure and government facilities, primarily in South and Southeast Asia, including nuclear energy suppliers, a national capital’s airport, a military hospital, state security apparatus, and central government ministries,” Sophos said.
Some of the subsequent mass attacks have been identified as leveraging multiple then zero-day vulnerabilities in Sophos firewalls – CVE-2020-12271, CVE-2020-15069, CVE-2020-29574, CVE-2022-1040, and CVE-2022-3236 – to compromise the devices and deliver payloads both to the device firmware and those located within the organization’s LAN network.
“From 2021 onwards the adversaries appeared to shift focus from widespread indiscriminate attacks to highly targeted, ‘hands-on-keyboard’ narrow-focus attacks against specific entities: government agencies, critical infrastructure, research and development organizations, healthcare providers, retail, finance, military, and public-sector organizations primarily in the Asia-Pacific region,” it said.
Beginning mid-2022, the attackers are said to have focused their efforts on gaining deeper access to specific organizations, evading detection, and gathering more information by manually executing commands and deploying malware like Asnarök, Gh0st RAT, and Pygmy Goat, a sophisticated backdoor cable of providing persistent remote access to Sophos XG Firewalls and likely other Linux devices.
“While not containing any novel techniques, Pygmy Goat is quite sophisticated in how it enables the actor to interact with it on demand, while blending in with normal network traffic,” the U.K. National Cyber Security Centre (NCSC) said.
“The code itself is clean, with short, well-structured functions aiding future extensibility, and errors are checked throughout, suggesting it was written by a competent developer or developers.”
The backdoor, a novel rootkit that takes the form of a shared object (“libsophos.so”), has been found to be delivered following the exploitation of CVE-2022-1040. The use of the rootkit was observed between March and April 2022 on a government device and a technology partner, and again in May 2022 on a machine in a military hospital based in Asia.
It has been attributed to be the handiwork of a Chinese threat actor internally tracked by Sophos as Tstark, which shares links to the University of Electronic Science and Technology of China (UESTC) in Chengdu.
It comes with the “ability to listen for and respond to specially crafted ICMP packets, which, if received by an infected device, would open a SOCKS proxy or a reverse shell back-connection to an IP address of the attacker’s choosing.”
Sophos said it countered the campaigns in its early stage by deploying a bespoke kernel implant of its own on devices owned by Chinese threat actors to carry out malicious exploit research, including machines owned by Sichuan Silence Information Technology’s Double Helix Research Institute, thereby gaining visibility into a “previously unknown and stealthy remote code execution exploit” in July 2020.
A follow-up analysis in August 2020 led to the discovery of a lower-severity post-authentication remote code execution vulnerability in an operating system component, the company added.
Furthermore, the Thoma Bravo-owned company said it has observed a pattern of receiving “simultaneously highly helpful yet suspicious” bug bounty reports at least twice (CVE-2020-12271 and CVE-2022-1040) from what it suspects are individuals with ties to Chengdu-based research institutions prior to them being used maliciously.
The findings are significant, not least because they show that active vulnerability research and development activity is being conducted in the Sichuan region, and then passed on to various Chinese state-sponsored frontline groups with differing objectives, capabilities, and post-exploitation techniques.
“With Pacific Rim we observed […] an assembly line of zero-day exploit development associated with educational institutions in Sichuan, China,” Chester Wisniewski said. “These exploits appear to have been shared with state-sponsored attackers, which makes sense for a nation-state that mandates such sharing through their vulnerability-disclosure laws.”
The increased targeting of edge network devices also coincides with a threat assessment from the Canadian Centre for Cyber Security (Cyber Centre) that revealed at least 20 Canadian government networks have been compromised by Chinese state-sponsored hacking crews over the past four years to advance its strategic, economic, and diplomatic interests.
It also accused Chinese threat actors of targeting its private sector to gain a competitive advantage by collecting confidential and proprietary information, alongside supporting “transnational repression” missions that seek to target Uyghurs, Tibetans, pro-democracy activists, and supporters of Taiwanese independence.
Chinese cyber threat actors “have compromised and maintained access to multiple government networks over the past five years, collecting communications and other valuable information,” it said. “The threat actors sent email messages with tracking images to recipients to conduct network reconnaissance.”
