Mon Nov 04 2024

"Inside the Five-Year Battle of a Firewall Provider Against Chinese Hackers Who Hijack Their Devices."

Sophos went so far as to plant surveillance "implants" on its own devices to catch the hackers at work, which in turn gave it a glimpse into the research-and-development pipeline for intrusion techniques in China.

Over the years, it has been an uncomfortable truth in the cybersecurity industry that the network security appliances sold to protect customers from spies and cybercriminals are often the very machines those intruders compromise to reach their targets. Vulnerabilities in "perimeter" devices such as firewalls and VPN appliances have repeatedly been exploited by sophisticated attackers to break into the networks those devices were meant to protect.

Now, one cybersecurity company has revealed the intense and prolonged battle it has fought against a group of hackers seeking to exploit its products. For more than five years, the British firm Sophos engaged in a cat-and-mouse game with a loosely connected team of adversaries who attacked its firewalls. The company went as far as identifying and monitoring the specific devices on which the hackers were testing their intrusion techniques, watching their work, and tracing that exploit development to a single network of vulnerability researchers in Chengdu, China.

Sophos has now documented its half-decade struggle with these Chinese hackers in a report that describes the escalating exchange of attacks and defenses. The company quietly installed its own "implants" on the Sophos devices the hackers were using, so it could anticipate and monitor their exploitation attempts. From the hackers' test machines, Sophos researchers also recovered a sample of a "bootkit," malware designed to hide undetectably in the low-level code that boots the firewall, a technique that had never before been observed in the wild.

Over the course of this battle, Sophos analysts identified a series of hacking campaigns that began with massive, indiscriminate exploitation of its products but over time became more stealthy and targeted, aimed at nuclear power providers, regulators, military targets including a military hospital, telecommunications companies, government and intelligence agencies, and the airport of a national capital. Most of the targets were in South and East Asia, although a smaller number were identified in Europe, the Middle East, and the United States.

The Sophos report links these campaigns to Chinese state-sponsored hacking groups known as APT41, APT31, and Volt Typhoon. The last of these in particular has sought the ability to disrupt critical infrastructure in the United States, including power grids. However, the company notes that the common thread running through these efforts is not any one of those previously identified groups, but a broader network of researchers who appear to have developed hacking techniques and supplied them to the Chinese state. Sophos connects the development of these exploits to an academic institution and a contractor, both in or near Chengdu: Sichuan Silence Information Technology, a firm Meta has previously linked to Chinese state-run disinformation efforts, and the University of Electronic Science and Technology of China.

Sophos decided to share this story not only to shed light on the hacking research and development chain in China, but also to break the uncomfortable silence in the cybersecurity industry around the broader problem of vulnerabilities in security devices that serve as entry points for attackers. In the past year alone, for example, flaws in security products from other vendors, including Ivanti, Fortinet, Cisco, and Palo Alto Networks, have been exploited in mass hacking campaigns or targeted intrusions. Ross McKerchar, Chief Information Security Officer at Sophos, commented: "This is becoming an open secret. People understand that it's happening, but unfortunately, everyone is silent."

Sophos's confrontation with the hackers began in 2018, when it discovered a malware infection on a computer at the Ahmedabad, India, office of Cyberoam, a Sophos subsidiary. The malware drew attention because of its noisy scanning of the network, and on closer investigation analysts found that the hackers had already compromised other machines on the Cyberoam network with a more sophisticated rootkit, which Sophos named CloudSnooper. The company believes this initial intrusion was meant to gather information about Sophos products in order to facilitate future attacks on its customers.

In the spring of 2020, Sophos became aware of a widespread campaign of indiscriminate infections affecting tens of thousands of firewalls around the world, in an apparent attempt to install a Trojan called Asnarök and build what the company calls "Operational Relay Boxes," or ORBs: in effect, a botnet of compromised appliances that the hackers could use as launch points for other operations. The campaign was surprisingly well-resourced, exploiting multiple zero-day vulnerabilities the hackers had apparently discovered in Sophos devices. Only because the malware's own cleanup routine failed on a small fraction of the affected machines, leaving traces behind, was Sophos able to analyze the intrusions and begin studying the attacks targeting its products.