Sophos X-Ops has completed a large-scale investigation into Chinese cyberattack groups that have been targeting network devices worldwide for the past five years. The attackers' primary targets have been firewalls and remote access systems. Sophos conducted a thorough analysis of the intrusion methods used and has since released recommendations and security updates.
The series of attacks traces back to December 2018, when hackers gained access to a device in the office of the Indian division of Cyberoam. Exploiting weak security settings, the attackers scanned the network and identified a way in. In 2020, a vulnerability known as Asnarök (CVE-2020-12271, CVSS rating 10.0) was discovered; it allowed attackers to gain root access to devices and install Trojan malware, enabling them to covertly control systems while bypassing standard protective measures.
To combat this growing threat, Sophos released updates and deployed telemetry sensors on devices to improve monitoring of attacker activity. By April 2020, Sophos detected a new wave of attacks exploiting another vulnerability in the Sophos XG Firewall, CVE-2020-15069 (CVSS rating 9.8). This vulnerability enabled attackers to install malware on devices with a WAN interface, granting them undetected access.
Beginning in 2021, the Chinese hackers shifted to targeting specific entities, such as state institutions and critical infrastructure in the Asia-Pacific region. In March 2022, Sophos uncovered a new vulnerability in the Sophos Firewall, CVE-2022-1040 (CVSS rating 9.8), which allowed attackers to bypass authentication and gain complete control of devices. This flaw was exploited to install a specialized rootkit that could covertly intercept commands and provide remote control.
In 2022, Sophos observed a new strategy: the attacks became more covert, using chains of proxy servers to mask their origin. These more recent attacks, known as Covert Channels, enabled the hackers to hijack accounts and deploy disruptive network scripts. Sophos has been collaborating with international organizations and national cybersecurity centers to fend off these threats. It has released updates to harden device security and has shared indicators of compromise (IOCs) to help companies safeguard their networks against potential attacks.