Sophos Firewall hack on government network used an all-new custom malware
- Security researchers from UK’s NCSC share more details about the tools used in Pacific Rim
- Pygmy Goat is a competent backdoor likely used by the Chinese
- Even the FBI is asking for help to identify the crooks
For the past five years, the Chinese have been targeting edge devices belonging to government agencies and departments in the US and elsewhere in the West in an operation dubbed “Pacific Rim” – and we now have more details about the tools they used, and what those tools allowed the attackers to do.
Pacific Rim mainly targeted Sophos XG firewalls with the goal of cyber-espionage and data exfiltration, and it was most likely conducted by multiple Chinese-speaking threat actors, including the infamous Volt Typhoon.
In late October 2024, the UK National Cyber Security Centre (NCSC) published a report stating that a new Linux malware named “Pygmy Goat” was used in these attacks. “Pygmy Goat is a native x86-32 ELF shared object that was discovered on Sophos XG firewall devices, providing backdoor access to the device,” the document’s summary reads.
Pygmy Goat
Pygmy Goat is a sophisticated network implant: it disguises malicious traffic as legitimate Secure Shell (SSH) connections to evade detection, and it also supports covert command-and-control over encrypted Internet Control Message Protocol (ICMP) packets, adding a further layer of obfuscation. In terms of capabilities, it gives the attackers persistent remote access to and control of the firewall, letting them manipulate infected devices stealthily and potentially pivot into the broader network behind them.
Technical details about the code, infections, and more, can be found in the paper here.
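The NCSC report describes the ICMP channel only at the level above, so the following is an added illustration rather than anything from the report or from Sophos: a small defender-side heuristic that parses raw ICMP echo packets, verifies the ICMP checksum, and flags echo traffic whose payload does not look like an ordinary ping (the fixed 56-byte timestamp-plus-0x10..0x3f pattern sent by Linux iputils ping, or the 32-byte "abcdefghijklmnopqrstuvwabcdefghi" pattern sent by Windows ping). Oversized, high-entropy payloads, which is what an encrypted covert channel tends to look like on the wire, are flagged as suspicious. The sample packets, thresholds and the `classify_echo`/`scan` names are all constructed for this example.

```python
import math
import struct

ECHO_REPLY, ECHO_REQUEST = 0, 8
LINUX_PATTERN = bytes(range(0x10, 0x40))              # 48 bytes after the 8-byte timestamp
WINDOWS_PATTERN = b"abcdefghijklmnopqrstuvwabcdefghi"  # Windows ping payload (32 bytes)
ENTROPY_THRESHOLD = 7.0   # bits per byte; constructed threshold for this example
LARGE_PAYLOAD = 64        # bytes; larger than any standard ping payload


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the ICMP header plus payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(ident: int, seq: int, payload: bytes, icmp_type: int = ECHO_REQUEST) -> bytes:
    """Construct an ICMP echo packet with a correct checksum (used to build sample input)."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; encrypted data approaches 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def classify_echo(packet: bytes) -> tuple:
    """Return (verdict, reason) for one raw ICMP packet (IP header already stripped)."""
    if len(packet) < 8:
        return ("malformed", "shorter than the 8-byte ICMP header")
    icmp_type, code, csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    if icmp_type not in (ECHO_REQUEST, ECHO_REPLY):
        return ("ignored", "not an echo request/reply")
    # Recompute the checksum with the checksum field zeroed.
    if icmp_checksum(packet[:2] + b"\x00\x00" + packet[4:]) != csum:
        return ("suspicious", "ICMP checksum does not verify")
    payload = packet[8:]
    if len(payload) == 56 and payload[8:] == LINUX_PATTERN:
        return ("benign", "matches Linux ping payload pattern")
    if payload == WINDOWS_PATTERN:
        return ("benign", "matches Windows ping payload pattern")
    if len(payload) > LARGE_PAYLOAD and shannon_entropy(payload) > ENTROPY_THRESHOLD:
        return ("suspicious", "large high-entropy payload (possible encrypted channel)")
    return ("unknown", "non-standard payload of %d bytes" % len(payload))


def scan(packets: dict) -> list:
    """Classify a mapping of name -> raw packet; returns [(name, verdict, reason), ...]."""
    return [(name, *classify_echo(pkt)) for name, pkt in packets.items()]


# Constructed sample traffic (not captured from any real incident).
_timestamp = struct.pack("!Q", 1733300000)
_opaque = bytes((i * 73 + 41) % 256 for i in range(200))   # deterministic, high-entropy bytes
_tampered = bytearray(build_echo(0x1234, 3, _timestamp + LINUX_PATTERN))
_tampered[-1] ^= 0xFF                                       # corrupt one payload byte

SAMPLE_PACKETS = {
    "linux_ping": build_echo(0x1234, 1, _timestamp + LINUX_PATTERN),
    "windows_ping": build_echo(0x0001, 1, WINDOWS_PATTERN),
    "covert_channel": build_echo(0xBEEF, 7, _opaque, ECHO_REPLY),
    "bad_checksum": bytes(_tampered),
    "odd_short": build_echo(0x0002, 1, b"hello"),
}

if __name__ == "__main__":
    for name, verdict, reason in scan(SAMPLE_PACKETS):
        print("%-15s %-10s %s" % (name, verdict, reason))
```

Run on real traffic, this would sit behind a packet capture that strips the IP header first; the point is that echo payloads are normally boring and fixed, so anything that is not one of the known benign shapes deserves a second look, and a checksum that fails to verify is itself an indicator of hand-crafted packets.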
While the document does not discuss the threat actors using Pygmy Goat, BleepingComputer notes that the tactics, techniques, and procedures (TTPs) align with those of a piece of malware called “Castletap”, which was used by Chinese state-sponsored groups. Sophos, on the other hand, said the same rootkit was used in 2022 by another Chinese group dubbed “Tstark”.
Pacific Rim was a major hacking operation that even drew the attention of the FBI, who recently asked the public to help them identify the attackers.
Via BleepingComputer