This report and the associated posts by Sophos, collectively referred to as “Pacific Rim,” detail a multi-year campaign against Chinese nation-state actors targeting Sophos firewalls and other network devices.

The reports highlight the concept of Digital Detritus and its impact on the cybersecurity landscape. This term refers to the accumulation of outdated and unpatched hardware and software that presents a growing threat to cybersecurity.

The Problem of Digital Detritus

Digital Detritus arises from a combination of factors:

  • Infrastructure Inertia: Customers extend the lifespan of their hardware and software to maximise their investment, leading to devices remaining in operation long after they are no longer supported with security updates. This tendency is amplified by the lack of “status” associated with owning the latest network infrastructure, unlike consumer products like phones or cars.
  • Misaligned Incentives: Vendors face financial constraints in providing indefinite support for older products, leading to a gap between buyer expectations for longevity and vendor capabilities to maintain security.
  • Evolving Threats: Vulnerabilities that might have been less critical in the past become increasingly “unforgivable” as attackers discover new ways to exploit underlying flaws.

The result is an expanding attack surface for adversaries who can exploit these vulnerabilities for malicious purposes.

Case Study: Sophos’s “Pacific Rim” Campaign

Sophos’s “Pacific Rim” case study provides a real-world example of the dangers posed by Digital Detritus. The reports document a series of attacks by Chinese nation-state actors targeting Sophos firewalls, starting with a 2018 intrusion into the India office of Cyberoam, a company that Sophos had acquired.

The attackers utilised various tactics, including:

  • Exploiting zero-day vulnerabilities to gain initial access to devices.
  • Deploying bespoke malware, including rootkits.
  • Sabotaging telemetry systems to evade detection and hinder response efforts.
  • Stealing credentials to gain access to internal networks and move laterally within target organisations.

These attacks targeted a wide range of organisations, including government agencies, critical infrastructure providers, and businesses across various sectors.

Key Takeaways

Sophos’s experience highlights several important lessons for companies:

  • Network Devices are High-Value Targets: Edge network devices like firewalls are increasingly targeted by sophisticated adversaries for both initial access and persistence.
  • State-Sponsored Attacks Target All Organisations: Targeting is no longer limited to high-value espionage targets. Attackers may use compromised devices as operational relay boxes (ORBs) to obfuscate the origin of attacks, or target organisations within critical infrastructure supply chains for potential disruption.
  • Opt-Out is No Longer an Option: Vendors and their customers must work together to ensure that devices are patched promptly, secure configurations are adopted, and robust authentication measures are in place.
  • No Compromise is Unimportant: Even minor compromises can reveal larger, more sophisticated campaigns. Defenders must thoroughly investigate all incidents and pursue every lead.

Mitigating the Risks of Digital Detritus

Addressing the Digital Detritus problem requires a collaborative approach involving both vendors and customers.

Vendors should:

  • Embrace “Secure by Design” principles: Building security into products from the outset makes it easier for customers to maintain a strong security posture.
  • Provide clear end-of-life policies: Setting realistic expectations for product lifecycles and offering support for secure decommissioning or upgrading of devices is crucial.
  • Improve telemetry and analytics: This allows for better visibility into the security status of deployed devices and provides insights into potential threats.
  • Proactively engage with customers: Reaching out to customers with outdated devices and encouraging them to update or upgrade to supported versions is essential.

Customers should:

  • Prioritise patching and updates: Applying security patches and updates promptly addresses known vulnerabilities.
  • Adopt secure configurations: Minimising the attack surface by disabling unnecessary features and services, especially those exposed to the internet, is key.
  • Implement strong authentication: Employing robust multi-factor authentication, particularly for administrative accounts, prevents unauthorised access.
  • Engage with vendors: Stay informed about security advisories and end-of-life policies for deployed products.