Darknet Diaries - 174: Pacific Rim
Episode Date: May 5, 2026

For six years, Sophos fought a secret cyber war against a state-backed hacking group targeting its firewalls. This forced Sophos to drastically change tactics to properly secure their firewalls. Was it ethical? Was it effective? They disrupted nine zero-day attacks, exposed who was hacking them, and forced the hackers to change tactics. But at what cost? You have to listen to one of the most audacious corporate cyber defenses ever conducted.

Sponsors
Support for this show comes from ThreatLocker®. ThreatLocker® is a Zero Trust Endpoint Protection Platform that strengthens your infrastructure from the ground up. With ThreatLocker® Allowlisting and Ringfencing™, you gain a more secure approach to blocking exploits of known and unknown vulnerabilities. ThreatLocker® provides Zero Trust control at the kernel level that enables you to allow everything you need and block everything else, including ransomware! Learn more at www.threatlocker.com.
This show is sponsored by Meter, the company building networks from the ground up. Meter delivers a complete networking stack - wired, wireless, and cellular - in one solution that's built for performance and scale. Alongside their partners, Meter designs the hardware, writes the firmware, builds the software, manages deployments, and runs support. Learn more at meter.com.
Support for this show comes from Drata. Drata is the trust management platform that uses AI-driven automation to modernize governance, risk, and compliance, helping thousands of businesses stay audit-ready and scale securely. Learn more at drata.com/darknetdiaries.

Sources
https://news.sophos.com/en-us/2024/10/31/pacific-rim-timeline/
https://www.justice.gov/archives/opa/pr/seven-hackers-associated-chinese-government-charged-computer-intrusions-targeting-perceived
https://www.fbi.gov/wanted/cyber/guan-tianfeng
Transcript
Hi, I'm Jack Rhysider.
Host of the show.
Back in 2018, an interesting cyber attack took place.
It's kind of a funny thing.
I mean, it basically came onto my radar the second month I was working at Sophos.
Oh, I should introduce you to Andrew.
Yeah, so I'm Andrew Brandt,
and throughout the time the research was going on for this story,
I was a principal researcher for Sophos,
but I am now a principal threat researcher
for a company called Netcraft.
So one of the things Sophos wanted Andrew to do
was research novel threats
and write about them on their newly established
Sophos blog.
The team that I was on eventually didn't exist.
I was the only person on it.
And one of the analysts reached out to me
through the company chat and said,
hey, I've got a great story
for some really cool research.
I'd like to write it up
and have you publish it on the blog
and do some edits on it.
I said, great.
tell me more, and he told me the story,
but the one thing he didn't tell,
or what he said he couldn't tell me,
was who the target was.
So he's like, okay, fine, send me what you got,
let me research it, and I'll write about it.
It started with a TV set.
So there was a sales office,
and they had a bullpen, like you have a lot of,
you know, in a lot of sales offices
where people are on the phone,
you're trying to sell the product.
And so they had like this leaderboard
that was on a computer screen
that was running off a little Linux computer.
And that was the first machine that got infected.
And the threat actors managed to pivot from that, you know, Intel NUC,
which is like a tiny little computer that's small enough
they can mount on the back of a TV monitor that's hanging on the wall,
that they were able to pivot from the NUC
and find access to the repository where the source code was
and then get into that.
And then to do the Cloud Snooper attack on that cloud service
where the source code was,
it's just mind-boggling to me,
like the amount of effort involved
in pivoting from this to this to this to get into this
and then to build this backdoor
that allows them access,
it's amazing to me.
The attackers got access to the source code.
But why?
Was this an insider trying to seek revenge?
Were they stealing it in hopes to sell it to someone?
Did they steal it
so that they could copy the product
and steal their intellectual property.
At the time, nobody knew what their motive was.
These are true stories from the dark side of the internet.
I'm Jack Rhysider.
This is Darknet Diaries.
This episode is sponsored by ThreatLocker.
If you've listened to Darknet Diaries for a while,
you've already heard of ThreatLocker.
I've talked about how they lock environments down,
deny by default, zero trust, all of it.
But the problem they were solving changed
because attackers changed.
They don't break in like they used to.
Now they just log in with real credentials, real sessions, nothing that looks out of place.
Once they're in, they're treated like they belong.
So ThreatLocker took what they already were doing and pushed it further with their Zero Trust
Network Access and Zero Trust Cloud Access.
So now Access isn't just about logging in, it's about the device, the connection, and whether
any of it should be trusted at all.
If you want to see what Zero Trust looks like when it's done right, go to threatlocker.com/darknet.
That's threatlocker.com/darknet.
This episode is sponsored by Meter, the company building networks from the ground up.
If you employ and work with IT engineers, you're going to know how hard it is for them to do their job well.
What your business needs is performant, reliable, secure networking infrastructure,
but what you get is IT resource constraints, unpredictable pricing, and fragmented tools.
What you and your engineers need is a modern platform you can all trust to support your
business. Enter Meter. Meter delivers a complete networking stack, wired, wireless, and cellular
in one solution that's built for performance and scale. Alongside their partners, Meter designs the
hardware, writes the firmware, builds the software, manages deployment, and runs support. That
means less time your employees spend writing to multiple vendors and more time working and
improving your IT systems. Meter's full stack solution covers everything from first site survey
to ongoing support, giving you a single partner for all your connectivity needs. Thanks to
meter for sponsoring this show.
Go to meter.com/darknet to book a demo now.
That's spelled M-E-T-E-R, meter.com/darknet, and go book a demo.
So hackers broke into a company and copied the source code for that product.
So we managed Infosec there for a while and candidly too.
It was the type of network that was in the process of being brought over to a set standard.
This is Craig.
He helped clean up the intrusion.
So my name is Craig Jones.
I'm the chief security officer of Ontinue, but several years ago, I was actually the senior
director of information security inside Sophos. I mean, if you don't know Sophos, we're a UK-based
cybersecurity provider that has everything from kind of EDR, MDR, and through into firewall products.
And at the time, they had three different firewall products, one being Cyberoam, the other one being a
German-based firewall provider, and the new Sophos firewall product.
So essentially they were collapsing two products into one, and the new one being Sophos Firewall.
Yeah, Sophos' main product is their firewall.
This is a network device that will act as a wall between a protected network and an unprotected one.
Out of the box, nothing is allowed to pass.
You have to tell it exactly what you want to allow through,
because the point of a firewall is to stop unwanted traffic from coming into your network.
And believe me, there's a lot of unwanted traffic that's always trying to get into our networks.
And in 2014, they bought another company called Cyberoam,
which was also making an interesting security product.
That product, you know, we were flattening that product
and making it into something else.
You know, like Cyberoam was very much purchased to be
the development house for the new Sophos firewall product.
You know, there's some super hot developers there.
And it was this newly acquired Cyberoam network
which was the victim of this attack.
Someone had gotten into Cyberoam
and was looking for their source code,
and found it for one of their products,
and Craig and his team had to go clean up that intrusion.
There's some really cool stuff that those actors did.
You know, there was several points when I sat down,
they thought, damn, these guys really know what they're doing.
You know, I think for me, there was one where they'd actually attempted to intrude the network
in several different ways, mostly at the same time.
And what was really interesting about it is we could tell that there were two or three actors
working together in different consoles.
And one of the things they did, which is kind of funny, actually,
was that they'd gotten hold of a secure shell key.
And one had obviously copied it,
and another person was trying to type in the password for it.
And we could tell in the logs that they were mistyping the password, you know?
And, you know, the person had obviously taken the key
had obviously tried to relay onto another person,
and they were mistyping this thing.
It was kind of crazy.
You immediately knew then that this wasn't just like a dude.
You know, this was a serious operation.
The attackers had really unique methods for getting in,
not methods that were publicly known at the time,
super sneaky and crafty ways to get into a network.
And they got in through multiple ways.
And then when they got in,
they were able to move laterally in really unique ways too,
so unique that the Sophos team had no idea
that stuff was even possible.
It was like exploiting bugs in the way AWS handles.
One problem, though, is that they didn't have enough monitoring at first to know exactly what these hackers saw or took.
They assumed because they got access to the repository with the source code that they took the source code, but they were unsure.
So they had to enable a lot more logging and monitoring to fully eradicate them from the Cyberoam network.
Andrew wrote this attack up because it was so interesting and new and published it on the Sophos blog, but didn't say who the target was.
Yeah.
So flash forward, two years go by.
It's now 2020.
You know, we now have the team up and running.
I've got a couple of people working with me.
We're publishing a few blogs a week.
And I find out from internal people within the company that there's a security incident.
And the security incident started with a tech support call where someone sent an email to their
support technician and said, hey, my firewall is showing this URL in the user interface.
And I didn't put it there.
And I don't know why it's there.
