Global cybersecurity leader Sophos has unveiled findings from its “Pacific Rim” report, detailing a complex, multi-year campaign by Chinese-based nation-state groups targeting critical infrastructure across the Pacific.
Sophos’ security unit, Sophos X-Ops, conducted defensive and counter-offensive operations against the attackers, who focused on unpatched and end-of-life (EOL) perimeter devices, including Sophos Firewalls.
The groups employed unique malware, novel exploits, and sophisticated tactics to penetrate networks and conduct cyber espionage, sabotage, and surveillance.
Escalation and Evolution of Cyber Campaigns
The threat escalated when Sophos’ initial defenses successfully countered early attacks, prompting adversaries to deploy more advanced operators. “We uncovered a vast adversarial ecosystem,” Sophos noted.
The report links these operations with known Chinese nation-state groups, such as Volt Typhoon, APT31, and APT41, who employed overlapping tools, tactics, and procedures (TTPs).
Sophos detailed several operations aimed at critical infrastructure, including nuclear facilities, an airport, and state ministries in South and Southeast Asia.
In one notable case, Sophos neutralized a payload known as “Cloud Snooper,” which contained a custom rootkit to evade detection.
Read Also: Sophos Unveils Enhanced Updated Firewall Software
Another campaign, “Asnarök,” was thwarted with Sophos’ intervention, which involved taking over the malware’s command and control (C2) channel.
Sophos’ Strategic Response and Enhanced Threat Tracking
Sophos’ response included extensive threat tracking, involving telemetry, open-source intelligence, and targeted implants on adversarial systems.
This allowed the cybersecurity team to detect and counter sophisticated tactics, including a UEFI bootkit designed for stealth.
The persistence of these Chinese-based groups underscores their goal of long-term espionage, according to Sophos’ CISO Ross McKerchar.
“Even organizations that are not direct targets are getting hit,” McKerchar explained, as attackers leverage compromised edge devices to obfuscate their activities.
Industry Recommendations and Call for Collaboration
Sophos urges organizations to prioritize patching and upgrade EOL devices, especially in critical infrastructure.
They encourage public-private partnerships and collaboration with law enforcement to strengthen global defenses against persistent, nation-state cyber threats.
