Five Years of Attacks: Sophos X-Ops Exposes Chinese Cyber Groups’ Tactics
Sophos X-Ops has concluded an extensive investigation into the attacks orchestrated by Chinese cyber groups, who for the past five years have persistently targeted network devices worldwide. The primary focus of the attackers has been firewalls and remote access systems. Sophos analyzed the methods used in these breaches and issued security recommendations and updates.
The series of attacks began in December 2018, when attackers gained access to a device within the Indian branch of Cyberoam. Exploiting weak security configurations, the hackers initiated network scanning and identified a means of intrusion. Later, in 2020, the Asnarök vulnerability (CVE-2020-12271, CVSS score: 10.0) was discovered, allowing attackers to obtain root access to devices and install a Trojan capable of covertly controlling the system while bypassing standard defenses.
In response to the threat, Sophos released updates and integrated telemetry sensors into devices, enabling better monitoring of hacker activity. In April 2020, Sophos also detected a new wave of attacks through another vulnerability—CVE-2020-15069 (CVSS score: 9.8) in the Sophos XG Firewall. Attackers exploited this flaw to deploy malware on devices with a WAN interface, granting them undetected access.
Since 2021, Chinese hackers have been selecting specific targets, focusing their attacks on government institutions and critical infrastructure in the Asia-Pacific region. In March 2022, Sophos identified a new vulnerability in Sophos Firewall—CVE-2022-1040 (CVSS score: 9.8), which allowed attackers to bypass security measures and gain full access to devices. This flaw was used to install a specialized rootkit, capable of covertly intercepting commands and enabling remote control.
In 2022, Sophos encountered a new approach—attacks became increasingly stealthy, using proxy chains to obscure the origin of the threats. The latest attacks, termed Covert Channels, enabled hackers to steal credentials and execute scripts that disrupt network functionality.
Sophos collaborated with international organizations and national cybersecurity centers to counter these threats. The company released updates to protect devices and shared indicators of compromise (IoCs) to help organizations proactively secure their networks against such attacks.