Hmm, it sounds like a minor problem at the surface.
This firewall had a configuration which showed what IPs are allowed to access it and manage it and configure it.
And a strange URL was showing up in that list of IPs.
It didn't make any sense as to why it was there or why anyone would ever even put it there.
So Sophos has a firewall called the XG firewall.
At this point, it was just called the XG firewall.
And the firewall has its own operating system,
running a version of Linux in it.
It has a UI that's running on the front of it
so that you can manage it.
At the same time, someone outside of Sophos
submitted a bug into Sophos for this same issue.
I think it was April 21st.
They had, well, we actually had an external
bug bounty report of a SQLi injection.
What was kind of weird about it was, you know,
I remember the user
actually claiming to be from Australia,
but they had a Chinese name, you know.
Now at the time, we didn't have amazing telemetry
from any of the Sophos firewalls.
We had kind of base telemetry,
which gave you like,
it was really designed for product managers
to understand what features that, you know, users were using.
So they understood where to put their kind of limited resource time into, right?
So we had that,
We had a really good idea of where all of the serial numbers for these devices sat and their IP addresses associated.
It's always kind of interesting to correlate the IP with the intended location of the researcher.
So we got a researcher's device that's one that had never been turned on before, which was pretty suspicious.
You know, had never been registered.
It was a serial number that just come from a web trial of a VM.
And we found the IP actually related back to Chengdu in China.
Okay, odd.
Someone from China with a trial license of the Sophos firewall
found this bug and reported it to Sophos.
And Sophos did, in fact, pay the bug bounty for this.
It was about $10,000, I think.
Hmm.
Someone got paid a pretty penny for reporting this bug to Sophos
at almost the exact same time that they were seeing it being exploited by devices in the wild.
Strange timing.
We called it Asnarök.
So the team investigated this bug further.
It was present in the front end web user interface of the firewall.
To configure this firewall, you can use a browser and access it that way.
Well, the web UI of this firewall had an SQL injection vulnerability in it.
Basically, in one of the form fields of the firewall, like maybe the username field or something,
an attacker could enter in some commands there, which would glitch out the user input handling mechanism of the firewall,
and allow the attacker to inject their own commands
into the database of the firewall where the configuration sat.
And this was a really bad bug for Sophos to discover.
Their devices are supposed to be blocking hackers from getting into the network,
yet it's the vulnerable device, which is allowing hackers into it.
This is not good at all.
And they found that essentially every firewall that was facing the public internet
was affected by this bug.
These firewalls weren't just vulnerable.
They all had been hacked into, exploited.
Someone probably scanned the whole internet
looking for these particular Sophos firewalls
and then ran some kind of automation script to go infect them all.
We kind of worked out that there were a huge amount of devices affected.
I think in the FBI report that came out about this,
I think they mentioned 80,000.
I'd hazard a guess it's probably more.
Hot dog, 80,000 Sophos firewalls hacked into.
But just because someone put a URL in place where it shouldn't be,
that's not all that damaging just by itself.
So the team investigated what that URL did,
and that's when they started to panic.
The URL would trigger a GET request
in order to update the Sophos firewall itself.
But what was really weird about it is that it was a wget
to a domain called sophosfirewallupdate.com.
And Sophos didn't own that domain.
So it tried to blend in like it was supposed to be there,
and it fooled many of the people even at Sophos
who just figured the update domains changed.
But my goodness, this meant suddenly 80,000 firewalls
were looking somewhere else for updates and not to Sophos?
And it's kind of strange,
because we actually monitor all domain registrations.
It's kind of part of our kind of core security, like all its function.
So every single, like, cert that was registered,
every domain that was registered, we kind of pop up and, you know, anything that infringed on
Sophos's IP we would attempt to pull back, you know. And it was one that had popped up,
like a little while ago, but nothing had kind of come of it, you know? But actually seeing this
thing in operation was quite like, quite jarring, you know? And I don't know if you fully understand
what this means. If a malicious hacker is able to send your firewall software updates,
then they can put in whatever they want. They can give themselves full access to the firewall,
or they can log all traffic going through it. They can
poke a hole in the firewall and let themselves right into your network. And then from there,
they could just infect your whole network with ransomware. The thing that is supposed to block
unwanted traffic is no longer blocking anything if the attacker wants it that way. Not only that,
Sophos was worried that they had lost capability to update any of their firewalls properly.
Yeah, so effectively, what they could do, I mean, the truth is anything. But what they really
were after was system configuration and passwords.
Now, I've always suspected that this was something that they expected to run quietly,
for them to kind of pull that configuration, the passwords quietly,
and then for them to kind of delete any presence they ever had on those firewalls,
and then for them to have a really easy and simple access campaign.
So the attackers took copies of the configurations from the firewalls,
and then passwords from it,
this was a pretty darn scary event
for the Sophos team to handle.
So it was very much like an incredibly tense situation
where we first had to get a hold of one of these devices.
You know, we set multiple teams up to work out what happened
and to really do some in-depth incident response on this.
We're incredibly lucky, you know,
we had the entire arm of like Sophos Labs
to help us kind of,
reverse engineer this stuff. Okay, step one, fix the bug that made these things vulnerable.
And step two is get the bug fix on as many firewalls as soon as possible. They were able to
complete step one pretty quick, but step two was a little bit more tricky. If you buy a firewall,
whether for your home or a large enterprise, typically you've got to update it yourself,
just like how you have to do your own software updates on your phone or computer. And Sophos's
firewalls are no different. The customers are the ones who have to issue updates for this thing.
But to Sophos, this was too critical of a bug to try to tell 80,000 customers go update your firewalls.
Because I'm just guessing that less than 50% of them would do it in the first month.
There's just not enough time or it's not a high enough priority for them to fix it.
So Sophos decided to do something they've never done before.
They pushed out a hot fix to these firewalls.
So hot fix is like a little software patch that can run in real time.
They can live update all the firewalls remotely with these hot fixes.
It doesn't require the firewall to reboot to be enabled.
And they felt like they had analyzed the attack
and figured out exactly how the threat actors were, you know,
leveraging their access.
And they closed those loopholes with the hot fix.
This was the first time Sophos ever issued a hot fix to one of their customers' devices.
Now, they had built the facility to do hotfix,
and they had not really used them before this.
So there had been no real reason to do it,
but I think they had built in the capability to do these hot fixes,
anticipating that there might be an opportunity to use it
if there was something that was a real problem.
And it was fortunate that they had rolled this out
in the previous firmware update that, you know,
just before this attack had taken place.
Yeah, I think this is a really big deal.
Like, it makes me wonder if there's language in the small print
of the terms of service that says
Sophos reserves the right to make
configuration changes to your firewall
or update it whenever they want.
I think that's what's important as well.
This isn't something that's just kind of done.
And it's not something that's done
willy-nilly, you know?
And you're right.
I mean, it does feel kind of offensive
someone coming in and tampering with my stuff,
you know?
But effectively, it's written into the EULA,
like the end user license agreement.
And candidly, you kind of need this.
And I think that's where a lot of firewall providers actually fail,
is the fact that they rely on end users to patch everything.
And candidly, so many firewalls are just bought and they're never updated, you know?
Gosh, I really don't know where I stand on this.
I was a firewall admin for my previous employer for 10 years.
Those Cisco firewalls were my babies.
I knew everything about them
and would review every single change
that ever took place on them,
and I don't think I would like it
if Cisco just decided to patch them one day
without my consent.
Like, some were in hospitals
that were mission critical,
and some hadn't been patched for years
because they were so finicky,
and any change to them
would just make them wig out and crash.
And when I had to update them,
I wouldn't do them all at once
in one big swoop,
I'd do them one at a time
and hold their hand
and make sure that nothing broke
after the upgrade
and everything came back up as expected.
So if a security vendor just slapped a hot fix on all my firewalls that I was in charge of, I would freak out.
What?
We did not get approval for this change.
We aren't in a maintenance window.
We don't even know what changes you made to the firewall or what's happening.
How can you just come into our devices and make changes without us knowing?
I would be upset.
I wondered, did the Sophos team get approval from their lawyers before issuing a hot fix to their customers like this?
Is this even legal?
Yeah.
I mean, that's a great question.
I was not privy to those discussions.
But I'm sure there were discussions like that about, you know, what is our legal liability?
What are we allowed to do and not do remotely on these devices?
I believe ultimately the decision was made, and I'm not sure if there were lawyers consulted on this or not,
but made a lot of sense that the harm of allowing the firewalls to basically try to ransomware the inside of networks
was probably greater than the risk of somebody complaining that,
oh, you made a change to my firewall without telling me first.
So they just went ahead and did it.
Yeah, I mean, I think not only that,
but it's like this idea that the vendor can come in and change my device in any way.
It's not just like crash logs that are being sent to it.
