FBI Seeks Public Help to Identify Chinese Hackers Behind Global Cyber Intrusions

The U.S. Federal Bureau of Investigation (FBI) has sought assistance from the public in connection with an investigation involving the breach of edge devices and computer networks belonging to companies and government entities.

“An Advanced Persistent Threat group allegedly created and deployed malware (CVE-2020-12271) as part of a widespread series of indiscriminate computer intrusions designed to exfiltrate sensitive data from firewalls worldwide,” the agency said.

“The FBI is seeking information regarding the identities of the individuals responsible for these cyber intrusions.”

The development comes in the aftermath of a series of reports published by cybersecurity vendor Sophos chronicling a set of campaigns between 2018 and 2023 that exploited its edge infrastructure appliances to deploy custom malware or repurpose them as proxies to fly under the radar.

The malicious activity, codenamed Pacific Rim and designed to conduct surveillance, sabotage, and cyber espionage, has been attributed to multiple Chinese state-sponsored groups, including APT31, APT41, and Volt Typhoon. The earliest attack dates back to late 2018 and was aimed at Sophos’ Indian subsidiary Cyberoam.

“The adversaries have targeted both small and large critical infrastructure and government facilities, primarily in South and Southeast Asia, including nuclear energy suppliers, a national capital’s airport, a military hospital, state security apparatus, and central government ministries,” Sophos said.

Some of the subsequent mass attacks have been identified as leveraging multiple then-zero-day vulnerabilities in Sophos firewalls – CVE-2020-12271, CVE-2020-15069, CVE-2020-29574, CVE-2022-1040, and CVE-2022-3236 – to compromise the devices and deliver payloads both to the device firmware and to hosts located inside the organization’s LAN.

“From 2021 onwards the adversaries appeared to shift focus from widespread indiscriminate attacks to highly targeted, ‘hands-on-keyboard’ narrow-focus attacks against specific entities: government agencies, critical infrastructure, research and development organizations, healthcare providers, retail, finance, military, and public-sector organizations primarily in the Asia-Pacific region,” it said.

Beginning in mid-2022, the attackers are said to have focused their efforts on gaining deeper access to specific organizations, evading detection, and gathering more information by manually executing commands and deploying malware like Asnarök, Gh0st RAT, and Pygmy Goat, a sophisticated backdoor capable of providing persistent remote access to Sophos XG Firewalls and likely other Linux devices.

“While not containing any novel techniques, Pygmy Goat is quite sophisticated in how it enables the actor to interact with it on demand, while blending in with normal network traffic,” the U.K. National Cyber Security Centre (NCSC) said.

“The code itself is clean, with short, well-structured functions aiding future extensibility, and errors are checked throughout, suggesting it was written by a competent developer or developers.”

The backdoor, a novel rootkit that takes the form of a shared object (“libsophos.so”), has been found to be delivered following the exploitation of CVE-2022-1040. The use of the rootkit was observed between March and April 2022 on a government device and a technology partner, and again in May 2022 on a machine in a military hospital based in Asia.

It comes with the “ability to listen for and respond to specially crafted ICMP packets, which, if received by an infected device, would open a SOCKS proxy or a reverse shell back-connection to an IP address of the attacker’s choosing.”
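The trigger described above is a classic "magic packet" design: the implant sits passively on the device and only acts when an ICMP packet with a specific payload arrives, so the activation traffic is the one thing that has to cross the wire in the clear. The script below is an added example of how a defender can hunt for that class of trigger in captured traffic; it is not code from Sophos, the NCSC, or the malware, and it does not assume Pygmy Goat's actual trigger format, which the page does not give. It parses raw IPv4/ICMP echo requests (built inline as constructed test packets, with valid checksums) and flags any whose payload does not match what ordinary Linux (iputils) or Windows ping tools send. The 48-byte "trigger" payload and the addresses are constructed for the demonstration.

```python
"""Hunt for ICMP "magic packet" backdoor triggers in raw IPv4/ICMP traffic.

Added example, not from the NCSC Pygmy Goat report or Sophos: an ICMP-triggered
implant has to receive its activation packet over the network, and those
payloads rarely look like the data normal ping tools send. Every packet and
payload below is constructed for the demo; the real trigger format is assumed
unknown and is not modelled.
"""
import math
import struct

LINUX_PING_TS_LEN = 16  # iputils ping: 16-byte timestamp, then bytes 0x10, 0x11, ...
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"  # 32-byte Windows ping data
ENTROPY_THRESHOLD = 4.5  # bits/byte; above this an unknown payload looks encrypted


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum (used for both the IP and ICMP headers)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(src: str, dst: str, payload: bytes, ident: int = 0x1234, seq: int = 1) -> bytes:
    """Constructed test packet: minimal 20-byte IPv4 header + ICMP echo request."""
    icmp_hdr = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = inet_checksum(icmp_hdr + payload)
    icmp = struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", inet_checksum(ip_hdr)) + ip_hdr[12:]
    return ip_hdr + icmp


def parse_echo(raw: bytes):
    """Return (src, dst, ident, seq, payload) for a well-formed ICMP echo request, else None."""
    if len(raw) < 28 or raw[0] >> 4 != 4 or raw[9] != 1:  # IPv4 with protocol 1 (ICMP)
        return None
    ihl = (raw[0] & 0x0F) * 4
    icmp = raw[ihl:]
    if len(icmp) < 8:
        return None
    itype, _code, _csum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    # A correct ICMP checksum folds the whole message to zero; drop damaged packets.
    if itype != 8 or inet_checksum(icmp) != 0:
        return None
    src = ".".join(map(str, raw[12:16]))
    dst = ".".join(map(str, raw[16:20]))
    return src, dst, ident, seq, icmp[8:]


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((data.count(b) / n) * math.log2(data.count(b) / n) for b in set(data))


def classify_payload(payload: bytes) -> str:
    """Match known ping payload layouts first; anything else is worth a look."""
    n = len(payload)
    if n == 0:
        return "empty"
    if payload == WINDOWS_PING_PAYLOAD:
        return "windows-ping"
    # iputils overwrites the first 16 bytes with a timestamp; the rest is i & 0xFF.
    if n > LINUX_PING_TS_LEN and payload[LINUX_PING_TS_LEN:] == bytes(i & 0xFF for i in range(LINUX_PING_TS_LEN, n)):
        return "linux-ping"
    return "suspicious-high-entropy" if entropy(payload) > ENTROPY_THRESHOLD else "unrecognized"


def hunt(packets):
    """Return one finding per echo request whose payload is not a known ping pattern."""
    findings = []
    for raw in packets:
        parsed = parse_echo(raw)
        if parsed is None:
            continue
        src, dst, _ident, _seq, payload = parsed
        verdict = classify_payload(payload)
        if verdict not in ("linux-ping", "windows-ping"):
            findings.append({"src": src, "dst": dst, "len": len(payload),
                             "entropy": round(entropy(payload), 2), "verdict": verdict})
    return findings


# Constructed samples: two ordinary pings and one encrypted-looking 48-byte payload.
LINUX_PAYLOAD = bytes(LINUX_PING_TS_LEN) + bytes(range(LINUX_PING_TS_LEN, 56))
TRIGGER_PAYLOAD = bytes.fromhex(
    "9f3a7c12e48b0d56a1f7c3e92b6d4a0871e5c2f9b3d8a64c1e0f7b2d5a93c8e6"
    "4b7d1f0a3e9c6b28d5f4a71ce27f0b39")
SAMPLE_PACKETS = [
    build_echo_request("10.0.0.5", "10.0.0.1", LINUX_PAYLOAD),
    build_echo_request("10.0.0.7", "10.0.0.1", WINDOWS_PING_PAYLOAD),
    build_echo_request("203.0.113.9", "10.0.0.1", TRIGGER_PAYLOAD),
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_PACKETS):
        print(finding)
```

Against the constructed samples only the third packet is reported. On a real appliance this logic belongs on a span port or a pcap from the firewall's WAN side, and the known-pattern list should be extended with whatever monitoring tools legitimately ping the device; the point is that a magic-packet trigger cannot hide inside traffic that is itself rare and structurally distinctive.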

The deployment of Pygmy Goat has been attributed to a Chinese threat actor internally tracked by Sophos as Tstark, which shares links to the University of Electronic Science and Technology of China (UESTC) in Chengdu.

Sophos said it countered the campaigns in their early stages by deploying a bespoke kernel implant of its own on devices maintained by Chinese threat actors to carry out malicious exploit research, including machines owned by Sichuan Silence Information Technology’s Double Helix Research Institute, thereby gaining visibility in July 2020 into a “previously unknown and stealthy remote code execution exploit.”

A follow-up analysis in August 2020 led to the discovery of a lower-severity post-authentication remote code execution vulnerability in an operating system component, the company added.

Furthermore, the Thoma Bravo-owned company said it has observed a pattern of receiving “simultaneously highly helpful yet suspicious” bug bounty reports, on at least two occasions (CVE-2020-12271 and CVE-2022-1040), from what it suspects are individuals with ties to Chengdu-based research institutions, before the same vulnerabilities were used maliciously.

The findings are significant, not least because they show that active vulnerability research and development activity is being conducted in the Sichuan region, and then passed on to various Chinese state-sponsored frontline groups with differing objectives, capabilities, and post-exploitation techniques.

“With Pacific Rim, we observed […] an assembly line of zero-day exploit development associated with educational institutions in Sichuan, China,” Chester Wisniewski said. “These exploits appear to have been shared with state-sponsored attackers, which makes sense for a nation-state that mandates such sharing through their vulnerability-disclosure laws.”

Edge network devices have increasingly become high-value targets for both initial access and persistence, in some cases even used as operational relay boxes (ORBs) to breach onward targets and obfuscate the true origin of attacks.

In recent months, People’s Republic of China (PRC) threat actors like Volt Typhoon and Storm-0940 have been observed leveraging botnets like KV-Botnet and Quad7 comprising infected routers and other edge devices to conduct reconnaissance and password-spraying attacks.

Sophos’ Chief Information Security Officer (CISO) Ross McKerchar told The Hacker News that the company has not observed instances where these botnets have been put to use as part of the Pacific Rim campaigns.

“Edge devices are a key target for PRC-based actors, and the rate at which they are being targeted is increasing,” McKerchar said.

“Our assessment is that the requirement for PRC-based researchers to share vulnerabilities with the MIIT, a government entity which the Atlantic Council report shows has links to APT groups, is a key component which is providing the underlying fuel and vulnerabilities to power these attacks.”

The increased targeting of edge network devices also coincides with a threat assessment from the Canadian Centre for Cyber Security (Cyber Centre) that revealed at least 20 Canadian government networks have been compromised by Chinese state-sponsored hacking crews over the past four years to advance China’s strategic, economic, and diplomatic interests.

The Cyber Centre also accused Chinese threat actors of targeting Canada’s private sector to gain a competitive advantage by collecting confidential and proprietary information, alongside supporting “transnational repression” missions that target Uyghurs, Tibetans, pro-democracy activists, and supporters of Taiwanese independence.

Chinese cyber threat actors “have compromised and maintained access to multiple government networks over the past five years, collecting communications and other valuable information,” it said. “The threat actors sent email messages with tracking images to recipients to conduct network reconnaissance.”

(The story was updated after publication to include responses from Sophos.)