SecurityWeek

Nation-State

FBI Seeking Information on Chinese Hackers Targeting Sophos Firewalls

The FBI is asking for information on the Chinese threat actors targeting Sophos edge devices to compromise private and government entities.

The FBI is asking for public help in identifying the hackers behind a years-long campaign targeting Sophos edge devices.

The campaign, brought to light last week by Sophos itself and ongoing since as early as 2018, was attributed to China-linked advanced persistent threat (APT) actors such as APT41, APT31, and Volt Typhoon.

As part of the attacks, the APTs exploited multiple zero-day vulnerabilities in internet-facing Sophos devices to gain initial code execution, then chained additional exploits to deploy malware with root privileges on the compromised appliances.

“Beginning in early 2020 and continuing through much of 2022, the adversaries spent considerable effort and resources in multiple campaigns targeting devices with internet-facing web portals,” Sophos said.

One of the zero-days, tracked as CVE-2020-12271 and affecting Sophos’ XG Firewall, was exploited in April 2020 to deploy the Asnarök malware. Working with European law enforcement, the company took down the server that hosted the malware.

Sophos says that, for more than five years, it has been fighting a cat-and-mouse battle with the Chinese hackers, including deploying a custom implant to its own devices to monitor the attackers’ movements and identify their exploits and TTPs.

While Sophos did not share information on any of the organizations that might have been compromised in these attacks, the FBI says that both private companies and government entities have fallen victim to the intruders.

“As described by Sophos Ltd. in a recently released cyber security report, on April 22, 2020, an Advanced Persistent Threat group allegedly created and deployed malware (CVE-2020-12271) as part of a widespread series of indiscriminate computer intrusions designed to exfiltrate sensitive data from firewalls worldwide. The FBI is seeking information regarding the identities of the individuals responsible for these cyber intrusions,” the FBI said in a notice (PDF) on Friday.


The agency is encouraging individuals who might have information on the attackers to contact it using messaging services such as WhatsApp, Signal, and Telegram, or to contact local FBI offices, American embassies, or consulates, or submit a tip online.

The UK’s National Cyber Security Centre (NCSC) has published technical documentation on Pygmy Goat, a sophisticated backdoor that has been planted on hacked Sophos XG firewalls.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