It's, wow, what else can you do?
If you could put a hot fix in, can you see the password?
Can you see the connections?
Can you come in and do other work?
can you update to different firmware that has malware on it or something?
Like, could you do things that, you know, and, you know, your mind starts going, like,
could you do things that the NSA wants you to do and go and spy on this customer or something like that, right?
And so when you're a firewall admin, you're like, no, I have to make sure that this is,
no other person on the planet can access this, but me and other people on my team,
because you can't risk some, like a backdoor.
It's basically a backdoor that you had.
Yeah, that's entirely accurate.
And you're not wrong.
And these are devices that are typically placed in a position in the network
where they act as the barrier between the outside and the inside worlds of the networks.
And I recognize that that is a risk.
However, it is also worth noting that this is exactly what the bad guys were doing at this moment.
They were installing malware inside the firewall.
So how do you fix that?
I could just imagine the headlines at this point.
And my question is, did any bad news come out to be like,
Sophos found vulnerable, tens of thousands of customers impacted,
huge vulnerability.
Hacker has complete control over their firewalls patch immediately.
Like that could make the stock tumble.
That could really hurt business.
Yeah, I mean, it could.
And that was one of the reasons that I was brought in, basically, on day zero of this happening.
The company realized that they had a potential public relations nightmare on their hands,
and they needed to communicate as openly and as forthrightly as possible,
everything that they knew and everything that they were doing to fix it.
And, you know, credit goes to the people, you know, in leadership at the company who decided that, you know,
possibly against the conventional wisdom at the time,
that they were going to go public with everything we knew about this attack.
It was not a common thing at that time.
But as I said, I've worked for a long time doing in this kind of role
where I do investigations and then publish about them to the public
to warn people about bad things that are happening on the internet.
And it's been my experience that,
that the more information that you get out,
the better protected people are.
And that being radically transparent benefits everyone.
It helps the customers who are affected.
It also warns the public that, like,
hey, this is something that you need to be aware of in the future.
And it might also put the threat actors on notice
that, hey, we're watching you, and we're taking action to stop you.
As the Sophos team investigated this more,
They learned that whoever did this attack had to have really in-depth knowledge of Sophos firewalls.
Like, there's no way they should have discovered this bug unless they had access to the source code,
which wasn't publicly available.
And that's when the pieces started clicking into place.
The part of this firewall that was vulnerable was code from the Cyberoam firewall that was moved over to the Sophos firewall.
And two years before this, as you know, there was an attack on Cyberoam,
and what server did the attackers get access to?
The one with the source code for their firewall.
So they started to think,
holy crap, this is a very serious threat actor
who's been attacking us for years.
They spent tons of effort getting into Cyberoam's network
to steal the source code only to study it for bugs
and then launch a massive attack on our Sophos firewalls.
Whoa, what do we even do with this information?
To think your products are the target
for a major cybersecurity campaign like this?
This is starting to smell like a nation-state actor is behind this.
Who else has that much time and resources?
And what the heck was the deal with someone from China
submitting this bug the exact same time
that Sophos discovered this?
Very strange.
One of the things that we've been kind of working on,
even before this situation,
was pulling in our telemetry or firewall telemetry,
the kind of basic telemetry I was talking about earlier into Splunk.
And I remember talking to Mark, who was just this amazing Splunk engineer in my team.
Like I said, well, can we go back on that data?
Like, can we find out when this first started?
Because I couldn't quite work out the exact moment in time
or the first firewall that was hit by this Asnarök attack.
And then I went back, well, how far does that data go back?
And then Mark said, well, actually, I think I've got like three months work.
So we kind of rolled this thing back three months, and there was one single device that had been hit like a month or so beforehand.
Like sometime in February, if my memory serves me right, and it was just really strange.
So it was kind of registered to like a Chinese 163 address, and it sat again in Chengdu.
Chengdu, China again?
That's where the person who submitted the bug was from.
So they took this firewall, and again, this one was running a trial license,
which was actually just a software-based firewall running in a virtual machine.
And it's a virtual machine because Sophos isn't allowed to sell their firewalls to China due to export controls.
So really, nobody in China should even have a Sophos firewall.
Their suspicion was that the attackers were using this virtual firewall to practice their attacks against,
develop them, and then unleash them against the world.
Because Sophos has the ability to run in a virtual machine with trial license,
is they can just spin one up real quick, try attacks on it.
If they mess up the firewall, they can just reboot it, take it down,
and bring a fresh one up in minutes.
We found this trial license, and they were also a 163 address
and a moniker that we called gbigmao.
Okay, interesting.
They looked up who registered that trial license,
and this gave them an IP address, a username, and an email address.
And the username was gbigmao.
So now you pivot on that name.
What other Sophos products has gbigmao downloaded?
We kind of pivoted on him.
We found that he actually started to experiment with this database or SQLI injection like our mother-soco.
And we kind of found then looking at his IP address, again, we had phenomenal telemetry here,
that he was looking at different knowledge-based articles around our previous CVEs issues.
He was looking through our forum system to look at maybe other potential issues or places that he could maybe pivot and work on.
Then they took a look at his email address and wondered, has this email address been used anywhere else in the world?
So they do some OSINT investigation to see if this email is known anywhere else.
And we find that he was an actual firewall researcher, and he published a number of different, like, vulnerabilities.
We could see him on kind of Linux boards,
publishing various different router vulnerabilities,
up until about 2018, and then he went silent.
He'd been really, really busy up until like 2018.
Now, we kind of found out that he was working
for a company called Sichuan Silence Information Security Technology,
mostly because doing some extra OSINT,
we found that his username appeared
in many Chinese hacking groups and lots of CTFs,
so like Capture the Flag type events,
where he'd been registered towards this company as well.
So we found kind of corroborating evidence
from a couple of different places
that this was the same guy in the same company, you know?
Again, located in Chengdu in China.
So we found a really clear picture
of who this person was.
Now, his external OPSEC was pretty good.
You know, like, you would not have been able to find him that easily,
but because we could see the internal telemetry
and get the license information, kind of connect the dots,
we could actually pin these devices to him and his usage.
But what we had to do at that point was find out more
about these devices that were being used for research.
We found that from the limited telemetry
that we'd started to gather with the first hot fix,
but what we realized is we actually needed more.
Like we really needed more detail, faster detail to like a greater depth
to understand what these guys were doing.
So we developed a kernel implant in house.
A kernel implant.
That's a nice way to say it.
I guess when the good guys make it, it's called an implant.
But if the bad guys were to make it, it would just be called malware.
But essentially a kernel implant is a hidden piece of software that they develop
to sneak onto their firewalls
to covertly and sneakily
spy on what the firewall
is doing.
Yeah, so there's
a lot of interest
within the company.
Well, we know that there's these firewalls
that have been registered
to people who have
non-corporate
or non-enterprise level
email addresses,
like free webmail addresses.
The firewalls are checking in
all from Chengdu.
We know their serial numbers.
So we know the exact count of the number of firewalls that are being used in these places.
And we could see from some of the log telemetry that the threat actors are running commands
that are testing how these exploits are going to work. But we don't have the exploit code itself.
So the security team decides they're going to build something that they just call the implant,
or sometimes they call it the kernel implant.
And it's a small ELF binary that gets distributed only to the machines that they are specifically interested in taking a closer look at.
So these machines that they believe are being operated by threat actors, where they're doing these commands that are way outside of the boundaries of normal firewall behavior.
And these things are capable of doing more than just sending, you know, login,
they're able to pick arbitrary files from the file system on the firewall and send those files back.
So that was how, in some cases, the team started throwing these kernel implants onto some of these firewalls that we could see were being used to do this experimentation.
And they were retrieving all sorts of very malicious and pretty dangerous files
that were being dropped on these machines by the people who were developing these exploits
and were testing them out in advance of attacks.
Wow, that is wild.
This is going to take me a minute to fully grasp.
Sophos developed an implant and sneakily put it on one of their customers' devices to
essentially spy on them.
Is that going too far?
To call it malware is kind of a misnomer.
I mean, I'm not going to defend the overall argument here,
but I will just say that, like, there is nothing malicious
about wanting to know what someone who is doing malicious things
with your product is doing.
You know, it's kind of a, it's an ethical gray area.
I've got to caveat this with:
we only ever deployed this to devices
where we would be absolutely certain that they were a threat actor device, you know.
And not just threat actor controlled, but threat actor owned.
Like, this is where they're doing their research.
Exactly.
So, number one, like, we never deployed it to any properly licensed devices.
The second part is, like, we only ever deployed it to Chinese devices.
We just didn't sell firewalls in China.
So there was really, unless you're a company maybe bringing one from external,
there's no real reason for you to actually have one legitimately in China.
So under the EULA, we could take steps to protect the firewall and gather intelligence.
