Hunter vs spy: How Sophos uncovered Chinese assault
‘Edge devices have become highly attractive targets for Chinese nation-state groups.’
‘Edge devices have become highly attractive targets for Chinese nation-state groups.’

As DigiPlus Interactive Corp. scales up its international expansion, the company has joined the Brazilian Institute of…

Finance Secretary Frederick Go announced that MySSS Card holders can avail of a two-week PISO Fare promotion as the…

The Philippine Stock Exchange Index (PSEi) fell 9.70 points, or 0.15 percent, to 6,256.02 on Tuesday, while the peso…

President Ferdinand Marcos Jr. extolled the MVP Group for investing in its Meralco Terra Solar Project in Nueva Ecija,…

Four years after ending nickel mining operations, Berong Nickel Corporation (BNC) is investing heavily in restoring its…

Recent advisories from United States Cybersecurity and Infrastructure Security Agency have made it clear that Chinese nation-state groups have become a perennial threat to nations’ critical digital infrastructure.
Photograph courtesy of Sophos
What's your take?
Google Preferred Sources
Get more Daily Tribune stories in your search results
Add Daily Tribune as a preferred source on Google Search.
In a revelation of modern cyber warfare, Sophos, a cybersecurity firm, has unveiled its “Pacific Rim” report that points to China as a usual source of cyberattack in the region.
The five-year investigation chronicles an intense digital chess match with multiple interlinked nation-state adversaries based in China, targeting critical infrastructure and government entities across South and Southeast Asia.
From nuclear energy suppliers to national capitals, the report exposes a sprawling campaign marked by stealth, persistence, and sophisticated tactics.
Digital battlefield unveiled
“After we successfully responded to the initial attacks, the adversaries escalated their efforts and brought in more experienced operators. We uncovered a vast adversarial ecosystem,” said Sophos, summarizing a relentless saga of intrusion and counter-defense.
The attackers utilized novel exploits, customized malware, and overlapping tactics with notorious groups like Volt Typhoon, APT31 and APT41. Their targets included military hospitals, airports, state security apparatus, and central government ministries — revealing a chilling focus on undermining societal pillars.
Cybersecurity playbook
Leading the charge was Sophos X-Ops, the company’s cybersecurity and threat intelligence unit. Armed with advanced detection and response techniques, X-Ops neutralized attacks while simultaneously gathering vital threat intelligence to preempt future operations.
“Edge devices have become highly attractive targets for Chinese nation-state groups. These devices — powerful, always on, and constantly connected — are exploited as operational relay boxes (ORBs) to obscure and support their activities,” Ross McKerchar, Sophos’ chief information security officer, said. “Even organizations that are not direct targets can become collateral damage.”
Sophos implemented hotfixes for its Firewall products, ensuring customers received rapid protection from emerging threats. The company also urged organizations to urgently patch internet-facing devices and replace unsupported models vulnerable to zero-day exploits.
A timeline of key discoveries
1) Cloud Snooper (2018): At Sophos’ India headquarters, a low-privileged computer connected to an overhead display began scanning the network. Investigators found a backdoor and complex rootkit, later dubbed “Cloud Snooper;”
2) Asnarök (2020): A malicious user interface mimicking Sophos surfaced, leading to a European law enforcement operation. Sophos neutralized the campaign, attributed to Chinese actors, by taking over its command-and-control infrastructure;
3) Advanced Tracking (Post-Asnarök): Sophos enhanced its capabilities with a new threat actor tracking program combining open-source intelligence, telemetry, and targeted kernel implants. This proactive approach preempted several attacks and unveiled tools like a UEFI bootkit and custom exploits; and
4) CVE-2022-1040 (2022): A zero-day vulnerability reported via Sophos’ bug bounty program was already being exploited in the wild. Sophos’ investigation connected the tip to adversaries, thwarting their operations and protecting customers.
Global collaboration needed
The report highlights the importance of cooperation between private companies, governments, and law enforcement. Sophos worked closely with organizations like the Cybersecurity and Infrastructure Security Agency (CISA) and NCSC-NL to share intelligence and disrupt adversarial operations.
Jeff Greene, executive assistant director for Cybersecurity at CISA, praised the effort: “Sophos’ Pacific Rim report provides invaluable insights into the evolving tactics of Chinese nation-state actors. Collaborative efforts like this are essential to defending global critical infrastructure.”
Sophos emphasizes the need for vigilance and proactive defense:
1) Minimize internet-facing devices and services;
2) Prioritize patching for vulnerabilities in edge devices;
3) Enable automatic updates for hotfixes;
4) Collaborate with public-private partnerships to share intelligence; and
5) Plan for end-of-life device replacement to avoid creating attack vectors.
McKerchar concluded, “We must work across sectors to strengthen defenses and eliminate weaknesses. Edge devices are top targets, and attackers are actively hunting for vulnerabilities. The time to act is now.”
Sobering warning
The “Pacific Rim” report is a clarion call for global cyber resilience. It highlights the evolving threat landscape and underscores the need for collaboration, vigilance, and relentless innovation in the face of determined adversaries. For organizations worldwide, the lesson is clear: in the shadowy world of cyber espionage, the best defense is a proactive and united offense.