Site icon c9Journal

FBI Calls for Public Assistance in Tracing Chinese Hackers

FBI Calls for Public Assistance in Tracing Chinese Hackers

An Urgent Global Alert by the FBI

The U.S. Federal Bureau of Investigation (FBI) has issued a worldwide call for information to identify individuals behind a series of sophisticated cyber intrusions that have breached edge devices and computer networks across various sectors, including corporate and government entities.

This follows an expansive investigation into Advanced Persistent Threat (APT) activities attributed to Chinese state-sponsored hacking groups such as APT31, APT41, and Volt Typhoon. The FBI highlighted that these actors deployed malware exploiting known vulnerabilities like CVE-2020-12271 in firewall technologies to exfiltrate sensitive data.

This call for public cooperation comes amid revelations from cybersecurity firms, notably Sophos, which detailed persistent attacks stretching from 2018 to 2023. These campaigns, dubbed Pacific Rim, involved exploiting security loopholes in Sophos firewall systems. Attackers leveraged both zero-day and publicly known vulnerabilities to infiltrate critical infrastructure networks in regions such as South and Southeast Asia.

A Pattern of Persistent and Sophisticated Breaches

Investigations revealed that attackers targeted a diverse array of organizations, ranging from military hospitals and nuclear energy providers to airports and state ministries. In many cases, initial access was gained by exploiting vulnerabilities such as CVE-2020-15069, CVE-2020-29574, CVE-2022-1040, and CVE-2022-3236. These breaches allowed attackers to install malware and maintain long-term access for surveillance, espionage, and potential sabotage.

From 2021 onwards, the tactics evolved, transitioning from widespread attacks to precise, hands-on operations that manually engaged with compromised networks. These highly targeted operations focused on sectors critical to national security, such as governmental agencies, healthcare providers, financial institutions, and research bodies.

One particularly concerning tool used in these breaches was a rootkit known as Pygmy Goat. This malware, disguised as a shared object (libsophos.so), provided the attackers with stealthy, persistent backdoor access to compromised Sophos XG Firewalls.

Sophos identified that Pygmy Goat’s capabilities included responding to custom ICMP packet signals, enabling the malware to establish a SOCKS proxy or create reverse shell connections at the attackers’ discretion. The structured and clean code of the malware suggests the work of experienced developers. Analysis pointed to a group internally referred to as Tstark, believed to be associated with the University of Electronic Science and Technology of China (UESTC) in Chengdu. This institution is known for its strong affiliations with the state and involvement in cybersecurity research.

Further probing revealed that some malware deployments coincided with reports of “suspicious yet valuable” bug bounty submissions from Chengdu-linked entities before being exploited in real-world attacks. This highlighted a strategic move where research findings on vulnerabilities were passed from academic circles to state-sponsored hacking teams, reinforcing a state-mandated system for vulnerability disclosure and exploitation.

Implications for Global Cybersecurity

The scale of these cyber intrusions aligns with broader assessments by global security agencies. The Canadian Centre for Cyber Security reported that over the past four years, at least 20 government networks had been compromised by Chinese actors to support Beijing’s strategic objectives. This includes the collection of sensitive communications and proprietary corporate data to bolster China’s economic and diplomatic leverage. There are also allegations of using such intrusions for transnational repression, particularly targeting minority groups and political activists.

This latest wave of targeted cyber operations underscores an alarming trend where state-affiliated cyber units collaborate with research institutions to craft sophisticated cyber tools. The increasing reliance on edge devices as entry points stresses the need for robust cybersecurity measures to defend against evolving tactics. The FBI’s call for public assistance underscores the severity and complexity of countering these persistent cyber threats, marking a significant moment for international cooperation in cybersecurity defense.


The described events serve as a stark reminder of the ongoing cyber arms race where nation-states seek to leverage digital intrusions to achieve strategic gains. Organizations worldwide are urged to review their cybersecurity postures, especially those using vulnerable devices like the Sophos XG Firewalls, and adopt best practices to fortify their defenses against these persistent and sophisticated cyber adversaries.



Exit mobile version