Sophos Reveals Sophisticated Chinese State-Sponsored Attacks on Global Networks

A series of malicious cyber attacks has been linked to Chinese state-sponsored groups, including APT31, APT41, and Volt Typhoon. The attacks, known as Pacific Rim, aimed to exfiltrate sensitive data from firewalls worldwide and compromise devices in critical infrastructure, government facilities, and research organizations.

The attacks began in late 2018, when Sophos detected a cyber-attack on its Indian subsidiary Cyberoam. Since then, the malicious activity has targeted critical infrastructure and government facilities of all sizes, primarily in South and Southeast Asia. The attackers have used multiple zero-day vulnerabilities to compromise devices and deliver payloads both to the device firmware itself and to hosts on the organization’s LAN.

In 2021, the attackers shifted focus from widespread, indiscriminate attacks to narrowly targeted “hands-on-keyboard” intrusions against specific entities, including government agencies, critical infrastructure, research organizations, healthcare providers, retail, finance, military, and public-sector organizations. They also used a sophisticated backdoor called Pygmy Goat, which lets the actor interact with a compromised device on demand while blending in with normal network traffic.

The use of Pygmy Goat was observed between March and April 2022 on a government device and a technology partner, and again in May 2022 on a machine in a military hospital based in Asia. The deployment of Pygmy Goat has been attributed to a Chinese threat actor internally tracked by Sophos as Tstark.

Sophos has countered the campaigns by deploying bespoke kernel implants on devices owned by Chinese threat actors and used to carry out exploit research, including machines owned by Sichuan Silence Information Technology’s Double Helix Research Institute. The company has also observed a pattern, on at least two occasions, of receiving suspicious bug bounty reports from individuals with ties to Chengdu-based research institutions before the reported vulnerabilities were used maliciously.

The findings highlight the significance of active vulnerability research and exploit development in the Sichuan region, the results of which are then passed on to various Chinese state-sponsored frontline groups. This has implications for national security, as Chinese cyber threat actors have compromised and maintained access to multiple government networks over the past five years, collecting communications and other valuable information.

The attacks coincide with a threat assessment from the Canadian Centre for Cyber Security that revealed at least 20 Canadian government networks have been compromised by Chinese state-sponsored hacking crews over the past four years. The attackers are also accused of targeting private sector organizations to gain a competitive advantage by collecting confidential and proprietary information, alongside supporting “transnational repression” missions.
Source: https://thehackernews.com/2024/11/fbi-seeks-public-help-to-identify.html?m=1