And that was covered clearly under the EULA.
So that's what you've got, in your 40 people in the room, the lawyers must be in there too.
Like, are we allowed to hack into these devices that we think are our own?
That was a serious conversation we had.
Yeah.
I mean, it wasn't just a small one either.
I mean, I don't think people have ever done this before, you know?
Like, we sat there debating this thing for hours,
and hours really, because
there's some serious ethical challenges around this.
You know, it's not, you know,
what happens, like, if we find the guy?
We, you know, record him,
we see him doing it, and we send it through
to law enforcement, you know? Like, a wee,
you know, there's so many crazy things
that we discussed there, you know. It's,
yeah, it's a conversation
that I never thought in my entire career
that I would have, you know?
Yeah.
I mean, kind of like you,
I never thought legitimately
in my entire career
that I'd ever deploy
a kernel implant either,
you know?
But it was certainly interesting, you know?
Well, I've never heard
of a security vendor
doing anything like this.
Adding in stealthy secret implants
to spy on their users,
in my opinion,
spyware is malware.
And gosh, before hearing all this,
I would have said,
that is going too far.
But now,
no, I'm not sure.
My ethics are really being challenged here.
And again, you know, I had amazing access to just quite incredible engineers.
They built this kernel implant that allowed us to basically move Sophos firewalls
from like a normal update path to like a specific update ring.
And we would then deploy this specialist kernel implant in a normal update,
and you just wouldn't see it.
But what it allowed us to do is like grab anything being needed from the device.
So for example, things like, you know, files, if there were any updates,
it would kind of record anything that was kind of written to specific writable directories.
And it would start to give us a really good idea of what they're doing, what they're writing,
why they were doing it.
But some of the really cool things that we actually got from it were quite unexpected.
So, for example, we started to pick up on the devices around the firewall.
So we'd capture all the MAC addresses of devices connecting to this firewall.
We'd also capture MAC addresses of things that also sat in the network alongside the firewall.
And then we suddenly realized that actually, this is huge.
This isn't just like Sophos Firewalls.
We've seen other vendors' devices on the same subnet alongside the Sophos Firewall.
You know, they were looking at all sorts of devices.
You can probably pull from the top of your head,
thinking about things that had been attacked in the past couple of years,
the devices that were in the rack alongside that Sophos firewall, you know?
Oh, wow.
So the firewalls that come to mind for me are like Cisco, Palo Alto, Juniper, Check Point, Fortinet.
And he says he saw other vendor firewalls set up alongside their firewall in this threat actor's lab.
Now, just being the person who's telling this story of what happened,
we were observing in the world, not just Sophos firewalls,
but every firewall vendor getting hit with zero days,
there are customers being attacked in various ways,
and there being no way to resolve this,
and certainly no way to anticipate it.
Now, whether or not other companies are doing the same thing,
no one else has disclosed that,
but I don't think it's outside the realm of possibility
to think that maybe some of them were.
Oh, man, this is now tugging at me in new ways.
If every firewall vendor is getting hit with the same type of attack
and Sophos is the only one being transparent
about what they're seeing and what they're doing to mitigate this,
then yeah, I give them a lot of credit for that.
Here's the test, I think, for whether your company is evil or not.
First, it has to be transparent to its customers.
Let them know exactly what kind of configuration changes, updates,
or spying, or data collection you're doing on your customers' devices,
and in what circumstances, and what it's being used for.
And second, be proud of whatever it is you're doing around that.
If you're a company which is making changes to the customer's products,
but then not telling them and secretly adding spyware,
but making it so top secret that not many people on your team even know it exists,
then I think you might be evil.
If you're afraid to let the public know exactly how you operate,
because you think it's going to look bad on you,
or maybe because you think it's not even right,
then either stop doing it or go public with it.
And Sophos came to the conclusion that,
while this is not an ideal situation,
this threat is novel and sophisticated in ways nobody's ever seen before,
and not only that, whoever was doing this,
they're being unethical themselves.
So Sophos had to deploy a novel and sophisticated approach to defending their device.
And while it's not pretty, at least they came out and told us about it,
through Andrew's blog posts.
And they're basically saying, hey, we're in the middle of a nasty street fight here.
And the gloves are off until we can neutralize this threat.
And again, I give them a lot of credit for that. Nice job.
So at the same time, they were developing this implant to eavesdrop on the hackers.
They were also in the process of studying those domains
which were found in the exploited firewalls.
The hackers pointed all the firewalls
at two domains to get updates from,
which were not owned by Sophos.
Yeah, well, there was sophosfirewallupdate.com
and sophosproductupdate.com,
which were registered at different registrars
and hosted in different IP spaces.
But because they both had Sophos in the name
and they were part of this attack,
Sophos went to ICANN and did the domain
name seizure process on those domains so that they could pull those down and start to,
they wanted to sinkhole the domains and see what was connecting into them.
How do you seize a domain?
Well, with lawyers and money.
And, you know, it's a really serious thing, you know, like attending court in Delaware,
I think it was, you know, remotely.
Because at the time, don't forget that this is the thick of COVID.
Jeez, that's another thing that's wild to me.
The fact that you can take over someone else's domain,
if you can prove that you're the one who's the rightful owner of it or should be owning it,
but they gave enough reasons to the courts,
who then demanded that the domain registrar give Sophos control of the hackers' malicious domains.
The server used by the threat actor actually sat in the Netherlands,
and it was one of these bulletproof, like, hosting providers.
So we were super lucky that, you know, through the NCSC in the Netherlands,
they were kind of an intermediary with the kind of Dutch National High Tech Crime Unit.
And once we kind of realized how this was panning out,
the Dutch National High Tech Crime Unit just jumped on this.
And they managed to get hold of this C2 server.
So the actual physical Linux box.
I guess it wasn't bulletproof then, huh?
Well, yeah, this is the thing, you know. So they managed to get hold of it. And I mean, we were super keen to
How do you even, so how does that happen? You convinced the Dutch authorities. So you're just a
company in the UK. You're just like, hey, we make this product. You can't just call up the Dutch
police and say, go get that server. We need it. And then they're like, we're on it. Well, yeah,
I mean, you'd think. But then, you know, luckily or unluckily for us, there were a couple
of Dutch customers affected, you know, by this attack.
So that allowed us to be able to register a crime and then get assistance.
And we did this globally, you know.
We really used all of the resources available to us.
So, you know, this obviously took time.
You know, I think right now this is like three or four days after the attack.
But the NCSC in the Netherlands were incredible.
and the Dutch guys there were just super helpful.
I mean, we wanted a copy of that threat actor device.
Like, I wanted to see that Linux box and understand what they've done.
I mean, obviously, it was evidence now.
It wasn't owned by us.
So we couldn't get a snapshot of it, for example.
But they allowed us to basically, you know, work with them and analyze the box live on a screen share.
so we could actually understand the scale of what had happened, you know.
And we'd seen the threat actor scripts for scanning the devices,
the outputs that they'd taken from the firewall, you know, how they'd set this thing up,
you know, kind of Chinese characters and notes and things throughout the device.
What was actually surprising was that everything was kind of set up manually on the C2 server.
I kind of expected them to deliver the C2 server with some sort of, kind of, DevOps pizzars.
But it was just basic.
It was like a Linux box and someone had copied some scripts to it, you know.
But they were amazing.
I mean, the NCSC in the Netherlands just gave us so much help
and really helped us focus where we needed to look
and the kind of scope and scale of all of this.
At the same time, they got control of the domains used by the hackers
and sent all the traffic they were getting to a sinkhole
and logged it all.
It's just fascinating to think that, like,
I don't know, a Netgear, a Linksys,
some other commercial product was checking in to sophosfirewallupdate.com.
It almost screams of, like, well, you know,
we could be bothered to register this domain for Sophos.
We're not going to bother to register it for these other companies.
Like, we already got the domain.
We're just going to keep using it for these other things.
I couldn't find a single article by Linksys mentioning any of this, nothing at all.
Netgear put out an advisory saying a Chinese threat actor is attacking their products.
However, they say they are not aware of any Netgear devices being exploited out in the wild,
which if they don't have any telemetry from their customers' products,
then yeah, of course they're not going to know if any devices are being exploited.
And that's what's challenging me here.
Should the firewall vendor be collecting logs off its customers' devices
in order to better understand what devices are actively being exploited?
Or should that be the responsibility of the customer?
In many organizations, they have their own security logs
and even a team to monitor those logs to look for threats.
But things like Netgear and Linksys are typically home devices,
and it's very rare for people in their own homes
to be monitoring their logs looking for threats.
I looked it up.
Netgear actually does quite a lot of analytic collection
from their customers' devices.
They collect IP addresses, geolocation, how often you use the firewall, what you use the hardware for, what channels your Wi-Fi set to, and what devices are connected to it.
