Sophos reveals how it fought a network of dangerous Chinese hackers for years

Sophos has revealed details of a five-year battle with Chinese hackers who targeted networking devices across the globe.

The ‘Pacific Rim’ reports outline clusters of activity that cybersecurity vendors and law enforcement can attribute to the known threat actors Volt Typhoon, APT31 and APT41/Winnti – with ‘varying degrees of confidence’.

Included in the list of targets were devices from prominent manufacturers such as Fortinet, NetGear, Sophos, Check Point, Cisco, and more. The attacks were aimed at high-value targets primarily in the Indo-Pacific region, and included nuclear energy suppliers, telecoms, military, and government agencies.

Critical infrastructure attacks

“For more than five years, Sophos has been investigating multiple China-based groups targeting Sophos firewalls, with botnets, novel exploits, and bespoke malware,” Sophos explains in the report.

The state actors are not exclusively aiming at high-value espionage targets, though: Sophos observed them using the tightly connected digital ecosystems that form part of the critical infrastructure supply chain as a route to disrupting critical services.

“This community is believed to be collaborating on vulnerability research and sharing their findings with both vendors and entities associated with the Chinese government, including contractors conducting offensive operations on behalf of the state. However, the full scope and nature of these activities have not been conclusively verified,” said Ross McKerchar, Sophos X-Ops.

Researchers believe that the attacks started in 2018 when they hit the Cyberoam headquarters, which is an India-based Sophos subsidiary.

Critical infrastructure is increasingly on the receiving end of state-sponsored cyberattacks, with some estimates putting the number of such attacks at 420 million in 2023, which works out to roughly 13 attacks per second.

One of the groups, Volt Typhoon, has already been found lurking on US critical infrastructure networks for years, so this news won’t come as much of a surprise. The state-sponsored group was positioned to steal sensitive information, monitor activity, and disrupt the infrastructure.