The ‘Pacific Rim’ Campaign: Corporate Norm Entrepreneurship and Active Cyber Defense

Published by The Lawfare Institute
Accountability and responsibility are important topics in debates about cybersecurity. While policymakers and analysts often focus on state actors and what qualifies as “responsible state behavior in cyberspace,” private companies, especially those specializing in aspects of cybersecurity, are also engaged in a debate about what constitutes responsible behavior.
Cybersecurity companies face acute dilemmas as they navigate the permissible limits of active defense (often called “hacking back”) against adversaries in cyberspace, and those that manufacture network firewall devices are no exception. Network firewall devices aim to prevent dangerous traffic from entering, spreading, or leaving the networks they protect. Unfortunately, these devices are often targeted by cyber threat actors as a means of gaining access to the very networks they are intended to protect. This can be a lucrative endeavor because firewall devices often form a convenient operating environment, owing not only to their position on the edge of networks but also to a lack of inspection ability and often surprisingly poor security.
Recently, one such company, Sophos, a developer of enterprise endpoint protection software and network firewall devices, chose to disclose a four-year campaign it executed against a set of entities that targeted its customers by exploiting the network firewall devices it produced. It did so in a self-proclaimed effort to advance the discussion around the accountability and responsibility to consumers and to the wider cyber ecosystem, that is expected of private-sector companies, especially those developing so-called edge devices (for example, firewalls, routers, email servers, network-attached cameras, and storage devices). A further, more subtle goal, claimed by Sophos’s chief information security officer, Ross McKerchar, was to start a dialogue about private-sector norms of active cyber defense.
Thanks to the commendable transparency of Sophos’s disclosure of its “Pacific Rim” campaign, it presents an interesting case study to advance the discussion of the role of cybersecurity companies in both improving understanding and providing frameworks for shaping accountable and responsible active cyber defense. The active defense campaign hews to the standards proposed for state actors and, because countries cannot as easily disclose their actions, provides a model for responsible active defense. The campaign was not just responsible; it was also effective, and so it offers important lessons for responding to threat actors.
The Pacific Rim Campaign
In early 2020, Sophos X-Ops, the company’s team dedicated to identifying and responding to cyber threats, discovered a mass exploitation incident, dubbed Asnarök, targeting its firewall devices. As part of the response to this incident, Sophos decided to increase its collection of technical information (telemetry) from its firewalls. From this data, Sophos X-Ops homed in on a device that seemed to be the “patient zero” used for developing the malware and exploits used during the incident. This discovery kickstarted a four-year campaign, dubbed “Pacific Rim,” in which Sophos continually improved its data collection to identify devices affected by the threat activity, culminating in the deployment of a “kernel implant” to some of these devices that allowed Sophos to acquire novel threat-actor-developed malware and preempt its deployment.
In a sense, none of these tactics is new. Antivirus (AV) or endpoint detection and response (EDR) agent telemetry, sometimes specifically tuned, has been employed previously to gain insight into threat-actor activity, acquire their tooling, and even deploy preemptive defenses—as well as more active measures. However, Sophos’s recent disclosure was viewed as exceptional even by cybersecurity industry veterans, to the point of stirring some controversy.
There are three reasons why Pacific Rim was viewed as controversial within the field. First, most previous instances of these practices and tactics involved the use of data from endpoint software deliberately installed by its users (or an authorized representative thereof) rather than the device vendor itself, or involved actions undertaken by cybersecurity researchers against threat-actor infrastructure. Both might be seen as significantly different from acquiring telemetry directly from network security devices.
However, the Sophos case is not unique. During the May 2023 incident involving exploitation of Barracuda Networks Email Security Gateway (ESG) devices, Barracuda used telemetry from its ESG devices to identify a threat actor exploiting a vulnerability in those devices, subsequently alerting customers and issuing hotfixes to patch the vulnerability and remove the malware. In that incident, though, Barracuda was far less transparent than Sophos about its actions.
