October 31st, 2024

Sophos Used Custom Implants to Surveil Chinese Hackers Targeting Firewall 0-Days

British cybersecurity firm Sophos has faced ongoing attacks from Chinese government-backed hackers since 2018, targeting vulnerabilities in its products and shifting focus towards government and critical infrastructure in the Asia-Pacific region.

British cybersecurity firm Sophos has revealed its ongoing battle with sophisticated Chinese government-backed hackers, detailing a series of attacks that began in 2018. The attackers targeted vulnerabilities in Sophos' enterprise products, particularly focusing on zero-day exploits. Notably, a breach at Sophos' Cyberoam office in India allowed hackers to gain initial access through a neglected display unit. Sophos reported that the attackers employed various advanced techniques, including a custom userland rootkit and a unique UEFI bootkit, to maintain persistence and control over compromised devices. In response, Sophos deployed its own custom implants to monitor the attackers' activities, which led to the discovery of a stealthy remote code execution exploit. The hackers utilized SQL injection and command injection methods to install malware on firewalls, particularly during the pandemic when remote work surged. Sophos also noted a strategic shift in the attackers' focus towards government and critical infrastructure organizations in the Asia-Pacific region. The company collaborated with the Netherlands’ National Cyber Security Centre to disrupt the attackers' command and control infrastructure. This ongoing conflict highlights the evolving nature of cyber threats and the necessity for robust cybersecurity measures.

- Sophos has been engaged in a prolonged conflict with Chinese government-backed hackers since 2018.

- The attackers exploited zero-day vulnerabilities in Sophos' products, using advanced techniques for persistence.

- Sophos deployed custom implants to monitor the attackers and discovered new exploits.

- The focus of the attacks shifted towards government and critical infrastructure targets in the Asia-Pacific.

- Collaboration with national cybersecurity agencies was key in countering the attackers' operations.