The Security Ledger Podcast
Pacific Rim: Sophos’ 6 Year Battle To Beat Back China State Hackers

Update: 2024-11-21

Description



In this episode of The Security Ledger Podcast (#259), Paul speaks with Ross McKerchar, the CISO of Sophos, about the company’s recent, headline-grabbing report on a six-year, state-sponsored hacking campaign it dubbed Pacific Rim. Ross talks about the company’s dawning awareness of the extent and sophistication of the operation, and about its use of a targeted software implant to monitor the workings of the state-sponsored group and stay a step ahead of the hackers’ efforts to breach Sophos and its customers.
After so many decades writing about hair-raising cyber attacks, it is easy to get jaded and hard to be impressed. And then something like the Pacific Rim report comes along. Released last month by the UK-based cybersecurity firm Sophos, Pacific Rim is an eye-opening account of a years-long battle with persistent, sophisticated hackers based in China who were determined to compromise Sophos and use that access to target the company’s customers.







Ross McKerchar is the CISO at Sophos.





A six-year stealth campaign







The Sophos Pacific Rim report paints a detailed picture of a relentless, nation-state-level cyber assault that was years in the making. The attack, carried out by a well-resourced group of PRC-based actors, was not a conventional one-off breach but a protracted, six-year campaign spanning many entities and software assets across regions. It began in India with the compromise of a low-privileged computer driving a wall-mounted display at Cyberoam, a company Sophos had acquired. From there, the attackers used living-off-the-land techniques to move into other systems, exploiting vulnerabilities to reach sensitive areas, all the while displaying tradecraft far beyond low-skill script-kiddie tactics and raising concerns about the breadth of their capabilities.







ORBs and AWS: China’s sophisticated hacking techniques







In this podcast, I sat down with Ross McKerchar to dig into the Pacific Rim incident. Ross and I talk about his company’s quick realization that what appeared to be a run-of-the-mill intrusion onto Cyberoam’s network was much more: one branch of a global campaign by Chinese-backed hacking groups to gain access to a wide range of sensitive targets, from tech firms to critical infrastructure providers to government agencies and embassies.







Ross and I discuss the evolution of attack methodologies by China-based threat groups, as well as the many characteristics that made Pacific Rim stand out, such as the attackers’ use of cutting-edge, cloud-based management tooling like AWS Systems Manager (SSM) to extend their reach inside compromised environments, and their use of “ORBs” (operational relay boxes), a kind of purpose-built botnet of compromised devices that hacking groups use as infrastructure for launching and relaying further attacks.
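The point about AWS SSM is the one a defender can act on directly: a legitimate remote-management agent gives an intruder who controls an IAM principal a command channel that looks like ordinary operations. The script below is an added example written for this page, not tooling from Sophos or from the report; it audits CloudTrail records for the two SSM calls that execute on hosts, `SendCommand` and `StartSession`, and flags any that come from a principal outside an allowlist, from a source IP outside corporate ranges, or that target instances not in the managed fleet. The records, ARNs, instance IDs, addresses and the policy are all constructed for the example, though the CloudTrail field names and event names are the real ones.

```python
import ipaddress
import json

# SSM API calls that actually run something on a managed host. Other SSM
# calls (DescribeInstanceInformation, GetParameter, ...) are ignored here.
SSM_EXEC_EVENTS = {"SendCommand", "StartSession"}

# Constructed policy for the example (hypothetical account, role and fleet).
POLICY = {
    "allowed_principals": {"arn:aws:iam::111122223333:role/ops-automation"},
    "corporate_cidrs": ["203.0.113.0/24", "198.51.100.0/24"],
    "managed_instances": {"i-0aaa111", "i-0bbb222"},
}

# Constructed CloudTrail export in the real CloudTrail JSON shape. The
# second and third records are the ones a hunter should be looking at.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventSource": "ssm.amazonaws.com", "eventName": "SendCommand",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/ops-automation"},
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"documentName": "AWS-RunShellScript",
                           "instanceIds": ["i-0aaa111"]}},
    {"eventSource": "ssm.amazonaws.com", "eventName": "SendCommand",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor-temp"},
     "sourceIPAddress": "198.51.100.77",
     "requestParameters": {"documentName": "AWS-RunShellScript",
                           "instanceIds": ["i-0aaa111", "i-0bbb222"]}},
    {"eventSource": "ssm.amazonaws.com", "eventName": "StartSession",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/ops-automation"},
     "sourceIPAddress": "192.0.2.5",
     "requestParameters": {"target": "i-0ccc333"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/ops-automation"},
     "sourceIPAddress": "203.0.113.10", "requestParameters": {}},
]})


def ssm_targets(record):
    """Instance IDs an SSM execution event acts on.

    SendCommand carries requestParameters.instanceIds (a list);
    StartSession carries requestParameters.target (one ID).
    """
    params = record.get("requestParameters") or {}
    if record.get("eventName") == "SendCommand":
        return list(params.get("instanceIds") or [])
    if record.get("eventName") == "StartSession":
        return [params["target"]] if params.get("target") else []
    return []


def audit_ssm_events(cloudtrail_json, policy):
    """Return one finding per suspicious SSM execution event, in log order."""
    allowed = set(policy["allowed_principals"])
    corp_nets = [ipaddress.ip_network(c) for c in policy["corporate_cidrs"]]
    fleet = set(policy["managed_instances"])
    findings = []
    for rec in json.loads(cloudtrail_json)["Records"]:
        if (rec.get("eventSource") != "ssm.amazonaws.com"
                or rec.get("eventName") not in SSM_EXEC_EVENTS):
            continue
        principal = (rec.get("userIdentity") or {}).get("arn", "")
        src = rec.get("sourceIPAddress", "")
        reasons = []
        if principal not in allowed:
            reasons.append("principal not allowlisted")
        try:
            if not any(ipaddress.ip_address(src) in n for n in corp_nets):
                reasons.append(f"source {src} outside corporate ranges")
        except ValueError:
            # Calls made by an AWS service on a principal's behalf carry a
            # service hostname here instead of an IP; surface them for review.
            reasons.append(f"non-IP source {src!r}")
        unknown = [t for t in ssm_targets(rec) if t not in fleet]
        if unknown:
            reasons.append("targets outside managed fleet: " + ",".join(unknown))
        if reasons:
            findings.append({"eventName": rec["eventName"], "principal": principal,
                             "sourceIP": src, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_ssm_events(SAMPLE_CLOUDTRAIL, POLICY):
        print(f["eventName"], f["principal"], f["sourceIP"], "; ".join(f["reasons"]))
```

The fleet check is the one that matters most for the kind of intrusion the report describes: an attacker who enrolls a host they already control into SSM, or points `StartSession` at an instance nobody in operations recognises, is using the management plane as a backdoor, and no amount of allowlisting principals catches that on its own. Extending the same filter to `CreateActivation` events, which enroll non-EC2 machines into SSM as hybrid nodes, is the obvious next step.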







A timeline of the Pacific Rim campaign. (Image courtesy of Sophos.)