This brings about the second reason for controversy in the Sophos case. Sophos chose to act with an unusual, even extreme, transparency in detailing Pacific Rim. It described the campaign in functionally precise terms, describing the code it deployed to devices suspected to be under threat-actor control as a “kernel implant”—instead of a more common and more ambiguous phrase, such as “enhanced telemetry.” This was a bold choice of language that avoided the usual euphemisms that cybersecurity companies often use in describing these tactics, a choice mirroring the assertiveness of the campaign itself.
Finally, some of the controversy might stem simply from the lack of public discussion and documented examples about the measures used by cybersecurity companies to counter threat actors, which makes Pacific Rim surprising in its content and in Sophos’s transparency about what it did.
The significance, unique scope, and transparency with which Sophos reported its Pacific Rim campaign justifies the commotion, making it a useful case to illuminate the challenge of countering cyber operations, irrespective of whether those campaigns are conducted by states or private actors.
"Pacific Rim" and the Principles of Responsible Offensive Cyber Operations
An important way to assess Pacific Rim is to consider how Sophos seems to have applied existing principles that norm entrepreneurs have advocated for responsible offensive cyber operations. Sophos’s account of Pacific Rim is itself part of this effort to clarify the principles of responsible offensive cyber operations. In an opinion piece accompanying the disclosure, McKerchar shared the guiding principles behind the campaign. He argued that increasing adversary costs by “burn[ing]” their capabilities is imperative for cybersecurity vendors. In this context, firewall appliances can be seen as an opportunity for their vendors to exploit “home-field advantage.” McKerchar emphasized that it is possible to respect privacy concerns while also improving the quantity and quality of information collected from the devices. He also argued that it was necessary for the industry to embrace the principle that hotfixes and end-of-life status for firewalls are non-optional. As McKerchar put it, if a firewall “is not just dead, but actively undead and dangerous,” this should be seen as an unacceptable state of affairs. Cybersecurity vendors must, therefore, retain the ability to protect their consumers’ security and, in doing so, uphold the common good of the wider internet. Finally, McKerchar noted that Pacific Rim owed its success to internal “blue-red” (defensive and offensive security teams) collaboration and external public-private partnerships. Similar lessons are also highlighted in a separate call for action, authored by Sophos CEO Joe Levy, which echoes McKerchar’s emphasis on the need for more transparency, accountability, and liability, and the reappropriation of incentives for phasing out end-of-life products.
Interestingly, the language used by both Levy and McKerchar is reminiscent of the “Accountable, Precise, Calibrated” language used by the U.K. government’s National Cyber Force in its groundbreaking 2023 paper “Responsible Cyber Power in Practice.” In an interview with Patrick Gray, McKerchar elaborated on this, alluding to the conceptual guidance provided by the U.K. National Cyber Security Center’s framework for software vendor responsibility and accountability. Taking the principle of accountability as the foundation of Sophos’s actions, McKerchar presents an even more far-reaching approach.
In the context of private-sector counter-cyber operations, accountability requires three pillars: consumer accountability, legal accountability, and accountability in terms of wider public understanding of a company’s actions. The first pillar requires a company’s commitment to protect and minimize harm to consumers (and the wider internet) by taking preemptive action against adversaries. For the second pillar, accountability comes through ensuring that preemptive actions are legally grounded in every jurisdiction that is implicated in the operation. Finally, accountability in the wider public sphere comes from transparent communication explaining what vendors are doing and why.
This last principle, of the role of communications in enhancing accountability, includes the use of unambiguous language like “kernel implant” in lieu of the functionally equivalent “kernel telemetry,” which is more palatable but also less accurate as to the company’s intent. In addition to accountability, calibration and precision are also important. Sophos’s X-Ops demonstrated precision in its operational conduct. They were careful to avoid actions that might have crossed the boundaries of a Sophos device, for example, choosing to observe the device network context only passively. McKerchar stressed that the Pacific Rim adversary was using a trial license and was not a Sophos consumer. Another example of calibration was Sophos’s decision to target only exploit and post-exploitation capability development to avoid creating a chilling effect for vulnerability researchers’ ethical discovery and reporting of vulnerabilities in Sophos’s products. This applies even in a context in which vulnerabilities discovered by Chinese researchers are legally required to be reported to the Chinese government before reporting them to the vendor, potentially creating a window for exploitation.
