FBI Calls for Public Assistance to Identify Chinese Hackers Involved in Worldwide Cyber Attacks

The U.S. Federal Bureau of Investigation (FBI) is seeking information from the public about a series of intrusions into edge devices and computer networks belonging to companies and government entities.
According to the FBI, an Advanced Persistent Threat (APT) group created and deployed malware as part of a series of indiscriminate intrusions designed to exfiltrate sensitive data from firewalls worldwide. The identifier the FBI cites, CVE-2020-12271, is not the malware itself but the vulnerability that was exploited to plant it: a pre-authentication SQL injection flaw in Sophos XG Firewall. The FBI is now asking anyone with information that could help identify the individuals behind these intrusions to come forward.
The appeal follows a series of reports from cybersecurity vendor Sophos detailing campaigns between 2018 and 2023 in which attackers exploited vulnerabilities in Sophos firewall appliances to deploy custom malware and to use the compromised devices as proxies so their traffic would blend in and avoid detection.
The activity, which Sophos codenamed Pacific Rim, is attributed to multiple Chinese state-sponsored groups, including APT31, APT41, and Volt Typhoon. The earliest recorded attack dates back to late 2018 and targeted Cyberoam, Sophos' Indian subsidiary.
The adversaries targeted critical infrastructure and government facilities large and small, mainly in South and Southeast Asia. Victims included nuclear energy suppliers, a national capital's airport, a military hospital, state security apparatus, and central government ministries.
Some of the mass attacks exploited multiple zero-day vulnerabilities in Sophos firewalls (CVE-2020-12271, CVE-2020-15069, CVE-2020-29574, CVE-2022-1040, and CVE-2022-3236) to compromise devices and deliver payloads both to the device itself and to hosts on the organization's LAN.
From 2021 onwards, the attackers shifted focus from widespread indiscriminate attacks to highly targeted, hands-on-keyboard attacks against specific entities. These entities include government agencies, critical infrastructure, research and development organizations, healthcare providers, retail, finance, military, and public-sector organizations primarily in the Asia-Pacific region.
From mid-2022 the attackers intensified their efforts to gain deeper access to specific organizations, evading detection and gathering more information by manually running commands and deploying malware families such as Asnarök, Gh0st RAT, and Pygmy Goat, a backdoor that provides persistent remote access to Sophos XG Firewalls and, likely, other Linux devices.
Pygmy Goat does not contain any novel techniques, but it is sophisticated in how it lets the attacker interact with it on demand while blending in with normal network traffic. The U.K. National Cyber Security Centre (NCSC), which analysed the sample, noted that the code is clean and well-structured, indicating that it was written by a competent individual or team.
The rootkit component of the backdoor ("libsophos.so") was delivered after exploitation of CVE-2022-1040. It was observed between March and April 2022 on a government device and on a device belonging to a technology partner, and again in May 2022 on a machine at a military hospital in Asia. The implant listens for specially crafted ICMP packets and, when it receives one, opens a SOCKS proxy or a reverse-shell connection back to an attacker-controlled IP address.
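A backdoor that waits for a crafted ICMP packet leaves two things for a defender to look at: inbound echo requests that do not look like anyone's ping, and an unexpected shared object inside a long-lived daemon on the device. The following is an added example, not Sophos, NCSC or FBI code and not a signature for Pygmy Goat (the magic bytes it looks for are not given on this page). It parses raw IPv4/ICMP frames, flags echo requests to a firewall WAN address whose payload is not a stock Windows or Linux ping payload, rates how encrypted-looking the payload is by entropy, and scans a `/proc/<pid>/maps` dump for a file named `libsophos.so`. The WAN address, source addresses, packets and maps excerpt are all constructed; the threshold and the "library in sshd" indicator are assumptions of this example.

```python
"""Added example, not Sophos, NCSC or FBI code: flag ICMP echo requests whose
payload is not what a stock ping client sends, and spot a named shared object
mapped into sshd.  The magic bytes Pygmy Goat waits for are not on this page,
so the ICMP check is an assumed heuristic rather than a signature."""
import math
import struct
from collections import Counter
from typing import Optional

WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"  # ping.exe default


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; 0 means the packet verifies."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_packet(src, dst, payload: bytes, icmp_type: int = 8) -> bytes:
    """Constructed sample input: minimal IPv4 header (no options) + ICMP."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, 1) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + icmp


def parse_ipv4_icmp(packet: bytes) -> Optional[dict]:
    """ICMP fields of a raw IPv4 frame, or None if the frame is not ICMP."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1 or len(packet) < ihl + 8:  # IP protocol 1 = ICMP
        return None
    icmp = packet[ihl:]
    return {"src": ".".join(map(str, packet[12:16])),
            "dst": ".".join(map(str, packet[16:20])),
            "type": icmp[0], "code": icmp[1], "payload": icmp[8:],
            "checksum_ok": inet_checksum(icmp) == 0}


def is_stock_ping_payload(payload: bytes) -> bool:
    """Default payload of Windows ping, or of Linux iputils ping, which fills
    byte i with i & 0xFF and overwrites the first 16 bytes with a timestamp."""
    if payload == WINDOWS_PING_PAYLOAD:
        return True
    return len(payload) > 16 and all(payload[i] == (i & 0xFF)
                                     for i in range(16, len(payload)))


def shannon_entropy(data: bytes) -> float:
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def triage_icmp(packets: list, wan_addr: str) -> list:
    """Assumed heuristic: echo requests to the WAN address whose payload is not
    a stock ping pattern; near-maximal entropy for the length suggests an
    encrypted or encoded payload rather than a plain probe."""
    findings = []
    for raw in packets:
        pkt = parse_ipv4_icmp(raw)
        if pkt is None or pkt["type"] != 8 or pkt["dst"] != wan_addr:
            continue
        if is_stock_ping_payload(pkt["payload"]):
            continue
        n, ent = len(pkt["payload"]), shannon_entropy(pkt["payload"])
        findings.append({"src": pkt["src"], "len": n, "entropy": round(ent, 2),
                         "likely_encrypted": n >= 32 and ent >= 0.9 * math.log2(min(n, 256))})
    return findings


def find_injected_library(maps_text: str, name: str = "libsophos.so") -> list:
    """/proc/<pid>/maps lines that map a file called `name` (the rootkit file
    named on this page); its presence in sshd is this example's assumed indicator."""
    return [ln for ln in maps_text.splitlines() if ln.rstrip().endswith("/" + name)]


# Constructed samples (documentation-range addresses, made-up paths), not captured data.
WAN_ADDR = "198.51.100.1"
SAMPLE_PACKETS = [
    build_icmp_packet("203.0.113.7", WAN_ADDR,
                      b"\x65\x4b\x1a\x2c" + bytes(12) + bytes(range(16, 56))),  # Linux ping
    build_icmp_packet("203.0.113.8", WAN_ADDR, WINDOWS_PING_PAYLOAD),            # Windows ping
    build_icmp_packet("203.0.113.9", WAN_ADDR, b"PING" * 8),                     # odd, low entropy
    build_icmp_packet("203.0.113.10", WAN_ADDR, bytes(range(0x80, 0xB0))),       # 48 distinct bytes
    build_icmp_packet("203.0.113.11", WAN_ADDR, bytes(range(0x80, 0xB0)), icmp_type=0),  # reply
]
SAMPLE_SSHD_MAPS = """\
7f1c2e000000-7f1c2e1b5000 r-xp 00000000 08:01 1234   /lib/x86_64-linux-gnu/libc.so.6
7f1c2e400000-7f1c2e41a000 r-xp 00000000 08:01 5678   /lib/libsophos.so
"""
```

Run `triage_icmp(SAMPLE_PACKETS, WAN_ADDR)` and only the two non-stock echo requests come back, with the 48-distinct-byte one marked `likely_encrypted`; the echo reply is ignored because the backdoor is triggered by requests. On a real device the packets would come from a capture on the WAN interface and the maps text from `/proc/$(pidof sshd)/maps`; a hit from `find_injected_library` is a reason to image the box, not to clean it in place.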
The deployment of Pygmy Goat has been linked to a Chinese threat actor tracked by Sophos as Tstark. This group is associated with the University of Electronic Science and Technology of China (UESTC) in Chengdu.
Sophos countered these campaigns early by deploying its own kernel implant on Sophos devices that the Chinese threat actors had obtained, which gave it visibility into a previously unknown and stealthy remote code execution exploit in July 2020.
Follow-up analysis in August 2020 uncovered a lower-severity post-authentication remote code execution vulnerability. Sophos also noted a pattern of receiving "highly helpful but suspicious" bug bounty reports, which it suspects came from individuals with ties to Chengdu-based research institutions.
Taken together, these findings point to an ongoing vulnerability research and exploit development effort in Sichuan, China, whose output is handed to various Chinese state-sponsored groups with different objectives and tradecraft.
Edge network devices have become high-value targets for initial access and persistence. Chinese threat actors like Volt Typhoon and Storm-0940 have leveraged botnets comprising infected routers and other edge devices for reconnaissance and password-spraying attacks.
Sophos' Chief Information Security Officer, Ross McKerchar, said that edge devices are increasingly targeted by actors based in the People's Republic of China (PRC), and pointed to the requirement for PRC-based researchers to report vulnerabilities to the Ministry of Industry and Information Technology (MIIT), a government entity he described as linked to APT groups, as a factor feeding these attacks.
The increased targeting of edge network devices aligns with a threat assessment from the Canadian Centre for Cyber Security (Cyber Centre). This assessment revealed that at least 20 Canadian government networks have been compromised by Chinese state-sponsored hacking crews over the past four years.
Chinese cyber threat actors have also targeted the private sector to gain a competitive advantage and support missions targeting Uyghurs, Tibetans, pro-democracy activists, and supporters of Taiwanese independence. These actors have compromised multiple government networks, collecting valuable information through methods such as email messages with tracking images to conduct network reconnaissance.
The FBI's call for public assistance underscores the urgency and scale of the threat. As these investigations continue, collaboration between government agencies, cybersecurity firms, and the public will be crucial in combating these sophisticated cyber threats.