For years, the cybersecurity industry has been aware of an inconvenient truth: the very network security devices designed to protect customers from cyber threats are often the same machines that hackers use to gain access to their targets. This has been the case with “perimeter” devices such as firewalls and VPN appliances, which have repeatedly been found to contain vulnerabilities that allow sophisticated hackers to breach them and reach sensitive internal systems.
Now, one cybersecurity vendor, Sophos, has revealed the extent of its battle with a group of hackers who targeted its firewalls for over five years. The company went to great lengths to track and monitor the hackers, even installing its own “implants” on their devices to preempt their attacks. Through this effort, Sophos was able to trace the hacking attempts back to a single network of vulnerability researchers in Chengdu, China.
In a report released on Thursday, Sophos details the ongoing cat-and-mouse game it played with these Chinese hackers, who started with indiscriminate mass exploitation of Sophos products but eventually became more targeted and stealthy. The company’s analysts were able to tie these hacking campaigns to Chinese state-sponsored groups, including APT41, APT31, and Volt Typhoon. However, the common thread throughout these attacks was not a specific group, but a broader network of researchers who appear to be supplying hacking techniques to the Chinese government.
Sophos’ report also reveals the range of targets affected by these hacking campaigns, including nuclear energy suppliers, military targets, telecoms, government and intelligence agencies, and even the airport of a national capital. While most of the targets were located in South and Southeast Asia, a smaller number were in Europe, the Middle East, and the United States.
Overall, Sophos’ report sheds light on the ongoing threat posed by state-sponsored hacking groups and the need for constant vigilance and proactive measures to protect against these attacks.