Another framework proposing guidance for responsible offensive cyber operations equates responsible behavior with verifiable technical steps to avoid unintended consequences. The Sophos example appears consistent with this principle of discrimination. Sophos X-Ops chose to deploy kernel implants only on devices that the collected telemetry identified as being used for exploit development or post-exploitation tooling. Similarly, Sophos showed discrimination throughout the life cycle of its campaign, for example, in decisions to target only devices operating trial licenses (i.e., enabling a probable assumption that they were not being used for production workloads) and to constrain collection activities to device boundaries (e.g., avoiding network scans and limiting collection to passive observation). These are careful, scope-limiting decisions that are hallmarks of responsible operations, whether the operators work for the government or private companies.
Based on Levy’s acknowledgement of the vendor’s responsibility to invest in operationalizability, specifically rigorous testing and staggered deployments, it is reasonable to assume that the kernel implants deployed to suspicious devices as part of Pacific Rim met the same standards of operationalizability and as such adhered to the principles of responsible operational design, engineering, and oversight. Finally, the described resort to guidance by legal counsel suggests as well that the Pacific Rim campaign aligned with those principles. The campaign also limited the use of target-facing automation—yet another example of restraint. The totality of these features observed in Pacific Rim suggests that Sophos conducted itself as a responsible actor according to this framework.
A third framework for understanding responsible cyber operations, elaborated by the International Institute for Strategic Studies’s Marcus Willett (a former senior U.K. cyber official), refers specifically to the behavior of state actors, but some operational guidance can be extracted from it for appraising Sophos’s conduct during the Pacific Rim campaign. This framework, like other proposed sets of principles, includes behaviors that are designed to prevent unintended consequences by acting in a discriminate and accountable manner in targeting and operating. The measures taken by Sophos show concern about addressing the harm that might emanate from their products to their customers and the internet ecosystem. Willett stipulates that responsible state actors in cyberspace should be mindful of the effects and side effects emanating from their own operations and territory. This is reinforced further by the patching principles discussed previously and the commitment to “secure by design” principles.
Willett’s framework stipulates that a responsible state cyber actor should collaborate with others to improve collective cybersecurity. During the Pacific Rim campaign, Sophos collaborated with various organizations, including law enforcement and national cyber defense agencies, to stop malicious activities and enable follow-on policy countermeasures, such as applying sanctions to the involved real-world entities. It also collaborated with other cybersecurity companies to assist their own investigations and alert other affected vendors (even when they were direct competitors to Sophos). Finally, Sophos’s transparency regarding its conduct—shown through its detailed reporting, deliberate use of clear terminology, and stated goal of advancing the debate on cyber norms—meets Willett’s requirement to encourage and participate in public debate about responsible operations in cyberspace.
While there is as yet no framework for responsible cyber operations intentionally elaborated for the private sector, it is clear that, according to the various models that have been articulated for states, Sophos’s campaign is strikingly consistent with a wide variety of principles for responsible cyber operations. The discussion that emerged because of Sophos’s transparent and detailed reporting helps move forward the public debate about how actors, public and private, should behave responsibly and accountably. State actors are limited in their ability to make similarly detailed and transparent disclosures about their actions because of operational secrecy and protection of their technical capabilities and other operational equities. Sophos’s account of Pacific Rim demonstrates that companies are arguably in a better position than are states to help put flesh on the bones of the existing concepts of responsible cyber operations.
