
FBI Seeks Public Help to Identify Chinese Hackers Behind Global Cyber Intrusions

The FBI has issued a public request for assistance regarding significant breaches of edge devices and computer networks belonging to various companies and government entities. The investigation is tied to an Advanced Persistent Threat (APT) group that allegedly deployed malware exploiting the vulnerability tracked as CVE-2020-12271 to carry out a series of widespread intrusions aimed at stealing sensitive data from firewalls worldwide.

The call for public input follows reports from cybersecurity vendor Sophos detailing a sustained sequence of campaigns from 2018 to 2023 that exploited edge infrastructure appliances to introduce custom malware or use them as proxies, thereby avoiding detection. Dubbed “Pacific Rim,” this malicious activity has been linked to several Chinese state-sponsored groups, including APT31, APT41, and Volt Typhoon. Significant early attacks began in late 2018, targeting Sophos’ subsidiary in India, Cyberoam.

Sophos reported that adversaries focused their efforts on critical infrastructure and government facilities in regions like South and Southeast Asia, noting attacks on nuclear energy suppliers, airports, military hospitals, and government ministries. The subsequent attacks more effectively leveraged multiple vulnerabilities inherent to Sophos firewalls, including a series of CVE identifiers that enabled hackers to compromise devices and manipulate internal network payloads.

By 2021, a noticeable shift occurred in the attackers’ strategies, moving from broad, indiscriminate assaults to more refined, targeted approaches against specific entities such as government agencies and security-related organizations. This evolution in tactics indicates a significant interest in high-value targets and a desire for stealthy access, conducive to gathering sensitive data.

Beginning mid-2022, attackers escalated their operations to infiltrate organizations more deeply, deploying sophisticated malware such as Asnarök, Gh0st RAT, and a new backdoor termed Pygmy Goat. The latter facilitates persistent remote access to Sophos XG Firewalls and other Linux devices. Pygmy Goat, while not embodying novel techniques, employs sophisticated methods to blend in with legitimate network traffic and provides the attackers with on-demand interaction abilities.

The backdoor’s complex functionality includes listening for specific crafted ICMP packets, enabling capabilities like SOCKS proxying, which suggests a high level of technical sophistication and intent. Its deployment followed exploitation of CVE-2022-1040, with evidence of its use being identified on government networks and medical facilities in Asia.
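A backdoor that wakes up on "specific crafted ICMP packets" is a reminder that echo traffic deserves inspection rather than a blanket allow rule. The following is an added defensive example, not code from Sophos, the FBI, or the Pacific Rim report: it parses ICMP echo requests, verifies the RFC 1071 checksum, and flags requests whose payload does not match the fill pattern of an ordinary ping tool or that carry a high-entropy payload. The "crafted" sample packet is a constructed placeholder; it does not reproduce Pygmy Goat's real signalling format, which the page does not describe.

```python
"""Flag ICMP echo requests whose payload does not look like an ordinary ping.

Added example for defenders. The trigger bytes below are constructed
placeholders, not the real Pygmy Goat trigger.
"""
import math
import struct
from dataclasses import dataclass

ICMP_ECHO_REQUEST = 8
# Payload emitted by the Windows ping utility (32 bytes).
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"
# Entropy above this (bits per byte) suggests encrypted or compressed content.
ENTROPY_THRESHOLD = 6.0


@dataclass
class IcmpPacket:
    type: int
    code: int
    checksum: int
    identifier: int
    sequence: int
    payload: bytes


def rfc1071_checksum(data: bytes) -> int:
    """Internet checksum over header (checksum field zeroed) plus payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(identifier: int, sequence: int, payload: bytes, code: int = 0) -> bytes:
    """Build a well-formed ICMP echo request; used only to construct sample traffic."""
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, code, 0, identifier, sequence)
    csum = rfc1071_checksum(header + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, code, csum, identifier, sequence) + payload


def parse_icmp(raw: bytes) -> IcmpPacket:
    """Split an ICMP message (no IP header) into header fields and payload."""
    if len(raw) < 8:
        raise ValueError("truncated ICMP header")
    t, c, csum, ident, seq = struct.unpack("!BBHHH", raw[:8])
    return IcmpPacket(t, c, csum, ident, seq, raw[8:])


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 means every byte value equally likely."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(data.count(b) / n * math.log2(data.count(b) / n) for b in set(data))


def is_standard_ping_payload(payload: bytes) -> bool:
    """True for the payloads produced by the common Windows and iputils ping tools."""
    if payload == WINDOWS_PING_PAYLOAD:
        return True
    # iputils ping: 8-byte timestamp, then each byte equals its own offset.
    if len(payload) >= 8 and payload[8:] == bytes(i & 0xFF for i in range(8, len(payload))):
        return True
    return False


def inspect_echo_request(raw: bytes) -> list[str]:
    """Return the reasons an echo request deserves a look; empty means it looks benign."""
    pkt = parse_icmp(raw)
    if pkt.type != ICMP_ECHO_REQUEST:
        return []
    reasons = []
    zeroed_header = raw[:2] + b"\x00\x00" + raw[4:8]
    if rfc1071_checksum(zeroed_header + pkt.payload) != pkt.checksum:
        reasons.append("bad checksum")
    if pkt.code != 0:
        reasons.append(f"non-zero code {pkt.code}")
    if not is_standard_ping_payload(pkt.payload):
        reasons.append("payload does not match a known ping tool pattern")
        if shannon_entropy(pkt.payload) > ENTROPY_THRESHOLD:
            reasons.append("high-entropy payload (possible encrypted command)")
    return reasons


# Constructed sample traffic: two ordinary pings and one placeholder "trigger".
SAMPLE_LINUX = build_echo(0x1234, 1, b"\x00" * 8 + bytes(range(8, 56)))
SAMPLE_WINDOWS = build_echo(0x0001, 7, WINDOWS_PING_PAYLOAD)
SAMPLE_CRAFTED = build_echo(0xBEEF, 1, b"MAGIC" + bytes(range(256)))  # constructed, not real

if __name__ == "__main__":
    for name, pkt in [("linux", SAMPLE_LINUX), ("windows", SAMPLE_WINDOWS), ("crafted", SAMPLE_CRAFTED)]:
        print(name, inspect_echo_request(pkt) or "looks like a normal ping")
```

In practice this check would run over ICMP messages extracted from a packet capture or a sensor feed on the firewall's management segment; the payload heuristics are a starting point, not a signature, and a real trigger could mimic a standard ping pattern, so anomalies in ICMP volume, source, and timing toward edge appliances should be reviewed alongside it.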

The actors behind these attacks have been preliminarily traced back to a Chinese threat actor referenced as Tstark, linked to the University of Electronic Science and Technology of China. Early investigations from Sophos involved deploying their custom kernel implant on devices belonging to these actors, leading to the discovery of previously unknown remote code execution vulnerabilities.

In addition to the direct threat posed by the breaches, Sophos noted an alarming trend in which “suspicious” bug bounty reports appeared to be tied to the exploited vulnerabilities, suggesting an organized effort to advance malicious cyber capabilities. This reflects a systemic approach to vulnerability research and exploit development within China’s Sichuan region, hinting at a structured relationship between educational institutions and state-sponsored cyber operations.

Chester Wisniewski from Sophos articulated concerns about an “assembly line” of zero-day exploit development in Sichuan, which may be funneled to state-sponsored attackers. The implications of these coordinated efforts reveal a highly organized form of cyber warfare aimed at improving the Chinese government’s strategic and economic interests.

Concurrently, a Canadian cybersecurity report highlighted that over the past four years at least 20 Canadian government networks have been breached by Chinese hacking groups pursuing economic and strategic objectives. This extensive campaign has also targeted the private sector, enabling the collection of confidential information, while pursuing activities linked to transnational repression against specific ethnic and political groups.

These findings illuminate a complex and growing landscape of cyber threats, particularly the tactics employed by state-sponsored actors and the vulnerabilities within edge network devices. The implications for national security and cybersecurity are profound as adversarial nations enhance their capabilities through sophisticated means.