British cybersecurity firm Sophos has been embroiled in a prolonged battle against cyber attackers believed to be affiliated with the Chinese government. These state-sponsored threat actors, motivated by political and strategic goals, often target high-value information in critical sectors. Beginning as early as 2018, the attackers homed in on Sophos’ enterprise-facing products, exploiting vulnerabilities to breach defenses. State-sponsored groups from China, such as APT41 and Winnti, are known for leveraging zero-day vulnerabilities and advanced malware to infiltrate sensitive networks. They also display adaptability, adjusting their tactics and tools to bypass security measures, thus engaging in what Sophos described as a “cat-and-mouse” conflict. For Sophos, defending against such a resilient opponent meant adopting unconventional defensive measures to stay one step ahead.
Initial Breach and Attack Pathways
One significant breach targeted Sophos’ Cyberoam office in India. The attackers gained a foothold by exploiting an overlooked wall-mounted display unit connected to the network. While a display may appear harmless, hackers increasingly exploit overlooked Internet of Things (IoT) devices, which often lack robust security protections, to infiltrate networks. Once they gained initial access, the attackers moved laterally within the network, escalating privileges and aiming to capture deeper system access. Sophos quickly traced the hack to what it called an “adaptable adversary,” revealing how hackers exploited not just weak points but also actively adapted to each defensive move.
Defensive Measures: Sophos Deploys Internal Implants
Recognizing the attackers’ persistent nature, Sophos took an unusual step by deploying custom software implants on its own devices. These implants—small programs designed to monitor activity—allowed Sophos to gather real-time intelligence on the hackers’ techniques. By observing in real time, Sophos could detect tools like the TERMITE in-memory dropper, a rootkit running in user mode, and Trojanized Java files. This decision to use implants was not taken lightly; it involved legal consultations and careful planning. Sophos’ implants served as “honeypots,” revealing the attackers’ specific tactics while allowing the cybersecurity team to build precise countermeasures.
Attackers’ Toolkit: Inside TERMITE and Other Advanced Malware
The attackers’ toolkit demonstrated sophisticated planning. TERMITE, for example, is an in-memory dropper designed to load malicious software directly into a system’s RAM, making it less likely to be detected by traditional security tools. Attackers also used a modified UEFI bootkit, a rare form of malware that infects the computer’s boot firmware, allowing it to persist across system restarts and even re-installations of the operating system. Their arsenal extended to the Gh0st RAT (Remote Access Trojan), which provides extensive control over compromised devices, enabling remote surveillance and data exfiltration. These tools highlight the attackers’ deep technical expertise and ability to evade standard detection.
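An in-memory dropper such as the one described above leaves little on disk, so one place a defender can look is for running processes whose executable has no backing file. The following is an added example, not code from the article or from Sophos: it assumes a Linux host with the usual /proc semantics (where the exe link of a process started from memfd_create() or from a file that was later unlinked carries a "memfd:" or "(deleted)" marker) and runs against a constructed sample snapshot; the SAMPLE_EXE_MAP values and the process names in it are made up for illustration.

```python
"""Added example (not from the article or from Sophos): flag processes whose
executable exists only in memory, the kind of footprint an in-memory dropper
leaves on a Linux host. Assumes Linux /proc semantics; sample data is constructed."""
import os
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Finding:
    pid: int
    exe: str
    reason: str


def classify_exe(exe_target: str) -> Optional[str]:
    """Return a reason if the /proc/<pid>/exe link target looks fileless, else None.

    Order matters: a memfd-backed executable also ends in "(deleted)", so the
    more specific memfd check runs first.
    """
    if "memfd:" in exe_target:
        return "executable backed by memfd (never written to disk)"
    if exe_target.endswith("(deleted)"):
        return "executable unlinked from disk after the process started"
    if exe_target.startswith("/dev/shm/"):
        return "executable staged in tmpfs"
    return None


def scan_exe_map(exe_map: dict) -> list:
    """Scan a mapping of pid -> exe link target and return Findings, sorted by pid."""
    findings = []
    for pid, target in sorted(exe_map.items()):
        reason = classify_exe(target)
        if reason is not None:
            findings.append(Finding(pid, target, reason))
    return findings


def read_proc_exe_map() -> dict:
    """Live collection from /proc (Linux only; reading other users' pids needs privilege)."""
    out = {}
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            out[int(entry)] = os.readlink(f"/proc/{entry}/exe")
        except OSError:
            continue  # process already exited, or permission denied
    return out


# Constructed sample standing in for a /proc snapshot (pids and paths are made up).
SAMPLE_EXE_MAP = {
    1: "/usr/lib/systemd/systemd",
    842: "/usr/sbin/sshd",
    1337: "/memfd:payload (deleted)",   # memfd-backed: typical of in-memory loaders
    2001: "/tmp/update (deleted)",      # dropped, executed, then removed from disk
    2100: "/dev/shm/.x",                # staged in tmpfs
}

if __name__ == "__main__":
    for f in scan_exe_map(SAMPLE_EXE_MAP):
        print(f"pid={f.pid} exe={f.exe!r}: {f.reason}")
```

Swap SAMPLE_EXE_MAP for read_proc_exe_map() to run it against a live host; legitimate software (package upgrades that replace a running binary, JIT runtimes) also shows "(deleted)" targets, so treat the output as a triage list to correlate with process ancestry and network activity rather than a verdict.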
The Attackers’ Strategic Shift in Focus
While initially focusing on Sophos, the attackers eventually widened their target pool to include critical infrastructure, government, and healthcare organizations, especially within the Asia-Pacific region. This strategic shift, observed by late 2021, aligns with broader trends among state-sponsored hacking groups, which often target sectors where data breaches or disruptions could have national security implications. For example, the healthcare sector holds highly sensitive data, and infrastructure entities are essential for public safety and stability. The timing of these attacks coincided with the COVID-19 pandemic, a period marked by heightened vulnerabilities due to the expansion of remote work and increased reliance on digital platforms.
Sophos’ Collaboration with International Agencies
The battle against these hackers led Sophos to collaborate with international cybersecurity agencies. By working alongside the Netherlands’ National Cyber Security Centre (NCSC), Sophos was able to track attacker-controlled command-and-control (C2) servers and gather intelligence on the broader attack infrastructure. This collaboration helped neutralize some of the immediate threats posed by the attackers. It also underscores a trend in cybersecurity, where private companies increasingly partner with government agencies to combat complex, state-sponsored cyber threats. These partnerships are becoming essential, especially when the target is a well-funded and resource-rich adversary.
Lessons Learned
Sophos’ experience serves as a lesson for the cybersecurity community. The adaptive nature of these state-sponsored attackers reveals the limitations of traditional cybersecurity defenses, which often rely on static measures like firewalls and antivirus software. Sophos’ use of active monitoring tools and targeted implants exemplifies the kind of innovation required to defend against such advanced threats. Additionally, the sustained nature of the attacks underscores the need for continuous vigilance, as attackers may invest years in targeting a single organization.
How Can Netizen Help?
Netizen ensures that security gets built-in and not bolted-on. We provide advanced solutions to protect critical IT infrastructure, such as our popular “CISO-as-a-Service” offering, through which companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
Questions or concerns? Feel free to reach out to us any time –
https://www.netizen.net/contact