Lessons for Active Defense
Pacific Rim holds lessons not only for the norms that should guide active cyber defense but also for the best practices for its effective employment by the private sector. Usually, “active cyber defense” (or “counter-cyber operations” or, more colloquially, “hacking back”) refers to executing offensive cyber operations to frustrate, remediate, or deny the effects of a threat actor’s operations, or to degrade or destroy that threat actor’s operational infrastructure, with the goal of ultimately turning the tables completely on the attackers, making them the victim and causing them to worry about protecting their own equities. The Pacific Rim disclosure adds nuance to public understanding of the operational design decisions required for counter-cyber operations and illuminates the ways in which private companies can navigate these decisions as responsible actors. It particularly demonstrates the value to private companies of adopting carefully crafted, intelligence-led, and proactive efforts to defend their products and services.
The Pacific Rim campaign should not be considered an offensive cyber operation because, on the tactical level, the implant deployed by Sophos was used for data collection—an intelligence function—with a stated goal of minimally interfering with the threat actor’s infrastructure, contrary to the offensive goals of denial, degradation, disruption, or destruction. But Pacific Rim arguably does meet the definition of “active cyber defense.” After all, the campaign’s declared objectives included denying the threat actor the exploitation and targeting of Sophos firewall devices by raising the associated costs.
The Pacific Rim campaign was a successful counter-cyber operation because of its outcome: It denied the threat actor targeted exploits. This was achieved by proactive discovery, based on intelligence collection and timely patching of underlying vulnerabilities, and by proactively mitigating malware by blocking its command-and-control traffic before deployment. This significantly raised costs for the threat actor, with development times per exploit going from mere days during the 2020 phase of the campaign to more than a year by 2022. Over a four-year campaign, Pacific Rim reportedly denied the threat actor nine zero-day vulnerabilities, seven rootkits (five of which were novel), and a bootkit. Finally, a further example of the impact of Sophos’s campaign of increasing adversary costs and denying its capability is arguably that the threat actor decided to change its tactics, techniques, and procedures (TTPs) by moving from exploiting presumably more prized zero-day vulnerabilities for the cultivation of an operational relay box (ORB) network to instead conserving those zero-day vulnerabilities for high-value targets, and moving to exploitation of one-day vulnerabilities against end-of-life, legacy Sophos devices for the ORB network. This underlines the dynamics of competition in cyberspace, with both Sophos and threat actors having to revise and refine tactics over time.
Alongside the impact of Sophos’s decisions about how to communicate its Pacific Rim experience publicly, the campaign’s wider lesson for responsible behavior by private companies in cyberspace is that, to achieve effects against adversaries, companies must take the initiative, combining intelligence-led, proactive effort with careful calibration and precision in execution. In a sense, the Pacific Rim campaign is an example of a private company fusing two approaches that emerged from the study of state actors in cyberspace: It applies the logic of “persistent engagement” while embracing the principles of “responsible cyber power.”
Conclusion
There are three important ways in which Sophos’s disclosure of the Pacific Rim campaign advances the conversation on private-sector active cyber defense. First, it expands the scope of what should be considered “counter-cyber operations” by adding improvements to product resilience and cyber-enabled intelligence collection from adversary infrastructure in support of capability denial. Second, the thoughtful and responsible design of the campaign itself addresses a common concern about the risks of active cyber defense, namely, the need to reduce the risk of unintended side effects, such as misidentification or misattribution. Additionally, by focusing only on devices manufactured by Sophos and used to harm its customers and by collaborating closely with governmental partners, Sophos was able to avoid another common concern about active cyber defense regarding the appropriate authorization of such operations. Finally, in its granular and transparent disclosure, Sophos provided a case study that promotes better fact-based discussions and illuminates how companies can conduct such operations with a strong focus on ensuring their accountability.
The Pacific Rim campaign disclosure is significant. It positions Sophos as a norm entrepreneur promoting accountable and responsible behavior, and successfully moves forward the wider discussion about active cyber defense. Importantly, Sophos achieved these feats while improving the security of its customers and the wider internet ecosystem by actively denying capabilities and resources to threat actors. The Pacific Rim campaign raises many additional issues, such as its possible effects on the field of cyber insurance and the policy ramifications of the control exhibited by Sophos over the devices it manufactured even after they were deployed to the customer. Additional research on these themes would similarly add to the evidence base and elaboration of what accountable, responsible, active cyber defense should be.