Inside a Firewall Vendor's 5-Year War With the Chinese Hackers Hijacking Its Devices

British cybersecurity firm Sophos revealed this week that it waged a five-year battle against Chinese hackers who repeatedly targeted its firewall products to breach organizations worldwide, including nuclear facilities, military sites and critical infrastructure. The company told Wired that it traced the attacks to researchers in Chengdu, China, linked to Sichuan Silence Information Technology and the University of Electronic Science and Technology.

Sophos planted surveillance code on its own devices used by the hackers, allowing it to monitor their development of sophisticated intrusion tools, including previously unseen "bootkit" malware designed to hide in the firewalls' boot code. The hackers' campaigns evolved from mass exploitation in 2020 to precise attacks on government agencies and infrastructure across Asia, Europe and the United States. Wired story adds: Sophos' report also warns, however, that in the most recent phase of its long-running conflict with the Chinese hackers, they appear more than ever before to have shifted from finding new vulnerabilities in firewalls to exploiting outdated, years-old installations of its products that are no longer receiving updates. That means, company CEO Joe Levy writes in an accompanying document, that device owners need to get rid of unsupported "end-of-life" devices, and security vendors need to be clear with customers about the end-of-life dates of those machines to avoid letting them become unpatched points of entry onto their network. Sophos says it's seen more than a thousand end-of-life devices targeted in just the past 18 months.

"The only problem now isn't the zero-day vulnerability," says Levy, using the term "zero-day" to mean a newly discovered hackable flaw in software that has no patch. "The problem is the 365-day vulnerability, or the 1,500-day vulnerability, where you've got devices that are on the internet that have lapsed into a state of neglect."

Re:Yeah, we believe you

[i kan reed]

I do not think the CIA could make an ongoing attack believably look like it's from China if China cracked down on domestic platforms this hypothetical CIA was using.

IP Spoofing only gets you so far in terms of faking an attack's origin.

That is to say: if it was the CIA, China would still arguably be complicit by failing to act on abusive services within the country.

Our media loves kicking up a storm of, let's call them "dubious", claims about China any chance they can get but the evidence outlined in this article is hard to fake.

Re:

[nuckfuts]

It's pretty damned easy to trace where packets are coming from. And yes, a lot of malicious traffic does come from China. Anyone can fake the source address of their packets, but that only establishes one-way traffic from the faked address. (TCP/IP connections begin with a three-way handshake). One-way traffic is good enough for a DOS attack, but not very useful for interactive hacking on a device.

unsupported "end-of-life" devices?

[OffTheLip]

Seems like a firewall is not the sort of device that should just be unsupported by the manufacturer. Maybe they should build them to self destruct (auto-wipe) when no longer supported and the owner should be give a rebate for a supported product. Blame seems inappropriate here.

Re:

[XXongo]

Wow, you make planned obsolescence sound like a good thing!

Re:

[Anonymous Coward]

Planned obsolescence for your washing machine is dumb. Planned obsolescence for an enterprise network edge device is not dumb. Don't be afraid of a little nuance.

Re:

[Geoffrey.landis]

Planned obsolescence for your washing machine is dumb. Planned obsolescence for an enterprise network edge device is not dumb. Don't be afraid of a little nuance.

And deliberate obsolescence is absolutely brilliant for profit margin!

Re:

[smooth wombat]

Because who doesn't want their firewall to suddenly go down in the middle of the night because it's reached EOL. What a fantastic concept.

Re:

[OffTheLip]

I was assuming the owner of the product would have been sufficiently warned in advance their device was going off-line. Maybe the manufacturer could use the Microsoft EOL nagging method as a model. A firewall that is not supported and known to be vulnerable is not the answer and going down in the middle of the night would secure the network better than the vulnerable device.

Re:

[ceoyoyo]

You're running a nuclear fuel factory or something and you have the choice between an unpatchable firewall with known vulnerabilities or no Internet connection. Hm....

Of course, there's a third option. Don't buy expensive "appliances" from companies that don't support them.

Re:

[ctilsie242]

I'd say it depends on what is agreed on beforehand. Both states suck, either a firewall running unpatched, or a firewall rendered inoperative because of that.

The solution, after the firewall goes EOL, open source everything. This way, at least either the client, or someone can maintain the older devices so they have some semblance of use.

However, in some cases security is critical over functionality, but, IMHO, part of the agreement might be having the service and update plan also covers replacement equip

State of neglect

[Nicholas Schumacher]

Kind of ironic that Sophos talks about devices in a state of neglect, when their firewall product is still running on a 4.14 linux kernel.

Re:

[zlives]

not trying to defend sophos, but if it is custom os with all mitigations in place...

Re:

[SwashbucklingCowboy]

Doesn't matter how old the software is, matters how maintained it is. It they properly maintain it then it's fine. If not, then it's not fine.

Interesting quote

[joe_frisch]

From the article, " The company went as far as discreetly installing its own “implants” on the Chinese hackers' Sophos devices to monitor and preempt their attempts at exploiting its firewalls."

Doesn't the company's ability to do that represent a security hole? It means that their devices must include the capability for remote access that is invisible to the end user.

Re:

[TheNameOfNick]

"Updates". If that capability surprises you, you must have found a very nice rock to live under.

Re:

[joe_frisch]

I understand that its difficult or impossible to design in a way to prevent that, but a vendor actually using that capability to spy on the actions of a customer is extremely concerning, no matter how "valid" their reasons were.

It seems like a good motivation for using only open-source firmware that is compiled locally.

Re:Interesting quote

[Fly Swatter]

Any firmware update is a potential security hole, so in that sense yes. Presumably the hackers would be wanting to run the latest firmware on their test hardware to test their exploit code against the latest, so they would leave auto updates on... then the update servers can just send different firmware to known suspect ip address ranges.

The Fiendish Plot of Dr. Fu Manchu

[Mirnotoriety]

What does a firewall do?

Why do we need one?

“Inside the counter-offensive tactics, techniques, and procedures used to neutralize China-based threats”
--

Insert anti-commie cyber BS /s

Certain?

[barcarolle]

Are they certain it's coming from China? History has shown this crap can be misdirected.