On Thursday, October 31, the British cybersecurity company Sophos released a new research report revealing a five-year “tit-for-tat” confrontation with hacker groups supported by the Chinese government. The report broke the silence in the cybersecurity industry on the serious issue of security equipment vulnerabilities.
In recent years, vulnerabilities in cybersecurity equipment have often been exploited by hackers as entry points. In the past year alone, vulnerabilities in products from companies like Ivanti, Fortinet, Cisco, and Palo Alto have been exploited by hackers, leading to a significant number of malicious attacks.
Sophos’ Chief Information Security Officer, Ross McKerchar, stated, “This has become an open secret. People know these things are happening, but everyone remains silent.”
“We chose to take a different approach, trying a very transparent way to respond directly to this issue and confront our opponents on the battlefield,” he said.
According to Sophos’ latest report, their long-running confrontation with these Chinese state-sponsored hackers began in 2018 when malicious software named CloudSnooper was discovered on a computer in Sophos’ subsidiary office in India. The initial intrusion seemed to involve gathering information on Sophos products for future attacks on Sophos’ customers.
In 2020, Sophos found that hackers had infected tens of thousands of firewall devices worldwide, attempting to install a Trojan named Asnarök and using these infected devices as a springboard for further incursions.
Sophos’ threat intelligence and incident response team, X-Ops, launched an investigation immediately. They discovered early signs of testing by hackers on Sophos devices registered in Chengdu, and through user registration and download records, tracked it to a company in Chengdu—Sichuan Silence Information Technology—and an employee at Chengdu University of Electronic Science and Technology who had used the online alias “TStark” to search for structural data of Sophos firewalls.
At that time, the X-Ops team implanted spyware in Sophos devices used by Chengdu hackers for testing, conducting “reverse surveillance” through a small number of installation codes in Sophos’ own products. This proactive surveillance action allowed the company to access crucial parts of the hackers’ code and prevent a third wave of intrusions.
McKerchar stated, “We were at a disadvantage during the first wave of attacks. We were evenly matched in the second wave, and in the third attack, we took the lead.”
Several years ago, Meta, Facebook’s parent company, identified “Sichuan Silence Information Technology” as spreading rumors overseas on behalf of the Chinese Communist Party.
As early as 2021, the internet was flooded with false information from a figure called “Wilson Edwards,” impersonating a Swiss biologist, who falsely claimed that the U.S. was interfering in the origin tracing of the coronavirus. His statements were widely circulated by Chinese official media.
Meta removed over 500 accounts related to this false information and indicated a connection between the dissemination of false information and “Sichuan Silence Information Technology.”
Sophos’ report indicates that “Sichuan Silence Information Technology” and the Chengdu University staff members do not seem to be directly involved in the attacks by Chinese state hackers; rather, they act as a vulnerability research organization that develops and provides intrusion technology for the Chinese government.
The report mentioned that Chinese state hacker groups like APT41, APT31, and “Volt Typhoon” have repeatedly used vulnerability techniques provided by the Sichuan team for targeted attacks.
Interestingly, these individuals sometimes participate in Sophos’ vulnerability reward programs, reporting the same vulnerabilities to earn bounties. For example, Sophos paid $20,000 to a Chinese researcher who discovered a vulnerability that was later used as an entry point in attack activities.
Furthermore, Sophos’ report also warns that these Chinese hackers seem to be shifting towards attacking old, unpatched firewall devices that are no longer being updated, rather than seeking out new vulnerabilities.
Sophos CEO Joe Levy emphasized in a statement that device owners should replace “end-of-life” devices, and security vendors should clearly inform customers of the end-of-life date for their devices to prevent them from becoming unprotected entry points.
Sophos stated that over a thousand outdated devices have been targeted by hackers in just the past 18 months.
(This article referenced relevant reports from “Wired” magazine)