FBI wants more info on hackers behind Sophos exploitation after report on China’s intrusions
The FBI is asking the public for help in tracking down the people behind a series of intrusions involving the compromise of edge devices and networks used in the public and private sector.
A notice released Friday by the agency cites a recent series of reports from security firm Sophos, first covered by WIRED, that detail the company’s five-year stand-off with Chengdu-based cybersecurity researchers at Sichuan Silence Information Technology and the University of Electronic Science and Technology of China.
The China-based experts spent years researching vulnerabilities in Sophos products and handing some of them off to the Chinese government, which subsequently used the bugs in espionage operations launched by prolific hacking groups like APT41, APT31, and Volt Typhoon.
Sophos said that one vulnerability the researchers discovered — CVE-2020-12271 — affects the company’s XG Firewall product and was used in April 2020 by Chinese hackers to install the Asnarök malware. Sophos worked with European law enforcement in 2020 to track down and confiscate the server used to deploy the malware.
While the Sophos report does not reveal which organizations were impacted by CVE-2020-12271, the FBI said law enforcement agencies are looking for the hackers that used the bug and “allegedly created and deployed malware… as part of a widespread series of indiscriminate computer intrusions designed to exfiltrate sensitive data from firewalls worldwide.”
“The FBI is seeking information regarding the identities of the individuals responsible for these cyber intrusions,” the notice says.
In the lengthy reports, Sophos outlines a series of years-long surveillance, sabotage and cyberespionage campaigns targeting both small and large “critical infrastructure and government targets, primarily located in South and South-East Asia, including nuclear energy suppliers, a national capital’s airport, a military hospital, state security apparatus, and central government ministries.”
WIRED noted that a small number of victim organizations were based in Europe and the United States.
The incidents add fodder to government and expert concerns about China’s widespread infiltration of popular edge devices like routers, firewalls and VPN services.
For more than two years, teams across the U.S. government have sought to root out compromises of devices by Volt Typhoon actors, designed to have destructive consequences in the event of a military conflict.
“The reality is that edge devices have become highly attractive targets for Chinese nation-state groups like Volt Typhoon and others as they look to build operational relay boxes (ORBs) to obfuscate and support their activity,” said Ross McKerchar, CISO at Sophos.
“This includes directly targeting an organization for espionage, or indirectly leveraging any weak points for onward attacks — essentially becoming collateral damage. Even organizations that are not targets are getting hit. Network devices designed for businesses are natural targets for these purposes — they are powerful, always on, and have constant connectivity.”
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.