The Federal Bureau of Investigation (FBI) in the United States has requested public assistance regarding an investigation into the compromise of edge devices and computer networks associated with various companies and government organizations.
According to the agency, “An Advanced Persistent Threat group is believed to have developed and utilized malware (CVE-2020-12271) as part of a broad range of indiscriminate cyber intrusions aimed at extracting sensitive information from firewalls globally.”
The FBI is actively seeking information about the identities of those responsible for these cyber intrusions. This request follows a series of reports from cybersecurity firm Sophos, which detailed campaigns from 2018 to 2023 that exploited its edge infrastructure appliances to deploy custom malware or repurpose them as covert proxies.
The malicious operations, referred to as Pacific Rim, were intended for surveillance, sabotage, and cyber espionage, and have been linked to several Chinese state-sponsored groups, including APT31, APT41, and Volt Typhoon. The earliest recorded attack occurred in late 2018, targeting Sophos’ Indian subsidiary, Cyberoam.
Sophos reported that these adversaries have focused on both small and large critical infrastructure and government facilities, particularly in South and Southeast Asia. Targets have included nuclear energy providers, an airport in a national capital, a military hospital, state security agencies, and central government ministries.
Subsequent mass attacks have been noted to exploit multiple then-zero-day vulnerabilities in Sophos firewalls, specifically CVE-2020-12271, CVE-2020-15069, CVE-2020-29574, CVE-2022-1040, and CVE-2022-3236, to compromise devices and deliver malicious payloads to both the device firmware and the internal networks of organizations.
From 2021 onward, adversaries appeared to transition their strategies from broad, indiscriminate attacks to more focused, ‘hands-on-keyboard’ operations targeting specific entities. These included government agencies, critical infrastructure, research and development organizations, healthcare providers, retail, finance, military, and public-sector organizations, primarily within the Asia-Pacific region.
Starting in mid-2022, these attackers reportedly concentrated their efforts on achieving deeper access to particular organizations, evading detection, and collecting extensive information by executing commands manually and deploying malware such as Asnarök, Gh0st RAT, and Pygmy Goat. The latter is a sophisticated backdoor capable of providing persistent remote access to Sophos XG Firewalls and potentially other Linux devices.
Although Pygmy Goat does not introduce any novel techniques, it is noted for its sophistication in allowing the actor to interact with it on demand while seamlessly blending with normal network traffic, according to the U.K. National Cyber Security Centre (NCSC).
The code is described as clean, featuring short, well-structured functions that facilitate future extensibility, with thorough error checking, indicating it was developed by skilled developers. This backdoor, a novel rootkit presented as a shared object (“libsophos.so”), was found to be delivered following the exploitation of CVE-2022-1040. Its use was detected between March and April 2022 on a government device and a technology partner, and again in May 2022 on a machine located in a military hospital in Asia.
The system possesses the capability to detect and react to specifically designed ICMP packets. If these packets are received by a compromised device, they can trigger the establishment of a SOCKS proxy or a reverse shell connection to an IP address specified by the attacker.
The emergence of Pygmy Goat has been linked to a Chinese threat actor identified internally by Sophos as Tstark, which has connections to the University of Electronic Science and Technology of China (UESTC) located in Chengdu.
Sophos reported that it mitigated these campaigns in their initial phase by implementing a custom kernel implant on devices associated with Chinese threat actors. This action was taken to conduct malicious exploit research, including on systems owned by Sichuan Silence Information Technology’s Double Helix Research Institute, thus enabling the identification of a “previously unknown and stealthy remote code execution exploit” in July 2020.
Subsequent analysis in August 2020 revealed a lower-severity post-authentication remote code execution vulnerability within an operating system component, as noted by the company.
Additionally, the company, which is owned by Thoma Bravo, has noted a trend of receiving “simultaneously highly helpful yet suspicious” bug bounty reports at least twice (CVE-2020-12271 and CVE-2022-1040) from individuals believed to be connected to research institutions in Chengdu before these vulnerabilities were exploited maliciously.
These findings are particularly noteworthy as they indicate that active research and development of vulnerabilities is taking place in the Sichuan region, which is subsequently relayed to various state-sponsored groups in China, each with distinct objectives, capabilities, and post-exploitation methodologies.
“With Pacific Rim, we observed […] a systematic approach to zero-day exploit development linked to educational institutions in Sichuan, China,” stated Chester Wisniewski. “These exploits seem to have been disseminated to state-sponsored attackers, aligning with a national policy that encourages such sharing through their vulnerability-disclosure regulations.”
Edge network devices have increasingly emerged as significant targets for both initial access and sustained presence, with some instances involving their use as operational relay boxes (ORBs) to infiltrate subsequent targets while concealing the true source of attacks.
In recent months, Chinese threat groups such as Volt Typhoon and Storm-0940 have been detected utilizing botnets like KV-Botnet and Quad7, which consist of compromised routers and other edge devices, to carry out reconnaissance and password-spraying operations.
Ross McKerchar, Chief Information Security Officer (CISO) at Sophos, informed The Hacker News that the company has not identified any cases where these botnets have been employed in the Pacific Rim campaigns. “Edge devices are a primary target for actors based in the People’s Republic of China, and the frequency of these attacks is on the rise,” McKerchar stated.
“Our evaluation indicates that the obligation for researchers in the PRC to report vulnerabilities to the Ministry of Industry and Information Technology (MIIT), a governmental body linked to APT groups as highlighted in an Atlantic Council report, is a crucial factor contributing to the vulnerabilities that fuel these attacks.”
The heightened focus on edge network devices aligns with a threat assessment from the Canadian Centre for Cyber Security, which disclosed that at least 20 Canadian government networks have been breached by Chinese state-sponsored hacking groups over the last four years to further their strategic, economic, and diplomatic objectives.
Additionally, it accused Chinese threat actors of targeting the private sector to secure a competitive edge by acquiring confidential and proprietary information, while also facilitating “transnational repression” efforts aimed at Uyghurs, Tibetans, pro-democracy advocates, and supporters of Taiwanese independence.
The report noted that Chinese cyber threat actors “have infiltrated and sustained access to numerous government networks over the past five years, gathering communications and other critical information.” It further mentioned that these threat actors sent emails containing tracking images to recipients.