Sophos’ Pacific Rim Investigation: Three Major Takeaways

As we close out the year, we are reflecting on some of our significant moments impacting the industry in 2024. One was unveiling, on Oct. 31, the details of a defensive and counter-offensive investigation into nation-state adversaries based in China. The investigation, which Sophos named “Pacific Rim,” spanned five years and involved persistent attacks on Sophos devices.

Then, on Dec. 10, the Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned the Chinese cybersecurity company Sichuan Silence Information Technology Company, which Sophos has linked to much of the exploit research and development in Pacific Rim. In addition, the Department of Justice unsealed an indictment against Guan Tianfeng, a man the indictment linked to pieces of the malicious activity in the Pacific Rim investigation. “If Sophos had not rapidly identified the vulnerability and deployed a comprehensive response, the damage could have been far more severe. Sophos’s efforts combined with the dedication and expertise of our cyber squad formed a powerful partnership resulting in the mitigation of this threat,” said Special Agent in Charge Herbert J. Stapleton of the FBI Indianapolis Field Office.

In light of continued attacks by Chinese nation-state groups like Volt Typhoon, which has continued to target U.S. infrastructure, here are three major takeaways from our five-year investigation.

Transparency, transparency, transparency

Sophos has long believed in the importance of transparency because, without it, it’s infinitely harder to build trust with customers. And part of being transparent is being honest about vulnerabilities and how they impact customers. Throughout the past five years, we shared information about individual attacks. However, we felt it was important to tell the full story, not just in the interest of transparency for our customers but in the interest of sharing our knowledge about how these adversaries in China are operating.

Unfortunately, state-sponsored groups in China continue to run a highly resourced, persistent effort to compromise any and all edge devices to infiltrate critical infrastructure and conduct cyberespionage campaigns. To help disrupt these attackers, security vendors need to be transparent with customers—and with each other. We need to pool and share our knowledge and experiences. We hope Sophos’ Pacific Rim initiative inspires other security vendors to similarly prioritize transparency.

Digital detritus is a real problem we need to start talking about

Digital detritus refers to the growing accumulation of outdated devices, unpatched software, and discarded data that results from our increasingly digital lives. It is, in many ways, the cyber world's parallel to the Great Pacific Garbage Patch—an expansive but often unseen mass of obsolete technology and vulnerabilities, quietly deteriorating over time.

Sophos CEO Joe Levy recently weighed in on this phenomenon, offering his perspective on the ongoing investigation into digital waste and outlining the critical responsibilities of cybersecurity vendors. He emphasized the need for greater transparency in the industry and stressed that leading by example is essential to addressing this issue. “It is no exaggeration to say that improvement is a matter of great importance to our economy, our national security, and the welfare of citizens worldwide,” said Sophos CEO Joe Levy.

Not only are edge devices increasingly under attack by China-based adversaries, but the proliferation of end-of-life edge devices is leaving companies wide open to attack. The next step in securing organizations against these adversaries is creating plans for retiring EOL devices.

Re-defining the targets of nation-states

Different countries have different definitions of critical infrastructure, and the prevailing intuition is that organizations that fall under the umbrella of critical infrastructure tend to be larger organizations or enterprises. In addition, nation-states have traditionally prioritized larger organizations for their attacks. However, we may need to rethink this.

As we saw in the first phase of Pacific Rim, when adversaries were building operational relay boxes (ORBs), any and all companies with vulnerable edge devices could be a target—no matter their size. And, while some of these companies may not be water treatment facilities or power plants, they may still provide crucial services or components to what we traditionally think of as critical infrastructure. Many small and medium-sized businesses (SMBs) are either part of, or “suppliers” to, the nation’s critical infrastructure.

The tactics, techniques and procedures (TTPs) of China-based state-sponsored groups have widened the victim pool, and we need to find ways to support smaller companies in staying secure against these persistent threat actors.


The threat from state-sponsored groups will continue in 2025, and Sophos hopes to continue building on the lessons learned from Pacific Rim to support our customers and the security industry at large by defending against these attackers.

Said Ross McKerchar, CISO: “The scale and persistence of Chinese nation-state adversaries pose a significant threat to critical infrastructure, as well as unsuspecting, everyday businesses, as noted in Sophos’ Pacific Rim investigation report. Their relentless determination redefines what it means to be an Advanced Persistent Threat; disrupting this shift demands individual and collective action across the industry, including with law enforcement. We can’t expect these groups to slow down if we don’t put the time and effort into out-innovating them, and this includes early transparency about vulnerabilities and a commitment to develop stronger software.”

Watch Inside Pacific Rim with Sophos on YouTube: https://www.youtube.com/playlist?list=PLKnm0NFN_gbnb0hNNadPKwFQV75MSnngY

Sophos’ Pacific Rim Investigation reveals key insights from a 5-year defensive and counter-offensive operation against China-based adversaries. Three major takeaways: 1) Sophisticated and stealthy attacks targeting critical infrastructure. 2) Evolution of tactics from widespread to highly targeted operations. 3) Importance of timely patches and updates to defend against zero-day exploits. A must-read for cybersecurity professionals! #Cybersecurity #Sophos #PacificRim

Mark Yoshikawa

Freelance Cloud Security Architect | Strategic Innovator | Technical Leader

2 months

Very descriptive and accurate term: Digital Detritus! Bravo


Interesting read! A lot of vendors can learn from how Sophos has managed these attacks.

Doña Marie Marhoumy

ISC2 NJ Chapter Member -Passionate learner with 30 years as a Business Owner & Director of Operations. Skilled in identifying inefficiencies and implementing solutions. Pursuing lifelong goal of working in Cybersecurity.

2 months

So crucial!! So true!! Thank you.

