The FBI is asking for public help in identifying the hackers behind a years-long campaign targeting Sophos edge devices.
The campaign, which Sophos itself disclosed last week and which dates back to at least 2018, has been attributed to China-linked advanced persistent threat (APT) actors including APT41, APT31, and Volt Typhoon.
In these attacks, the APTs exploited multiple zero-day vulnerabilities in internet-facing devices to gain initial code execution, then chained additional exploits to deploy malware with root privileges on the compromised devices.
“Beginning in early 2020 and continuing through much of 2022, the adversaries spent considerable effort and resources in multiple campaigns targeting devices with internet-facing web portals,” Sophos said.
One of the zero-days, tracked as CVE-2020-12271 and affecting Sophos’ XG Firewall, was exploited in April 2020 to deploy the Asnarök malware. Working with European law enforcement, the company took down the server hosting the malware.
Sophos says that, for over half a decade, it has been fighting a cat-and-mouse battle with the Chinese hackers, deploying a custom implant to monitor the attackers’ movements and identify their exploits and TTPs.
While Sophos did not share information on any of the organizations that might have been compromised in these attacks, the FBI says that both private companies and government entities have fallen victim to the intruders.
“As described by Sophos Ltd. in a recently released cyber security report, on April 22, 2020, an Advanced Persistent Threat group allegedly created and deployed malware (CVE-2020-12271) as part of a widespread series of indiscriminate computer intrusions designed to exfiltrate sensitive data from firewalls worldwide. The FBI is seeking information regarding the identities of the individuals responsible for these cyber intrusions,” the FBI said in a notice (PDF) on Friday.
The agency encourages anyone with information on the attackers to contact it via messaging services such as WhatsApp, Signal, and Telegram, through a local FBI office, US embassy, or consulate, or by submitting a tip online.
The UK’s National Cyber Security Centre (NCSC) has published technical documentation on Pygmy Goat, a sophisticated backdoor that has been planted on hacked Sophos XG firewalls.