A five-year investigation by Sophos has revealed that certain China-based groups are targeting perimeter devices and firewalls developed by the cybersecurity solutions company.
By collaborating with multiple partners, including government agencies, law enforcement, and other vendors, Sophos tracked bespoke malware, botnets, and novel exploits. In its report, the company confirmed “with varying levels of confidence” that specific activity clusters are linked to Volt Typhoon, APT31, and APT41/Winnti.
The investigation also found that the threat actors have become more discreet in their operations, focusing on high-value and critical-infrastructure targets, primarily in the Indo-Pacific region.
“Victim organizations include nuclear energy suppliers and regulators, military, telecoms, state security agencies, and central government,” Sophos stated in the report.
The threat actors have also sabotaged telemetry collection on compromised firewalls, which shrinks the traces they leave behind, degrades detection and response, and hampers research into their activity.
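When an intruder disables a firewall's reporting, the absence of telemetry is itself the signal a defender can act on. The following is an added example, not code from Sophos or from the report: a small gap detector that reads a constructed, hypothetical heartbeat log (timestamp, device name, event) from a central collector and flags any device whose stream has a hole or that has gone quiet relative to the current time. The reporting cadence, tolerance, device names and log format are all assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample: one line per heartbeat a central collector received from
# an edge device. The format and device names are hypothetical, not any
# vendor's real telemetry.
SAMPLE_TELEMETRY = """\
2024-03-01T10:00:00Z fw-branch-01 heartbeat
2024-03-01T10:05:00Z fw-branch-01 heartbeat
2024-03-01T10:10:00Z fw-branch-01 heartbeat
2024-03-01T10:15:00Z fw-branch-01 heartbeat
2024-03-01T10:20:00Z fw-branch-01 heartbeat
2024-03-01T10:25:00Z fw-branch-01 heartbeat
2024-03-01T10:30:00Z fw-branch-01 heartbeat
2024-03-01T10:35:00Z fw-branch-01 heartbeat
2024-03-01T10:40:00Z fw-branch-01 heartbeat
2024-03-01T10:00:00Z fw-dc-edge heartbeat
2024-03-01T10:05:00Z fw-dc-edge heartbeat
2024-03-01T10:40:00Z fw-dc-edge heartbeat
2024-03-01T10:00:00Z fw-lab heartbeat
"""

EXPECTED_INTERVAL = timedelta(minutes=5)  # assumed reporting cadence
TOLERANCE = 2                             # more than 2 missed intervals is suspicious


def parse_telemetry(text):
    """Group heartbeat timestamps by device, sorted ascending."""
    stamps = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, device, _event = line.split(maxsplit=2)
        stamps[device].append(datetime.strptime(ts, TS_FORMAT))
    return {device: sorted(times) for device, times in stamps.items()}


def find_telemetry_gaps(text, now, expected=EXPECTED_INTERVAL, tolerance=TOLERANCE):
    """Flag devices whose telemetry stream has a hole.

    Returns (device, start, end, kind) tuples with ISO timestamps. kind is
    'gap' for a hole between two received heartbeats and 'silent' for a device
    whose most recent heartbeat is older than the threshold relative to `now`.
    A gapped or silent firewall is either down or has had its reporting
    tampered with; either way it warrants an out-of-band check of the device.
    """
    threshold = expected * tolerance
    now_dt = datetime.strptime(now, TS_FORMAT)
    findings = []
    for device, times in parse_telemetry(text).items():
        # Holes inside the received stream.
        for prev, cur in zip(times, times[1:]):
            if cur - prev > threshold:
                findings.append((device, prev.strftime(TS_FORMAT),
                                 cur.strftime(TS_FORMAT), "gap"))
        # Stream that stopped and never resumed.
        if now_dt - times[-1] > threshold:
            findings.append((device, times[-1].strftime(TS_FORMAT), now, "silent"))
    return findings


if __name__ == "__main__":
    for device, start, end, kind in find_telemetry_gaps(SAMPLE_TELEMETRY,
                                                        "2024-03-01T10:45:00Z"):
        print(f"{device}: {kind} from {start} to {end}")
```

In the sample, fw-dc-edge stops reporting for 35 minutes and then resumes, which is the pattern to expect when reporting is switched off during hands-on activity and restored afterwards, while fw-lab simply goes dark. The check only works if the collector keeps its own record of what arrived; a device that has been tampered with cannot be trusted to report its own silence.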
State-sponsored attackers
Sophos also reported that state-sponsored attackers use both zero-day and known vulnerabilities to compromise edge devices.
“This targeting is not unique to Sophos firewalls; as evidenced by published CVEs, all edge devices are at risk,” the company said.
According to Sophos, the threat actors ran multiple campaigns between 2020 and 2022 against publicly reachable network appliances, exploiting vulnerabilities that were not yet known at the time.
“These exploits allowed adversaries to retrieve information stored on the device, deliver payloads within device firmware, and, in some cases, access devices on the LAN (internal to the organization’s network) side of the firewall,” Sophos said.