It's surprising with all that analytics collected that they didn't spot a single device being exploited by these threat actors.
And this is what frustrates me.
When my home router is sending all kinds of logs to another company, like what devices are connected to my router?
Really?
I hate that.
I want the devices in my home to be private and not sending tons of data to somewhere without me even knowing.
Because if Netgear has that data, then it's likely a lot of other people have it too.
But then they also registered for the Kill Switch.
They registered Ragnarok from Asgard, right?
And Ragnarok, of course, is the Norse mythology, end of world myth.
And it was fascinating that that was how they used that nomenclature and that language behind it.
Because by this point, we already had some folks who were using
Marvel characters, superhero names in their user accounts that they were, you know,
that they were using for downloading these firewalls.
We had a guy who used the handle of T. Stark,
who was involved in some of the exploit development
and had registered a bunch of these virtual firewalls.
And now we're seeing, you know, this is the time frame when the TV series Loki came out
and when the Thor Ragnarok movie had come out as well.
And it's just fascinating to imagine
that these guys who were doing this stuff
saw themselves as some kind of, you know, superheroes
or maybe they just like put themselves in the shoes
of like that maybe they're just, you know,
maybe they're like up there with gods
and that they can, you know, engage in, you know,
a hammer that can throw lightning from a distance at an enemy.
It's just fascinating to think about.
So this is why Sophos called this particular exploit Asnarok, a combination of the words Asgard and Ragnarok.
And all these efforts on their side paid off.
The implant gave them incredible insight into how these attackers were developing their exploits.
And they were able to write fixes for the next exploits before the attackers could even launch them,
which is incredible to be in the hackers' machine watching them in order to be one step ahead of them.
Good job, Sophos.
This looks to be a pretty hairy threat actor that you're dealing with.
But little did everyone know.
That was just round one.
We're going to take a quick ad break, but stay with us because round two gets even hairier.
This episode is sponsored by Drata.
Let's face it, if you're leading GRC at your organization, chances are you're drowning in a sea of spreadsheets every day.
Balancing security, risk, and compliance in an ever-changing landscape of threats and regulatory frameworks can feel like running a never-ending marathon.
Enter Drata's agentic trust management platform, designed for leaders like you. Drata automates the tedious tasks: security questionnaire responses, continuous evidence collection, and much more, saving you hundreds of hours each year. With Drata, you can spend less time chasing documents and more time solving real security problems. With Drata, you also get access to a powerful trust center, a live, customizable product that supports you in expediting your never-ending security review requests in the deal process. It's perfect for
sharing your security posture with stakeholders or potential customers,
cutting down on the back and forth questions and building trust at every interaction.
Ready to modernize your GRC program and take back your time?
Visit drata.com slash darknet diaries to learn more.
That's Drata, spelled DRATA, drata.com slash darknet diaries.
Yeah, so that kind of wraps out round one.
You identified, you fixed, you cleared, you found all the ones that didn't get fixed,
you found and fixed those, and took down the whole infrastructure that was doing it.
Done.
That's patched like permanently 100%.
There's nothing that no customer has that's not patched.
We're good.
Yeah.
So everything I've just described to you happened over four days, you know, which is just,
yeah, when you think about it, I mean, it's insane.
It's basically one of the largest, widest incident response operations on Earth.
And we did it in four days.
Wow.
And I still think about it now.
I mean, it's a crazy situation.
But we were lucky with an amazing team.
It was, you know, things aligned, you know.
Amazing.
That's got to be one of those four days that is permanently in your head,
like a light bulb experience of work.
A lot of people have been on the show and I say,
tell me about the worst day of your life.
And would you say that that's probably it?
I wouldn't say it was the worst day.
I would probably say it was,
it was an experience, right?
I mean, I remember thinking at the time,
oh, this just can't get any worse, you know,
and every time we'd kind of look at this,
there'd be something else, or, you know,
I remember as these devices were checking into telemetry,
we'd just see the number of affected devices grow.
I remember feeling like just this gut-wrenching feeling of like,
oh, within about, I don't know,
six to eight weeks after the hot fixes were rolled out,
the threat actors had figured out what the hot fix did
to make it impossible for the Ragnarok attack to work
and they had done a workaround.
They had just, you know, bounced their attack around
the thing that the hot fix was able to, you know,
in a very rapid way, kludge together to make it not work.
They kludged together something that got around that hot fix.
And wham, round two officially begins.
More Sophos firewalls are getting hit with a brand new vulnerability,
one that Sophos had no idea was even possible,
but Sophos was ready.
They even developed a specialized team just to handle this, X-OPS.
So X-Ops jumped on it.
They saw what the vulnerability was,
they wrote a fix for it,
and started immediately trying to patch the firewalls.
The team starts to realize,
oh, we need to give these things names
because if we're going to be having these attacks happen in sequence in short order,
to just keep straight, we need to come up with names.
So they decide to use the names of locations around the Pacific Rim as the code names for these internal attacks.
So they give this attack a nickname Baja.
It doesn't have anything to do with Mexico.
It's just they just decided that they want to talk about it in the sense of, you know, it's on the Pacific Rim,
which is a region of the world where volcanoes and earthquakes happen, right?
So it's a place of turmoil.
So internally, Sophos realized this attack
is bigger than a single attack.
This attack is linked to multiple attack campaigns
against their product.
So they called this whole series of incidents
the Pacific Rim campaign.
So what the threat actors figured out
when they were doing this,
the development of this Baja attack,
was that they had watched Sophos
and they had watched how the hot fix mechanism worked.
And they learned how to
develop a new exploit,
and also, they started to develop technology and technique to get around hot fixes.
So they figured out how hot fixes were being deployed on firewalls, and they were slowly
starting to turn off features inside the firewall that allow the hot fixes to launch and run
and do their fixing. Now, this time, they're putting just regular old web shells on the firewalls.
A shell is like CLI access to a computer. A web shell
is having remote CLI access to a computer over the internet.
And what the threat actors did this round
was simply give themselves remote access
to as many Sophos firewalls as they could.
And this also removed the need for the attackers
to use command and control servers
because they could just log in directly to the firewall
whenever they wanted and do whatever they wanted to it,
which again is a huge problem.
You should not allow attackers to enter your firewall on the internet.
This is like the security guard of the building
suddenly being remote controlled by the bad guys.
In June, I mean, we'd seen this attack happen and obviously, you know, it was an Apache module issue.
And it was chained with, like, a local privilege escalation.
So it's basically, again, any device that had a WAN facing web portal could be affected, which was a lot of devices.
The threat actors set up these web shells where they just needed a username and a password to log in.
And so the Sophos team tried to crack that password, but they couldn't for some reason.
Actually, I think we unsuccessfully tried to crack the hash of the password,
but I think eventually we found out that the actual password was Gucci.
Now, we came across this a while later,
because it seemed to be a common password for Chinese threat actors to use, the word Gucci.
Now, I have no idea why.
You know, we find, I think at the time,
there were about 175
to 200 devices
that were affected.
Okay, so one thing you want to do in your investigation
is just try to see if there's a commonality
of what firewalls are being exploited like this.
And that might give you a clue as to what might be next
or who's behind this.
So they start looking to see where these firewalls
exist in the world and for which customers.
Yeah, so this one was very much targeted.
You know, the first attack was very much a spray-and-pray type attack.
This was specific devices around the kind of Asia Pacific area.
I think, you know, like Taiwan, Pakistan, places like Philippines,
you know, very much targeted, completely different to the first attack.
And, you know, we kind of found that, you know, this one had delivered
payloads that had been used in kind of earlier attacks as well.
So again, you know, two Linux shell scripts.
So we were able to kind of connect it back to
a specific actor. You know, we'd obviously seen these specific files and hashes on the device
that we've been tracking and then eventually we see it being used. Now, what was kind of interesting
about the way that they would develop these is that we kind of see them starting to work. Now,
obviously they'd be working through Chinese hours, they work 9 to 5 and, you know, we'd see them
with amazing OPSEC externally, but the OPSEC they had on the
box was atrocious. So they would be, for example, working with crash dumps. And you could set up
the Sophos firewall that if you ever had a kernel crash or a crash of any sort, it would email
you the crash logs to your email address. Well, these guys would use their personal email
addresses. So imagine the actual firewalls registered to a completely anonymous person. And then
we have linked email addresses and Gmail addresses inside the firewall telemetry because I guess
it was probably quickest and easiest for them to grab that stuff from their personal mail, you know,
and it was super easy for us to, like, OSINT exactly who these people were.
They start looking back in time at the telemetry that they collected and they discover that this was another bug that
someone had submitted a bug bounty for and gotten a payout on.
And here it is being used in the wild, like just days after the payout happens.
So this is starting to get to be a pattern.
