Sophos Firewall hack on government network used an all-new custom malware
Pygmy Goat is among tools used to breach Sophos edge devices
For the past five years, Chinese state-linked threat actors have been targeting edge devices belonging to government agencies and departments in the US and elsewhere in the West in an operation dubbed "Pacific Rim", and we now have more details about the tools they used and what those tools allowed the attackers to do.
Pacific Rim mainly targeted Sophos XG firewalls with the goal of cyber-espionage and data exfiltration, and it was most likely conducted by multiple Chinese-speaking threat actors, including the infamous Volt Typhoon.
In late October 2024, the UK National Cyber Security Centre (NCSC) published a report stating that a new Linux malware named "Pygmy Goat" was used in these attacks until May 2022, when it was last observed. "Pygmy Goat is a native x86-32 ELF shared object that was discovered on Sophos XG firewall devices, providing backdoor access to the device," the document's summary reads.
Pygmy Goat
Pygmy Goat is a sophisticated piece of network malware: it disguises its malicious traffic as legitimate Secure Shell (SSH) connections, which helps it evade detection, and it also supports covert communication through encrypted Internet Control Message Protocol (ICMP) packets, adding a further layer of obfuscation. In terms of capabilities, Pygmy Goat gave its operators persistent remote access to and control over infected firewalls, allowing them to manipulate the devices stealthily and potentially pivot into the broader network behind them.
Technical details about the code, infections, and more can be found in the NCSC paper.
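The encrypted-ICMP channel described above is the kind of traffic a network defender would want to spot. The following is an added illustration, not code from the NCSC report or from TechRadar, of one generic detection heuristic: per ICMP echo flow, ignore payloads that match the fill pattern of an ordinary ping client, accumulate everything else, and raise an alert once the accumulated payload is long enough and its byte entropy looks like ciphertext. The packet layout, IP addresses, identifiers, thresholds (512 bytes, 7.0 bits/byte) and the SHA-256-derived "ciphertext" are all constructed for the demo and are not indicators from the report.

```python
import hashlib
import math
import struct
from typing import Dict, List, Optional, Tuple

FlowKey = Tuple[str, str, int]   # (src, dst, ICMP identifier)


def shannon_entropy(data: bytes) -> float:
    """Plug-in estimate of entropy in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def looks_like_standard_ping(payload: bytes) -> bool:
    """True if the payload matches the fill pattern of a common ping client."""
    # iputils/BSD ping: optional 8- or 16-byte timestamp, then bytes counting up by one.
    for skip in (0, 8, 16):
        body = payload[skip:]
        if len(body) >= 8 and all(body[i] == (body[0] + i) & 0xFF for i in range(len(body))):
            return True
    # Windows ping: the letters a..w repeated.
    alpha = b"abcdefghijklmnopqrstuvw"
    return bool(payload) and all(payload[i] == alpha[i % len(alpha)] for i in range(len(payload)))


def parse_ipv4_icmp(frame: bytes) -> Optional[Tuple[FlowKey, int, bytes]]:
    """Return ((src, dst, id), icmp_type, payload) for an IPv4 ICMP echo packet, else None."""
    if len(frame) < 28 or frame[0] >> 4 != 4 or frame[9] != 1:   # not IPv4 / not ICMP
        return None
    ihl = (frame[0] & 0x0F) * 4
    icmp = frame[ihl:]
    if len(icmp) < 8:
        return None
    itype, _code, _csum, ident, _seq = struct.unpack("!BBHHH", icmp[:8])
    if itype not in (0, 8):                                       # echo reply / echo request only
        return None
    src = ".".join(str(b) for b in frame[12:16])
    dst = ".".join(str(b) for b in frame[16:20])
    key = (dst, src, ident) if itype == 0 else (src, dst, ident)  # replies join the request flow
    return key, itype, icmp[8:]


class IcmpCovertChannelMonitor:
    """Buffers non-standard echo payloads per flow and alerts when they look encrypted."""

    def __init__(self, min_bytes: int = 512, entropy_threshold: float = 7.0) -> None:
        self.min_bytes = min_bytes                  # assumed tuning values for the demo
        self.entropy_threshold = entropy_threshold
        self.buffers: Dict[FlowKey, bytearray] = {}

    def observe(self, frame: bytes) -> Optional[FlowKey]:
        parsed = parse_ipv4_icmp(frame)
        if parsed is None:
            return None
        key, _itype, payload = parsed
        if looks_like_standard_ping(payload):
            return None                             # ordinary ping traffic, not buffered
        buf = self.buffers.setdefault(key, bytearray())
        buf.extend(payload)
        if len(buf) >= self.min_bytes and shannon_entropy(bytes(buf)) >= self.entropy_threshold:
            self.buffers.pop(key)                   # report each flow once per window
            return key
        return None


def build_echo(src: str, dst: str, ident: int, seq: int, payload: bytes, itype: int = 8) -> bytes:
    """Constructed IPv4/ICMP echo packet for the demo (checksums left as zero)."""
    total = 20 + 8 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 1, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return ip + struct.pack("!BBHHH", itype, 0, 0, ident, seq) + payload


def standard_ping_flow(n: int = 8) -> List[bytes]:
    """Constructed Linux-style echo requests: 8-byte timestamp then 0x10, 0x11, ..."""
    return [build_echo("10.0.0.2", "10.0.0.1", 0x1111, i,
                       struct.pack("!Q", 1700000000 + i) + bytes(range(0x10, 0x10 + 48)))
            for i in range(n)]


def covert_flow(n: int = 8) -> List[bytes]:
    """Constructed echo requests carrying pseudo-random 64-byte payloads (stand-in for ciphertext)."""
    frames, state = [], b"demo-seed"
    for i in range(n):
        state = hashlib.sha256(state).digest()
        blob = state + hashlib.sha256(state + b"x").digest()
        frames.append(build_echo("10.0.0.2", "10.0.0.1", 0x2222, i, blob))
    return frames


def alerts_for(frames: List[bytes]) -> List[FlowKey]:
    mon = IcmpCovertChannelMonitor()
    return [key for key in (mon.observe(f) for f in frames) if key is not None]


if __name__ == "__main__":
    print("standard ping flow:", alerts_for(standard_ping_flow()))
    print("covert flow:       ", alerts_for(covert_flow()))
```

Entropy is measured over the whole flow rather than per packet because a single 56-byte ping payload has too few samples to separate ciphertext from the nearly-all-distinct byte pattern that iputils sends; that is also why the benign-pattern check comes first. On a real sensor the thresholds need tuning against the site's own ICMP baseline, and this heuristic says nothing about the SSH-disguised channel, which requires inspecting the SSH sessions themselves.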
While the document does not discuss the threat actors using Pygmy Goat, BleepingComputer notes that its tactics, techniques, and procedures (TTPs) align with those of a piece of malware called "Castletap", which was used by Chinese state-sponsored groups. Sophos, for its part, said the same rootkit was used in 2022 by another Chinese group dubbed "Tstark".
Pacific Rim was a major hacking operation that even drew the attention of the FBI, who recently asked the public to help them identify the attackers.
Via BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In a career spanning more than a decade, he has written for numerous media outlets, including Al Jazeera Balkans. He has also taught several modules on content writing for Represent Communications.