This episode of Darknet Diaries recounts a multi-year cyberattack campaign by Chinese state-sponsored hackers against Sophos, a cybersecurity company. The attackers stole source code, exploited multiple zero-day vulnerabilities in Sophos firewalls, and targeted critical infrastructure, forcing Sophos to deploy secret implants for defense. It highlights the ethics of vendor transparency and the asymmetric war between a company and a nation-state.
Summarized by Podsumo
Chinese threat actors stole source code from Sophos's Cyberoam subsidiary and used it to discover multiple zero-day vulnerabilities in Sophos XG firewalls.
Sophos deployed a secret 'kernel implant' on hackers' own firewalls to spy on their activities, an ethically gray area they later publicly justified.
The attackers infected over 80,000 firewalls with malware and used fake update domains to control them, prompting Sophos to push emergency hot fixes.
Sophos identified and named seven actors, including G Big Mao (real name Guanxian Feng), who is now on the FBI's most wanted list.
The campaign escalated from mass exploitation to highly targeted attacks against governments and human rights organizations, especially in the Asia-Pacific region.
"The amount of effort involved in pivoting from this to this to this to get into this and then to build this like backdoor that allows them access, it's amazing to me."
"We had visibility that was just unreal. I remember like at one point we saw one of the actors searching for a flat. So we started to work out that he was looking for a flat. Like he was a normal dude."
"If you're a company which is making changes to the customer's products but they're not telling them and secretly adding spyware... then I think you might be evil."