And the attacks are widespread.
People are taking notice of it.
So I get called in and have to decode how the whole attack works and do another flowchart,
similar to what we did with Asnarok, to do the Baja attack.
These two names keep showing up again in their analysis of these attacks,
which are G. Big Mao and T. Stark.
These are the people who registered for trial licenses of Sophos firewalls.
They were in China, and the malware would show up on their device first,
which would indicate this is where all this is originating from.
Well, you know, one of the things that we can do,
so you've got this telemetry tool that you can do basically wide-scale
threat hunting within the firewalls themselves.
And so you can do things like, okay, well, we recovered a piece of malware
off of the very first machine that belonged to a customer.
Let's see where else this malware exists on the universe of firewalls that are out there.
And that was how they found T. Stark.
So T. Stark's firewall was the first one where they found a copy of not just the same malware,
but like the binary identical, like the actual same file on this guy's firewall.
And he had been there for two months.
So he'd been experimenting with this piece of malware.
While the Asnarok attack was happening,
he was basically planning the next one.
Like in the middle of us dealing with the aftermath,
they were already developing the exploit
and building out the payload for that attack.
And then the other thing that was really interesting
was that we found a bunch of other stuff
on this T. Stark guy's firewall.
His firewall had a bunch of malware on it
that was designed to run on the Mac
and on iOS on iPads and iPhones,
and there is no conceivable reason
why there would be, like, a Mac executable
inside of a Sophos firewall.
There's no reason for that.
So that was an interesting find,
and we didn't really understand
what that was being used for,
why that was there, until much later.
Yeah, what was that?
So this all happened in June.
Starting around August, September,
Sophos had started to communicate with other companies in the field,
some of whom did forensic analysis,
you know, post-attack analysis for their customers.
And one of these companies is called Volexity.
And Volexity reached out to Sophos because they had a customer
with Sophos firewalls,
and they were called in to do the investigation on the Baja attack,
and they had also discovered macOS and iOS software in their firewall,
and Volexity came to Sophos and said, hey, guys, why is this here?
We had no idea.
But it turned out, so Volexity had figured out that the threat actors
who were dropping these pieces of software on the Sophos firewalls
that they were investigating, that the owner
of those firewalls
was operating a
charity that supports
the Uyghur
diaspora.
And the Uyghurs are
an oppressed minority
in China.
They believe in
Islam and they practice their faith,
but they are
strongly discouraged from doing so,
and they've been put in
prison camps, and
you know, it's the story of the Uyghur
is outside of the scope of this podcast,
but the point is that there's really only one organization
that actually cares about these two groups of people,
you know, about surveillance of these two groups of people,
and that is the government of China.
During that time, they kept a close eye on the activity
of G. Big Mao's firewall,
and they would see it would just get infected with a new vulnerability,
which was like the fourth zero-day vulnerability
on the Sophos firewalls.
Zero-day vulnerabilities are ones that Sophos doesn't even know
exist. They've had zero days to fix this, basically. And for me, this is the point where I suddenly
see the scale of all this. The first attack was scary already, but four zero days on a security
device discovered and leveraged by the same threat actor? That is a lot of time and resources
put into finding ways to attack Sophos products. This isn't just a group of kids or even some kind of
cybercriminal who is focused on making money. When someone can spend this much resources and time
focusing on getting into a very specific thing
and spend years doing it,
that's typically a nation state behind it.
The skills and patience were so impressive here,
which meant Sophos had a lot of work ahead of them to fix this.
Absolutely.
You can imagine, like, the amount of work that this spins up
and the way that it kind of balloons out of control,
as you discover that more and more pieces of the open source code
base that you're using are being
exploited in different ways.
Yeah, who has time for
all of that? Like, if all
you're doing is just fixing these patches,
that could be a full-time job.
But you're also supposed to be building
out a product that has new features
and response to customer
requests and all other things.
So, yeah,
at a certain point,
it just becomes oppressive. Like, the amount of
patching that you have to do and the analysis
involved in that. And, you know, fixing the firewall takes just as much QA. You know, it takes
time to build things that don't break. And these are critical, I don't want to say they're
critical infrastructure, but they're protecting critical infrastructure. Yeah, I mean, in reality,
you know, we're at that point that, you know, the Sophos firewall itself needed some
hardening. I mean, that part is fairly clear. There was an internal mission going on
where development resources were pivoted to trying to harden certain elements of the operating system
and web portal to really help us.
That web portal, I'll tell you, man, the more ports you have open, the more vulnerable you are.
And if you have a web portal, you're going to have a million different ways to mess with that thing.
You are.
When I was a firewall admin, I was very adamant about zero exposure to the Internet.
No SSH port, no web portal, nothing is allowed
that the internet should be able to access on this firewall.
If you want to get to this firewall,
you have to come at it from the inside.
Exactly.
And I wish every firewall admin acted like you, Jack.
But anyway, we had people who just put the firewall on the internet
and they put the web portal out there.
There was some legitimacy around putting your web portal out there
because you had the admin portal,
which is separate to the web portal.
The web portal was where users picked up SSL profiles
and, you know,
things like that.
I mean, it is wild to think that someone or some team out there is working feverishly
to find vulnerabilities in your product and then to have an implant on their firewall so
you could watch them develop their exploits, and the threat actor had no idea there was an
implant on there watching what they were doing.
The Sophos team did a really good job at hiding it, so it'd be really hard for them to notice.
It was really well hidden, you know, so, you know, we did start to get some really good
telemetry and start to know these guys.
And honestly, we were really obsessed with it.
It was almost like obsession ops.
We would just wait for this telemetry to come in
and then we would be all over it.
You know, we'd start to dissect what they were doing,
how they were working.
You know, if they'd add any new IP addresses,
we'd start to OSINT it.
And we'd start to build a picture of who these people were.
There were multiple threat actors
that we were watching at any one time.
And, you know, it's kind of funny because, like,
you know, I often think that, you know, external threat intelligence is very much like, almost like,
astrology, infosec astrology, you know, where people are kind of connecting a technique to a specific threat actor group.
Dude, we had names. We could tie them to companies, you know. And then we could tie it to threat actor group attribution.
You know, it was a really weird situation we were in. We had visibility
that was just unreal. I remember, like, at one point we saw one of the actors searching for a flat.
So we started to work out that, you know, he was looking for a flat. Like, he was a normal dude.
You know, he's going about his everyday life, probably sitting there bored in the lab,
you know, having run the same test 10 times and thinking, like, you know, I really need to sort
my housing situation, you know? And we're there, like, building this picture of his life.
And honestly, we were obsessed by it. It really became like obsession ops.
Yeah, because since Craig had control of the firewall in that
guy's lab, he could essentially see all the traffic going through it, which gave him a unique
look into this person's life. And with these new insights and closely watching everything that was going on,
the Sophos team were able to quickly create fixes for the vulnerabilities to minimize the impact
as best as they could. So with all these vulnerabilities fixed, round two of this battle came to a close.
Sophos had a lot of bruises, but I think they won the battle.
Yeah, I must say for round two, there's several parts
that are kind of useful.
Number one, round two really validated our use of telemetry.
It was the first time that we'd really used our implant.
The other aspect to this as well is we'd become really adept at finding these
threat actor devices.
So we started to work out that, obviously, we'd identified this actor called gbigmao.
But all in all, we were dealing with about seven different actors that we could see.
You know, some of them were doing the same thing, but in different
locations. So we kind of worked out quite quickly that they're working for individual Chinese
defense contractors because when you think about like a government department, they're not going
to duplicate the same work because effectively it's all the same people working where a defense
contractor, everything is valuable to them. If they're the first to an exploit, that's super
valuable. So what we found then is we found these multiple companies. And one of the simplest ways
we actually found it, funnily enough, and this sounds so basic,
is that we would look at devices
that would be continually going up and down
firmware versions.
And these
threat-actor devices would constantly
be putting the latest firmware on,
roll it back, new firmware, roll it back.
And they'd do this like, I know, maybe five or six times a day.
Whereas like normal firewall operation,
it's like, it's a new firmware and it's left.
And then in a month it gets new firmware and then it's left.
So these things just
stood out like a sore thumb. So it suddenly became really easy to find these threat actors,
you know. The more telemetry we had, the easier it got, you know. And we started to really
build a wide assortment of threat actors in China, the locations they had, and of course,
you know, their honestly piss-poor opsec that they had on the device itself just allowed us to start
building up really quite wide profiles on them. And over this period, we would start to like really
get an idea of how they were targeting things. And it was very much like seeing them do something,
build an attack, know that this was coming and having to wait for it to be deployed, you know.
I mean, if we went and pre-patched the devices continually, they would have noticed, they would know
that the game was up, you know? So we kind of waited to understand what was happening, would wait for
the first indication of deployment of whatever they were doing,
and kind of run and patch it almost immediately, you know?
