
Sophos's Five-Year-Long Cyber Knife Fight With Chinese APTs

Tom Uren
Friday, November 8, 2024, 8:00 AM
The latest edition of the Seriously Risky Business cybersecurity newsletter, now on Lawfare.

Published by The Lawfare Institute
in Cooperation With
Brookings

Editor’s Note: This newsletter is part of a collaboration between Lawfare and Risky Business. You can find the full version of the Seriously Risky Business newsletter and previous editions on news.risky.biz.

Sophos’s Five-Year-Long Cyber Knife Fight With Chinese APTs

Cybersecurity firm Sophos’s counterintelligence efforts against malicious actors targeting its firewall products will set new standards for acceptable and desirable behavior from vendors. Last week, Sophos released details of an evolving, five-year effort to counter China-based groups targeting its firewalls. The report details the cut and thrust between Sophos and a loose collection of Chinese hacking groups, and how each side responded and adapted to the other’s actions.

The saga started in 2018 with the compromise of a computer driving a wall-mounted display at Cyberoam, an Indian subsidiary of Sophos. This breach appeared mundane, but pulling on the string revealed that the actor had compromised other machines on Cyberoam’s network with a sophisticated rootkit. Wired reports that “in retrospect, the company believes that initial intrusion was designed to gain intelligence about Sophos products that would enable follow-on attacks on its customers.”

Sophos’s response to this incident was fairly standard, but it upped the ante in April 2020, after what it called the “Asnarök” trojan attacks. These attacks marked the beginning of what turned out to be multiple campaigns through much of 2022 to build a botnet from compromised firewall devices. After discovering this attack, Sophos pushed out a hotfix that, in addition to patching firewalls and removing the Asnarök malware, increased the volume and variety of telemetry collected by its devices. Crucially, the security firm used this extra telemetry data to identify a single device that the hacking groups had used in February to test their exploits, well before the attack proper was discovered.

Trial registration data was used to identify multiple associated devices, and Sophos said “telemetry from these devices showed command line access and usage consistent with vulnerability research and exploit development.”

In late April 2020, Sophos started working on “forward deployment tooling,” “a specialized kernel implant to deploy to devices that [the vendor] was highly confident were controlled by groups conducting malicious exploit research. The tool allowed for remote file and log collection without any visible userland artifacts.”

Sophos deployed this implant to adversary-controlled test devices to observe exploit development and testing as it was taking place. The firm used this information to understand vulnerabilities and remediate them before they were widely exploited. It was also able to retrieve malware, including a UEFI bootkit, and write detections before the malware was deployed in the wild.

Of course, Sophos wasn’t acting unopposed, and the Chinese groups were also upping their game. Over time they deployed scripts to disable automatic hotfix updates, improved their operational security to become more targeted and stealthier, and took steps to block Sophos’s collection of firewall telemetry.

Ross McKerchar, Sophos’s chief information security officer, told Risky Business host Patrick Gray that the company knew Chinese exploit developers were monitoring its hotfixes. Accordingly, Sophos was “very careful” about changes to avoid tipping them off. For one hotfix, this involved obfuscating its intent by also fixing several unrelated low-severity issues—providing a “cover story” for the patch, if you will.

Deploying a kernel implant has been controversial in some quarters, but McKerchar said Sophos limited its activities to specific devices and was careful to operate within tight constraints. Without going into details, he said the end user license agreement was “certainly part of” getting the go-ahead from legal counsel, and he noted that Sophos was “working with law enforcement at the time.” He later mentioned that cybersecurity authorities such as the U.K. National Cyber Security Centre and the U.S. National Security Agency had been “incredibly supportive and helpful throughout this.”

When it comes to this kind of threat hunting, McKerchar suspected that Sophos “was ahead in this area” compared to other network device vendors, for a couple of reasons. In addition to selling firewalls, Sophos is an EDR (endpoint detection and response) vendor, and the techniques the company used in this investigation, such as collecting and analyzing telemetry for threat intelligence, are bread and butter for EDR companies. There are not many companies that straddle both markets. Sophos’s mid-market focus also meant that its customers were more likely to accept hotfixes and keep telemetry turned on.

McKerchar’s view was that Sophos’s actions had significantly reduced harm to its customer base. Whereas previous waves of attacks had affected tens of thousands of customers, Sophos was able to preemptively limit or even shut down the hacking groups’ opportunities.

His motivation in disclosing Sophos’s activities and talking explicitly about a kernel implant rather than, say, “enhanced telemetry collection,” is to encourage other vendors to consider taking similar action. He believes that, on balance, the benefits to customers outweigh potential risks to customers’ privacy or data.

The other side of the equation here is the behavior of Chinese actors. In recent years, they have become increasingly aggressive and directly imposed significant costs on information technology organizations. Consider, for example, the mass exploitation of Microsoft Exchange servers in 2021 that was exacerbated by criminals exploiting unsecured webshells. Or the compromise in 2023 of Barracuda email security gateways, in which Chinese actors dug in so deep that Barracuda recommended its appliances be junked.

There are no settled norms of behavior in cyberspace, and adversaries’ strategies and actions continue to evolve. Defenders should run to keep up, rather than observe standards that were appropriate for a threat environment that has long since disappeared. Don’t bring a banana to a knife fight, in other words.

Snowflake Hacker Suspect Arrested in Canada

The man allegedly responsible for breaching multiple Snowflake cloud database accounts, Alexander Moucka, aka Connor Riley Moucka, has been arrested in Canada (as reported by Bloomberg and 404 Media). This is good news, but retracing Moucka’s actions shows that the cybercrime ecosystem has evolved such that high-impact breaches are now so easy to carry out, they feel inevitable.

Security firm Intel471 and Krebs on Security have good reports on the activities of the online personas allegedly associated with Moucka.

According to Intel471, one of the accounts allegedly associated with Moucka, ellyel8, was active in criminal communities on Telegram. Per Intel471:

The ellyel8 persona has been active on Telegram since December 2022 and demonstrated knowledge of actors and researchers engaged in Com investigations [Ed: The Com is an online cybercrime community active on Discord and Telegram]. The actor was a member of more than 25 Telegram channels and groups, authoring more than 1,400 posts from 2023 to 2024. The groups and channels are associated with adult content, leaked datasets, malware logs and subscriber identity module (SIM) card-swapping. On chat channels, ellyel8 made unverifiable claims of data breaches and intrusions and was often unable to provide proof to back up claims. This tendency, which is a common trait among underground threat actors, somewhat clouded the initial picture surrounding the Snowflake-related breaches. However, the actor appeared to be skilled in mounting attacks centered on the compromise of authentication credentials, allowing the actor entry into systems in search of high-value data stores for exfiltration... 
The actor ellyel8 has been a key figure within Telegram channels and groups, including Star Sanctuary and Star Chat — also known as the Star Fraud Telegram group — which collectively is one of the biggest SIM-swapping communities operating on Telegram since August 2022.

Attackers carried out the breaches all too easily. The persons responsible acquired credentials for Snowflake accounts that were likely stolen by infostealer malware such as RedLine or META. These credentials can be purchased on underground markets or on Telegram, and the victim companies had not configured their Snowflake accounts with multi-factor authentication. Wired has a deep dive into infostealer malware this week.
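The attack pattern above (a stolen password, no second factor, a login from an IP the account has never used) is visible in Snowflake’s own login audit view, and the missing control is an account-level authentication policy. The following is an added example, not from the newsletter, Intel471 or Snowflake’s incident guidance; it assumes the ACCOUNTADMIN role, the SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY view, and a constructed baseline date and corporate CIDR.

```sql
-- Added example (not from the newsletter). Assumes ACCOUNTADMIN and that the
-- CREATE statements run in whatever database/schema is current.

-- 1. Which users have logged in with a password and no second factor in the
--    last 90 days? These are exactly the accounts an infostealer log hands an
--    attacker outright.
SELECT
    user_name,
    COUNT(*)                  AS password_only_logins,
    MIN(event_timestamp)      AS first_seen,
    MAX(event_timestamp)      AS last_seen,
    COUNT(DISTINCT client_ip) AS distinct_source_ips
FROM snowflake.account_usage.login_history
WHERE event_timestamp >= DATEADD(day, -90, CURRENT_TIMESTAMP())
  AND is_success = 'YES'
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
GROUP BY user_name
ORDER BY password_only_logins DESC;

-- 2. Successful password-only logins from an IP never seen for that user
--    before an assumed campaign window (the cut-off date is constructed).
--    A credential bought from a stealer log typically surfaces this way.
WITH baseline AS (
    SELECT DISTINCT user_name, client_ip
    FROM snowflake.account_usage.login_history
    WHERE event_timestamp < '2024-04-01'      -- assumed baseline cut-off
      AND is_success = 'YES'
)
SELECT l.event_timestamp, l.user_name, l.client_ip, l.reported_client_type
FROM snowflake.account_usage.login_history AS l
LEFT JOIN baseline AS b
       ON b.user_name = l.user_name AND b.client_ip = l.client_ip
WHERE l.event_timestamp >= '2024-04-01'
  AND l.is_success = 'YES'
  AND l.first_authentication_factor = 'PASSWORD'
  AND l.second_authentication_factor IS NULL
  AND b.client_ip IS NULL                     -- no prior login from this IP
ORDER BY l.event_timestamp;

-- 3. The weak state is "MFA optional, each user decides". The corrected state
--    is an account-level authentication policy that forces enrollment for
--    password users and restricts which methods and clients are allowed.
CREATE AUTHENTICATION POLICY require_mfa_policy
    AUTHENTICATION_METHODS     = ('PASSWORD', 'SAML')
    MFA_AUTHENTICATION_METHODS = ('PASSWORD')
    MFA_ENROLLMENT             = REQUIRED
    CLIENT_TYPES               = ('SNOWFLAKE_UI', 'DRIVERS', 'SNOWSQL');

ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa_policy;

-- 4. A stolen password is far less useful if it only works from corporate
--    egress. The CIDR is constructed for the example.
CREATE NETWORK POLICY corp_only
    ALLOWED_IP_LIST = ('203.0.113.0/24');

ALTER ACCOUNT SET NETWORK_POLICY = corp_only;
```

Query 1 is the inventory a defender should have had before the campaign; query 2 is the retrospective hunt once a stealer log is suspected. Policies 3 and 4 are the account-level fixes: service accounts that genuinely cannot do MFA should be moved to key-pair authentication rather than exempted from the policy.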

There is some good news here. Last week, Operation Magnus, an international law enforcement effort, disrupted the operations of the RedLine and META infostealers. Officials seized servers in the Netherlands, took control of two domain names, and arrested two individuals in Belgium. Risky Business News has further coverage.

The Impact of China’s U.S. Telecommunications Hack Is Still Muddy

We continue to learn more about China’s penetration of U.S. telecommunications networks. The Wall Street Journal writes:

Hackers linked to Chinese intelligence used precision strikes to quietly compromise cellphone lines used by an array of senior national security and policy officials across the U.S. government in addition to politicians, according to people familiar with the matter.
This access allowed them to scoop up call logs, unencrypted texts and some audio from potentially thousands of Americans and others with whom they interacted.

The article’s headline describes this as “vast spying,” but we are not so sure. We’re more worried about the hackers identifying U.S. counterintelligence targets, as we wrote about in early October. That would have immediate and longer-term national security impacts.

As an aside, it is interesting to see that, per Risky Business News:

The Dutch government has fined Vodafone €2.25 million (USD$2.45 million) for failing to secure its phone wiretapping system. The company failed to screen staff, failed to have staff sign confidentiality agreements, and failed to implement logical and physical security systems. The fine was imposed for an investigation that started in 2021 and is not related to China’s hack of US telco wiretapping systems.

It is good that the Cyber Safety Review Board will examine the breaches.

Three Reasons to Be Cheerful This Week:

  1. REvil ransomware members convicted: In Russia, four members of the REvil ransomware gang were sentenced to between four and a half and six years in prison. It is the first time Russian authorities have sentenced members of a large ransomware operation. The four were arrested in January 2022, prior to Russia’s invasion of Ukraine. Risky Business News has more coverage.
  2. Thirty disruption operations in 2024: The FBI says it has conducted more than 30 ransomware disruption operations this year. Cynthia Kaiser, the deputy assistant director of the FBI’s Cyber Division, said these operations had sometimes discouraged gangs from targeting the U.S. More coverage in CyberScoop.
  3. Fewer bad things on the internet: An Interpol operation, Synergia II, has resulted in 41 arrests and the takedown of over 22,000 malicious IP addresses and over a thousand servers. The operation was targeted at infostealers and phishing and ransomware operations.

Risky Biz Talks

In the latest “Between Two Nerds” discussion, Tom Uren and The Grugq discuss what the Russian state gains and loses from hosting a ransomware ecosystem.

From Risky Biz News:

Windows to get a new admin protection system: Microsoft will add a new security system to Windows 11 that will protect admin accounts when they perform highly privileged and sensitive actions. Named Admin Protection, the system is currently being tested in Windows 11 canary builds. The new feature works by taking all the elevated privileges an admin needs and putting them into a separate super admin account that’s—most of the time—disabled and locked away inside the core of the operating system.

The mystery at Mango Park, and the Cambodian government’s shady reaction: Something is rotten in the state of Cambodia, according to an increasing number of reports that cyber scam compound operators are now receiving protection from local police and government officials. The perfect example of this new reality is the incident surrounding the recent “arrests” at Mango Park, a cyber scam compound in the country’s Kampong Speu province.

U.S. removes Sandvine from sanctions list after pinky promise: The U.S. Department of Commerce has removed surveillance gear maker Sandvine from its list of sanctioned entities after the company put out a public statement and promised to exit autocratic countries. The Canadian company said it had stopped operating in 32 countries already and was planning to exit another 24 by April 2025. Sandvine also changed its CEO, created a Human Rights Subcommittee, and promised to dedicate 1 percent of its profits to protect internet freedom and digital rights.


Tom Uren writes Seriously Risky Business, a big-picture, policy-focused cyber security newsletter. He also co-hosts the Seriously Risky Business and Between Two Nerds podcasts that appear on the Risky Business News feed. He was formerly a Senior Analyst in the Australian Strategic Policy Institute's (ASPI) Cyber Policy Centre where he contributed to various projects including on offensive cyber capabilities, information operations, the Huawei debate in Australia and end-to-end encryption.
