2024-10-31

Executive Summary

For more than five years, Sophos has been investigating multiple China-based groups targeting Sophos firewalls, with botnets, novel exploits, and bespoke malware.

With assistance from other cybersecurity vendors, governments, and law enforcement agencies we have been able to, with varying levels of confidence, attribute specific clusters of observed activity to Volt Typhoon, APT31 and APT41/Winnti.

Sophos X-Ops has identified, with high confidence, exploit research and development activity being conducted in the Sichuan region. Consistent with China’s vulnerability disclosure legislation, X-Ops assesses with high confidence that the developed exploits were then shared with multiple distinct state-sponsored frontline groups with differing objectives, capabilities, and post-exploitation tooling.

Over the tracked period Sophos has identified three key evolving attacker behaviors:

1. A shift in focus from indiscriminate, noisy, widespread attacks (which X-Ops has concluded were failed attempts to build operational relay boxes [ORBs] to aid future targeted attacks) to stealthier operations against specific high-value and critical infrastructure targets primarily located in the Indo-Pacific region. Victim organizations include nuclear energy suppliers and regulators, military, telecoms, state security agencies, and central government.

2. Evolution in stealth and persistence capability. Notable recent TTPs include increased use of living-off-the-land techniques, insertion of backdoored Java classes, memory-only Trojans, a large and previously undisclosed rootkit (with design choices and artifacts indicative of cross-platform, multi-vendor capability), and an early experimental version of a UEFI bootkit. X-Ops believes this is the first observed instance of bootkit use specifically on a firewall.

3. Threat actor OPSEC improvements, including sabotaging firewall telemetry collection (impacting detection and response capability) and hampering OSINT research via a reduced digital footprint.

In response to calls from NCSC-UK (as expounded upon by NCSC-UK Chief Technology Officer Ollie Whitehouse) and from CISA (in the agency’s Secure-By-Design best practices article), our goal is to transparently highlight the scale and widespread exploitation of edge network devices by state-sponsored adversaries.

In the interests of our collective resilience, we encourage other vendors to follow our lead.


Key takeaways for defenders

Edge network devices are high-value targets that well-resourced adversaries use for both initial access and persistence.

Defenders’ detection and response strategies need to take this into account. To aid defenders, Sophos has:

Provided TTPs and IOCs in the appendix of the detailed timeline to help defenders identify detection opportunities

Outlined the steps it takes to detect and respond to attacks against its customers’ firewalls

State-sponsored attackers use both zero-day and known vulnerabilities to attack edge devices.

This targeting is not unique to Sophos firewalls; as evidenced by published CVEs, all edge devices are a target.

Closely follow your vendor’s device hardening guide (Sophos’ is here) to reduce attack surface and limit exploitability of zero-day vulnerabilities, paying particular attention to administrative interfaces

Enable hotfixes, if supported, and implement processes to monitor your vendors’ vulnerability disclosure communications — and quickly respond accordingly

Ensure you are running supported hardware and software for which your vendor is committed to releasing security updates

State-sponsored targeting is not limited to high-value espionage targets.

Threat actors use edge devices as operational relay boxes (ORBs) to attack onward targets and obfuscate the true origin of attacks.

In a tightly connected digital ecosystem, many organizations form part of a critical infrastructure supply chain and may be targeted by actors seeking to disrupt critical services.

Summary timeline

A full timeline of the activity described in this overview report can be found in the technical addendum to this article. Links to relevant parts of the timeline are provided for each of the sections below to provide detailed context.