So we had probably one of the craziest, like, forward-going threat intelligence.
Oh, that's crazy.
Threat intelligence is simply the understanding of what threats you will face or have faced.
This is why I think it's really great having records of all attacks that your company has ever seen,
because it's incredibly valuable at helping you defend against future attacks.
But in Sophos' case, they knew exactly what threat was coming next,
and were 100% prepared for it the moment it would be seen.
That's really slick.
That's threat intelligence that's on a whole new level.
But even after two huge rounds of attacks against Sophos firewalls
and discovering four zero-day exploits on them, the war wasn't over.
The threat actors continued to develop more and more exploits for Sophos firewalls.
Yeah, over time, the threat actors were increasingly,
they were targeting specific organizations or specific groups.
They identified who all of the customers were in those early attacks
because they smacked all of the firewalls at once and grabbed some data.
Oh my gosh, I didn't even think of that.
So if we back up and look at the way all this has progressed.
First, they hacked into Cyberoam only to get the source code for Sophos firewalls,
which gave them inside information to basically bug hunt.
Then they infected 80,000 Sophos firewalls with malware,
taking all their configurations and information
about the firewall itself, and then combed through that, looking to see what targets are
interesting to them, and now they're being super precise about who they're hitting.
This campaign keeps evolving.
From 2021 onwards, it really pivoted towards a very short focus to discriminate attacks, you know,
really highly targeted hands-on keyboard attacks against specific entities.
So, for example, government agencies, critical infrastructure,
research and development organizations,
healthcare providers,
everything from kind of retail
through to military, even finance, you know?
And again, all focused in the APAC region.
Jeez, what a nightmare.
I cannot imagine all these places
getting hacked into through my security device.
All these companies bought Sophos firewalls to protect themselves.
And it was that very firewall
which allowed Chinese hackers in.
At some point, did you reach out to some of the
victims to say, hey, I think the Chinese government is attacking you?
So that's one thing we did really extensively. Well, two things. One is we'd reach out to the
customer. And again, this was part of our philosophy of making sure that, you know, there's no further
damage or no hurt. And as well, we would reach out to either the localized law enforcement
or if we had great ties to the local, you know, CERT or NCSC or whoever the local cyber authority was.
Now, in the UK, we had some amazing connections in the NCSC,
and they would help us facilitate these connections out to all sorts of CERTs and bodies.
And, you know, they were incredibly supportive of us.
Yeah, I mean, what's that call like to call up a government, a foreign government?
I know you're just talking to the sysadmin there, but still, like, hey, you guys are getting hacked.
It's pretty strange, you know, and not only that when we sit there, you know, obviously through translation very often,
explaining what we've seen and what happened and who we attribute it to, it's a very strange experience, you know.
Also, not as strange as calling up another firewall provider, telling them that their box is being tooled over by a Chinese threat actor, and them asking us, well,
How do you know?
And not really being able to tell them how we know and why we know, but we definitively know.
That's a bit of a weird experience also.
At some point, Cyberoam gets hacked into again.
Well, it turns out that the Cyberoam code is the predecessor to the XG firewall code.
So Cyberoam was the company that Sophos bought, and their product became the XG firewall.
So back in 2018, we're talking about how the threat actors had stolen the source code.
They were using some of that still to find additional vulnerabilities.
And they found a vulnerability.
At this point, Cyberoam and the XG Firewall were operating in parallel,
but Cyberoam was about to be phased out.
It was about to be end of life.
And the threat actors found a vulnerability that allowed them to create an admin-level account
on the box with just a SQL injection
query that was pre-authentication.
So they could just hit the SQL server that was running on the firewall from the outside
and run a command that was able to get it to add a user with admin access.
And then they could log in on any Cyberoam firewall that they wanted to with that credential.
And there was no easy fix for it.
And because the product was close to end of life,
Sophos just decided to rush it to end of life and get everybody who was running
a Cyberoam firewall to upgrade to the latest XG and put that one to bed, because it was the point where,
if we had to start, you know, tracking attacks against Cyberoam and XG firewalls, that would have taken
all of the entire team's resources all the time. At a certain point it just made better
sense to end-of-life the product early.
It does make me think, though, if they were trying to get
into Cyberoam to get source code,
they were probably trying to get into
Sophos' network as well, trying to get
source code.
I mean, yeah,
that's an interesting thing to
hypothesize about, but I
have no idea about that.
You should say, no, the Sophos firewalls
are so good that they blocked those guys.
Don't worry.
Well, I don't work there anymore,
so I don't have to defend them, but, like,
I do think that, you know,
Sophos did have, it did seem to have,
better security practices than Cyberoam did.
So after the threat actors found an exploit in the Cyberoam product,
and were actively exploiting that,
Sophos just decided to kill that product altogether.
Now, Andrew tells us it's because it was already on its way of being killed,
but I don't want to diminish the idea that a cyber attack can have the effect of killing an entire product line.
That's a pretty big deal, if you ask me.
Anyway, somehow the French authorities investigated the Cyberoam intrusion
and publicly announced that the attack was carried out by APT31,
which is a Chinese state-sponsored hacker group.
So yeah, if it wasn't clear by now, it should be.
The Chinese government and military are the ones who are behind this attack campaign
known as Pacific Rim, which has been going on for years at this point.
We started to see these actors working on more and more attack types,
especially TStark, you know, we found him working on, like, a
rootkit at the time. It was called libxselinux.so. And we managed to capture it from his device.
And it was like a customized userland rootkit. So that was actually a real win for us.
I remember feeling like, okay, yeah, we've really got a great view of what's happening on these
devices here now. Now, we managed to grab these devices from the TStark device. But like a week
later, then he's got a completely new, like, injection there, like a new vulnerability
in web assembly, and it's kind of unknown to us.
And effectively what he was doing was,
he was in this web assembly vulnerability,
he was injecting, like, an iframe into the proxy as things
move through there. And we found that
this thing, like, I think
about two weeks or so after we found it,
had actually been deployed in Tibet.
Now, this was,
we found this on this device in Tibet
for an organization
that was basically providing
support to Tibetan exiles.
So, you know, he basically
moved from 10 days to deployment.
Yeah, and I can't remember which,
I don't know who said it.
I feel like a president said something like,
you know, a business isn't going to be able
to take fire
from, like, a Scud missile or rocket launch.
And so we can't expect them to be able to take on attacks,
cyber attacks from nation-state actors as well.
And at this point, you're starting to feel confident
that this is a nation-state attack on your company.
And at this point, there's five or six different zero days
that they've discovered on you.
I mean, that's got to be some of the most heart-wrenching,
gut-sinking feelings to say,
okay, I don't know how we're going to ever stop this attack.
This might go on forever.
Like, what is your response to this mentally?
Honestly, I remember at that point just feeling exhausted, you know.
Like, this has been months and months and months of us fighting these,
you know, what is effectively the PLA, you know,
for all intents and purposes.
And the truth is, like, who else helps these organizations?
That organization, Tibet,
had nowhere near enough resource to be able to deal with this.
They were lucky that Volexity had been doing some pro bono work there.
We'd reached out and helped them as well.
But in reality, like, if it hadn't been for our graces,
they would have been stuck.
And it really comes down to this weird intersection on the internet of lawlessness.
Like, there's just so many areas that just are not covered with anyone.
I mean, the UK, you know, we have the Serious Organised Crime unit,
and we have the NCSC who protects us. In the US,
they have the FBI and the NSA.
And, you know, many countries just don't have anything.
And this is the part that actually surprised me the most.
Like, who do these people call?
You know, we felt like heroes, but in reality, like, who are we to deal with this?
You know, we're kind of woefully underqualified to deal with a threat actor at that level.
You know, I mean, this felt like almost a military operation.
Yeah.
Suddenly your war room doesn't feel so up to snuff, right?
You're like, man, we're nowhere compared to their war room.
Exactly, like, you know?
And I think that's what surprised me is, like, we were really on the edge of, like,
what is effectively cyber warfare.
And it started to really tip into that feeling with this.
But it was certainly interesting.
And, you know, as a whole, you know, seeing that payload being
delivered there and understanding the purpose, why they delivered the payload, having seen it being
built on a device in Chengdu like 10 days, two weeks previously, it was just one of those crazy
moments of like, oh my God, like, we really see this soup to nuts.
Now when Sophos would issue a hot fix or patch their firewalls, they would tell their customer
what the update was for, like bug fixes for several security vulnerabilities to learn more
visit our knowledge base.
But Sophos discovered that the threat actors, TStark and gbigmao,
were also accessing Sophos's site, logging in and reading the knowledge base articles too, to see what got patched.
And they were reading exactly what Sophos had fixed and then developed exploits to get around those patches.
