In recent years, the global cybersecurity landscape has been increasingly dominated by state-sponsored cyberattacks, particularly those originating from China. According to a series of reports by cybersecurity firm Sophos, multiple Advanced Persistent Threat (APT) groups have been involved in a sophisticated campaign dubbed “Pacific Rim” that targets edge devices and firewalls. This campaign has raised alarms across both public and private sectors, with the U.S. Federal Bureau of Investigation (FBI) now seeking public assistance in identifying the perpetrators.
Pacific Rim: A Years-Long Campaign Uncovered by Sophos
Sophos’ detailed reports reveal that since 2018, a coordinated series of cyber intrusions has been exploiting vulnerabilities in edge infrastructure devices to deploy malware, steal sensitive data, and perform reconnaissance. This campaign, which persisted through 2023, has leveraged multiple zero-day vulnerabilities to compromise firewalls worldwide.
The primary vulnerability, identified as CVE-2020-12271, involves an SQL injection flaw found in older versions of the Sophos XG Firewall. The attackers exploited this flaw to gain remote code execution (RCE) access, enabling them to exfiltrate usernames, passwords, and other critical data from compromised systems.
In addition to CVE-2020-12271, other vulnerabilities like CVE-2020-15069, CVE-2020-29574, CVE-2022-1040, and CVE-2022-3236 were also targeted, allowing the attackers to breach network defenses and gain unauthorized access to critical infrastructure.
From Broad Attacks to Precision Targeting: Shifting Tactics
While the early stages of the Pacific Rim campaign involved widespread attacks, the focus shifted around 2021. The attackers moved from indiscriminate mass intrusions to more refined, targeted operations. These operations were primarily aimed at high-value entities such as government agencies, critical infrastructure, research institutions, healthcare providers, and financial organizations, with a particular emphasis on South and Southeast Asia.
Beginning in mid-2022, the threat actors deployed more sophisticated tactics, including hands-on-keyboard operations in which commands were executed manually to evade detection and maintain persistent access. Malware such as Asnarök, Gh0st RAT, and Pygmy Goat was used to infiltrate Sophos XG Firewalls and Linux devices. The Pygmy Goat backdoor, in particular, has proven highly adaptable, blending seamlessly into normal network traffic to avoid detection.
Attribution to Chinese State-Sponsored Groups
Sophos has attributed the Pacific Rim campaign to several Chinese state-sponsored APT groups, including APT31, APT41, and Volt Typhoon. Notably, the deployment of the Pygmy Goat malware was traced back to a group internally referred to as Tstark, which has potential ties to the University of Electronic Science and Technology of China (UESTC) in Chengdu. This highlights the role of academic institutions in facilitating China’s cyber warfare capabilities.
The U.K. National Cyber Security Centre (NCSC) has noted that Pygmy Goat, while not using any groundbreaking techniques, is exceptionally well-crafted. Its clean code and robust error-checking mechanisms suggest that it was developed by skilled professionals, possibly with direct support from state resources.
Edge Devices: A Prime Target for Chinese Cyber Espionage
The focus on edge devices—those that connect an organization’s internal network to the internet—underscores the strategic value these devices hold for attackers. By compromising firewalls and routers, threat actors can establish a foothold within networks and obfuscate their operations, making it harder for defenders to trace the origin of attacks.
Recent assessments by the Canadian Centre for Cyber Security have revealed that at least 20 Canadian government networks have been compromised by Chinese threat actors over the past four years. These breaches were aimed at advancing China’s strategic, economic, and diplomatic interests, often targeting sectors with critical intellectual property or sensitive information.
FBI Seeks Public Assistance in Identifying Threat Actors
In light of these revelations, the FBI is calling on the public to assist in identifying the individuals behind these sophisticated cyber intrusions. The agency has set up channels for secure communication via WhatsApp, Signal, and Telegram for those who can provide actionable intelligence. The FBI’s appeal underscores the seriousness of these attacks, which have compromised the security of both private companies and government agencies.
Implications for Businesses and Recommendations for Protection
As edge network devices continue to be a primary target for cyberattacks, it is crucial for organizations to take proactive measures in safeguarding their systems. Companies should ensure that their firewalls and other network devices are regularly updated with the latest security patches. Additionally, adopting robust multi-factor authentication (MFA) and conducting regular vulnerability assessments can significantly reduce the risk of compromise.
At DLDigital.Online, we specialize in helping businesses secure their digital infrastructure through comprehensive cybersecurity services. With the recent surge in edge device attacks, it has never been more critical to protect your organization’s data and systems. Contact us today to learn how we can assist in setting up advanced cybersecurity measures, including mandatory 2FA for all users, to safeguard your business against evolving threats.
Moving Forward
The increasing sophistication of state-sponsored cyberattacks calls for a unified response from governments, cybersecurity firms, and the general public. By staying informed and implementing robust cybersecurity practices, organizations can better protect themselves from becoming the next victim of these relentless campaigns.