Sophos has revealed details of a five-year defensive operation against state-sponsored Chinese groups that attack edge devices, including Sophos firewalls. These groups exploited security vulnerabilities and used purpose-built malware for espionage and for sabotage of critical infrastructure. According to Sophos experts, the investigated groups relied on long-term persistence in victims' environments and on sophisticated, stealthy attacks.
Thanks to the defensive actions taken, the Sophos X-Ops analyst team neutralized the first attacks, which prompted the adversaries to escalate and bring in more experienced operators. Over the course of the five-year operation, the experts responsible for cybersecurity and threat analysis uncovered an extensive ecosystem of attackers using tactics and techniques attributed to Chinese groups such as Volt Typhoon, APT31 and APT41. The attacks were aimed mainly at critical infrastructure and government institutions in South and Southeast Asia, including nuclear energy suppliers, a capital-city airport, a military hospital and state security services.
When the attackers targeted Sophos' own devices, its specialists applied the same detection and response techniques that are used to protect customers' endpoints and corporate network environments. This helped thwart many operations, and the threat intelligence collected was used to build protection against further broad-based and targeted attacks.
The "Pacific Rim" report indicates that state-sponsored Chinese groups attack edge devices that carry unpatched vulnerabilities as well as devices that have reached end of life and are no longer supported by their manufacturers. Sophos experts therefore stress in the report the importance of regularly updating software and of continuously monitoring IT systems for flaws and "open backdoors".
"Edge devices have become extremely attractive targets for Chinese cybercriminal groups such as Volt Typhoon. They create Operational Relay Boxes (ORBs) for communication between devices, which are used to conceal and support their activities. This includes both direct attacks on companies to spy on them and indirect use of software weaknesses for further cyber attacks. Even companies that are not the actual target of the criminal activity fall victim to these attacks. The attackers are drawn to edge devices because they are always on and always connected to the network," emphasizes Ross McKerchar, Chief Information Security Officer (CISO) at Sophos.
Small and Medium Enterprises (SMEs) are also in the hackers’ crosshairs
Every device exposed to the network is a potential target for attackers. For state-sponsored groups, particularly attractive targets are entities belonging to critical infrastructure, including small and medium enterprises in that sector's supply chain. SMEs are susceptible because they often lack the resources to detect advanced cyber threats or defend against them. Moreover, once attackers gain access they maintain persistence for long periods, which makes it harder to detect and evict them quickly.
As Sophos experts point out, effective defence against attacks by state-supported groups requires cooperation between the public sector, the private sector, law enforcement agencies and the cybersecurity industry. Security software vendors also play a significant role here, supporting customers with reliable, tested patches and helping them migrate away from platforms no longer supported by their manufacturers. It is also essential to keep systems continuously updated and to systematically retire or rewrite outdated code that may contain security flaws. Companies should also limit the number of devices exposed on the network.
Source: https://managerplus.pl/chinskie-grupy-cyberprzestepcow-eskaluja-ataki-na-urzadzenia-brzegowe-63343