So the Sophos team had to get increasingly vague with what got fixed to avoid giving the enemy information.
And I suppose that's a form of counterintelligence, being very careful what information you give your enemy.
But it kind of contradicts what I said earlier about don't be evil, right?
If you're not being transparent and you're hiding what it is you're doing,
then you might be evil.
But in this case, they had to hide it because they didn't want their enemies to know this.
This is so difficult to navigate.
And at that point, the threat actors understood how the hot fixes were working
and what telemetry Sophos was collecting off these firewalls,
and so they developed an exploit to disable the hot fixes
and to stop the telemetry from going back to Sophos
to detect which devices were infected.
And they took extra steps to hide their presence.
The threat actors are developing exploits
and they're developing malware
and they're coming up with new techniques
for breaking into firewalls.
And the implant is revealing all of that stuff
to the security team.
So behind the scenes, the security team
is rushing into production hot fixes
and patches for the operating system
that fix these
vulnerabilities before the threat actor even knows.
And because they have this ability to send the hot fixes,
you know, not necessarily to every machine, but maybe to every firewall,
except the ones that the threat actors are using,
they can fix the whole universe of firewalls except for the ones that the threat
actor is using.
And I think after you've tried to deploy your second or third or fourth attack and it just
doesn't work and you're scratching your head because it works in the lab, look, I can show you
it. I demonstrated it to these guys in the higher-ups at the company or whoever is telling me to do this
attack that it works. But in the wild, it suddenly doesn't work. I think after two or three times
of shooting blanks, you're going to start to wonder like, hey, is there something else going on?
And they started to look at, well, what is this information, what's a firewall collecting about us?
And are we inadvertently revealing, as bad guys, to the good guys what we were about to do?
So, yeah, so they start looking at telemetry.
They start looking at log collection and process lists.
And they're trying to build out the capabilities to be stealthy.
It's maybe distracting them from building custom malware or
developing new exploits, but they have to spend a little bit of energy on, you know, it puts them on the back foot.
And for the first time, I think this is like one of the cases where you can say, yeah, there was some challenges and we had some bad days early on.
But we're forcing the threat actors to have to make moves to counter us. And actually, that feels pretty good.
This story just goes on and on. There was another root kit found. There's a root kit number four.
libsophos.so.
Yeah.
So libsophos was the very custom rootkit.
It was able to, and again, yeah, deleting logs, hiding its presence on the machine,
trying to do everything as stealthy as possible, low volume of outbound communication and persistence.
They're experimenting with everything.
And it seems to me that the threat actors have been given carte blanche to just try and experiment with all sorts of different things.
So during this period from late 2020 to the end of 2022, we're seeing a huge variety of different payloads, of exploits.
It's bad.
It's bad out there.
It's kind of like the Wild West, and you never know where something's going to
come from. At some point, they saw the threat actor was trying to develop a UEFI bootkit.
This is malware which infects the firewall at the BIOS before the operating system even has a chance to boot up.
You know, if you can get a bootkit into the UEFI BIOS of a device, there's nothing that you can do in the, you know, userland of the operating system to remove it,
because it's running at a level beyond which the operating system cannot reach.
Yeah, a bootkit like this would remain on the system,
even if you deleted everything and reinstalled the entire operating system again,
since it lives in the part of the computer which loads before the operating system loads.
This was actually kind of scary to find this experimentation happening on one of the threat actor devices.
They were really trying to figure out if they could get this bootkit to run on a firewall,
and they ended up bricking the firewall.
It didn't work.
And after we discovered what they were trying to do,
the Sophos engineers figured out how to, you know,
change the firmware on the firewall at that low level
so that it wasn't able to run.
And they implemented that in an update.
But that's the scariest thing on all of this.
I think the UEFI bootkit malware on a firewall
is the Holy Grail.
It's where you've got malware on a firewall.
It can't be removed.
The firewall has to be thrown in the trash.
It's scary.
And we've already seen that there's been other firewall vendors
where their recommendation was
unplug this box and put it in the trash
because it is not safe to use anymore.
So it makes me wonder,
because we never get the details from other reports
about what happened, whether this was successful with other vendors,
and whether they were testing this with us and it just failed because we were watching them
and stuck a wrench in the works just at the right moment and made it too much of a pain in the butt
for them to keep trying, and they just moved on to the next guy.
This was very much the kind of end of my involvement in this,
because I actually left Sophos at this time and went to work
for the company I'm currently working for now, you know.
But I mean, from that point, I kept in really close contact
with my colleagues who were there.
And we were sharing intel as things progressed, you know.
But I mean, there were kind of two further published engagements,
basically one in May of 2023 and then one in March of 2024.
And then it kind of came to a head, you know,
which actually
was kind of disappointing in a sense
for me, because I think
very often that this stuff
hasn't stopped.
I mean, the devices are significantly more secure now.
Sophos is putting an
extraordinary amount of time, effort
and money into hardening the devices.
I would actually hazard to say
that they're probably the one, for a global company,
that actually is secure now,
you know.
In all seriousness,
though, it's, you know, I think it's one of those aspects of, you know, you learn from your mistakes.
I mean, Sophos being incredibly open and clear about this. I mean, kudos to them. I mean, you know,
being open about it and, you know, publishing your mistakes and also, you know, publishing what we did
and how we worked through this is super unique, you know, and you don't see any other firewall company
talking about this. And we know for sure that this stuff was happening across a multitude of other
devices. The truth is, it's probably happening right now to some other firewall providers.
We just, they just don't know. They don't collect telemetry. They don't have the hotfix
mechanism that allows them to forward-defend you. And yeah, it's an issue. It's still an issue.
One of the actors involved in all of this, we talked about him earlier, his name is, you know,
he used the handle gbigmao, and we eventually figured out his real name. You have the pictures of him,
and the guy appears on the FBI's Ten Most Wanted list today.
His name is Guan Tianfeng,
and he was the researcher at this company called Sichuan Secret...
Silence Technology Company.
Yeah, Sichuan Silence Technology Company Limited, right?
So this guy made it his career to break into firewalls
and find vulnerabilities
and then pass them off
to people who would take advantage of them.
And for all of his efforts,
he's in his early 30s,
he has a $10 million Rewards
for Justice bounty on his head,
and he can never travel
outside of a non-extradition
country in the world
ever again without fearing
for arrest and extradition
to the United States.
And it just makes me wonder
if it really was worth it to him.
Because in many respects,
he seems like a nice guy.
At one point, he had his heart in the right place.
So, gbigmao, in his early days of working in this field,
used to post on message boards
trying to get firewall companies to fix their stuff.
I can't imagine what happened to turn him,
to make him break bad
in this way. It actually says in the FBI's Cyber's Most Wanted poster that this guy hacked into
80,000 Sophos firewalls. And just because I'm curious, I took a look at a few dozen other FBI
Cyber's Most Wanted posters, and strangely, I don't see any other person listed for hacking into
other security vendors. So again, hats off to Sophos for taking the threat actors so seriously
and getting them on FBI's Cyber's Most Wanted list.
The story, as we published it, finishes in 2024, not because the attacks stopped,
but because at a certain point you just got to put a pin in it and say,
we're going to stop here because if we keep talking about this, it never ends
because the attacks have continued ever since.
Nothing has stopped.
And if there's anything to be said about this is that the cadence has picked up,
it has broadened its scope.
We're seeing every security company in the industry
in various ways targeted in very similar ways.
A big thank you to Andrew Brandt and Craig Jones
for coming on the show and telling us this incredible story
of how Sophos got targeted by a Chinese state-sponsored threat actor.
This story is dang scary to me,
since the playing field is so unfair.
A single company versus a superpower like China.
And not only that, a superpower that's lawless and feels absolutely no shame from breaking the law.
You'd think that after their main guy was arrested by the FBI, they'd pull back and maybe apologize.
But no, they increase their efforts and are hitting harder than ever against so many security vendors too.
Hey, I really want you to become a premium subscriber to Darknet Diaries.
All I'm asking is for you to buy me a cup of coffee once a month.
This is my full-time job.
This is how I make a living.
If I suddenly stop making this show, would you be sad?
If so, then you probably find it valuable.
And I hope you support things that you find valuable.
If you become a premium subscriber, you get ad-free episodes, bonus episodes.
And coming up later this year is a new podcast I'll be releasing,
and you'll be the first to listen to it,
because it'll only be available to premium subscribers for a while.
So please visit
plus.darknetdiaries.com to support the show.
Thanks.
This episode is created by me, the lead firewall offender, Jack Rhysider.
Our editor is the port knocker, Tristan Ledger.
Mixing done by Proximity Sound, and our intro music is by the mysterious Breakmaster Cylinder.
I named my firewall linebacker because it's great at blocking and tackling.
This is Darknet Diaries.
