Black Hat USA 2025 | China's 5+ Year Campaign to Penetrate Perimeter Network Defenses
Why It Matters
The findings underscore that perimeter firewalls are no longer a reliable last line of defense, compelling organizations to adopt proactive patching and shared intelligence to defend against sophisticated, state-backed intrusion campaigns.
Key Takeaways
- Chinese state-linked actors ran a multi-year firewall exploitation campaign against networks worldwide
- Sophos identified three attack phases: initial breach, public exploits, stealth targeting
- "Cloud Snooper" used a packet-level rootkit to move command-and-control traffic and data through firewalls
- "Asnarök" leveraged a pre-bounty SQL injection and deployed the "Ragnarok" ransomware
- Ongoing attacks force vendors to accelerate hot-fix deployment and threat-intel sharing
Summary
The Black Hat talk detailed a multi-year, state-linked campaign by Chinese threat actors aimed at compromising perimeter firewalls and the networks they protect. Presenter Andrew Brandt, a principal threat researcher formerly at Sophos, walked through the evolution of the operation, which Sophos labeled “Pacific Rim” and traced back to 2018.
Research uncovered three distinct phases: an initial intrusion of Sophos’s own environment in 2018, a wave of public exploits beginning in 2020 (notably the “Asnarök” attack, which leveraged a pre‑bounty SQL injection), and a later, low‑profile phase targeting specific customers with bespoke payloads. The attackers employed custom rootkits such as “Cloud Snooper,” whose packet‑inspection engine read the source‑port value of inbound packets as a command, and deployed ransomware dubbed “Ragnarok” that incorporated Chinese‑language safety checks.
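The source‑port trick is worth turning into a detection, because it exploits an assumption firewalls make: a client's source port is chosen by its OS from the ephemeral range, so a peer that keeps reusing a handful of fixed, non‑ephemeral source ports toward an allowed service port is signalling, not browsing. The script below is an added example written for this page; it is not Sophos code and is not derived from the Cloud Snooper report. The log lines are constructed, and the SUSPECT_SRC_PORTS set is a hypothetical placeholder, not the real command‑port list.

```python
"""Flag inbound connections whose *source* port looks like a command channel.

Added example (not Sophos code). Legitimate clients use OS-assigned ephemeral
source ports (>= 1024, typically >= 32768 on Linux or >= 49152 on Windows), so
an inbound SYN from a low or fixed "round" source port, repeated by the same
peer, is anomalous. Only SYNs are examined, so DNS/NTP replies (which also
carry low source ports) are not mistaken for commands.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Source ports below this are almost never chosen by a client OS.
EPHEMERAL_FLOOR = 1024

# Hypothetical placeholder set for the demo; NOT the documented Cloud Snooper
# command ports. Replace with vendor-published indicators in production.
SUSPECT_SRC_PORTS = {6060, 7070, 8080, 9999}


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed record of the form 'SYN a.b.c.d:sport -> w.x.y.z:dport'."""
    _flag, src, _arrow, dst = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return Flow(src_ip, int(src_port), dst_ip, int(dst_port))


def is_suspicious_port(port: int) -> bool:
    """True for a non-ephemeral or known-indicator source port."""
    return port < EPHEMERAL_FLOOR or port in SUSPECT_SRC_PORTS


def suspicious_sources(log_text: str, min_hits: int = 2) -> Dict[str, List[int]]:
    """Return {src_ip: sorted distinct suspicious source ports} for peers that
    used a suspicious source port at least min_hits times. Requiring repeats
    filters out one-off oddities such as a misconfigured proxy."""
    hits: Dict[str, List[int]] = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        if is_suspicious_port(flow.src_port):
            hits[flow.src_ip].append(flow.src_port)
    return {ip: sorted(set(ports)) for ip, ports in hits.items() if len(ports) >= min_hits}


# Constructed sample: one attacker (203.0.113.5) cycling fixed source ports
# toward the firewall's permitted HTTPS listener, mixed with normal clients.
SAMPLE_LOG = """\
SYN 192.0.2.77:51234 -> 198.51.100.10:443
SYN 203.0.113.5:6060 -> 198.51.100.10:443
SYN 192.0.2.77:51240 -> 198.51.100.10:443
SYN 203.0.113.5:7070 -> 198.51.100.10:443
SYN 192.0.2.88:80 -> 198.51.100.10:443
SYN 203.0.113.5:6060 -> 198.51.100.10:443
SYN 192.0.2.99:40000 -> 198.51.100.10:22
SYN 203.0.113.5:9999 -> 198.51.100.10:443
"""

if __name__ == "__main__":
    for ip, ports in suspicious_sources(SAMPLE_LOG).items():
        print(f"{ip}: repeated non-ephemeral source ports {ports}")
```

On the sample, 203.0.113.5 is reported with ports 6060, 7070 and 9999, while 192.0.2.88 (a single SYN from source port 80) is dropped by the repeat threshold. The heuristic is deliberately narrow: it catches a rootkit that accepts commands in the source port of traffic the firewall already permits, which is exactly the case where a port‑based allow list provides no protection.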
Brandt highlighted vivid details: a compromised TV‑monitor device in a sales bullpen, debug messages in Chinese, a dead‑man‑switch file that triggered a secondary URL, and the use of domains like “firewallupdate.com” registered moments before exploitation. Sophos responded by publishing five technical reports, sink‑holing malicious domains, and inserting a stealth implant to monitor compromised firewalls in real time.
The campaign demonstrates that even mature firewall products remain attractive targets and that threat actors can sustain long‑term footholds through continuous vulnerability discovery and custom tooling. Enterprises must prioritize rapid hot‑fix deployment, continuous telemetry monitoring, and collaborative threat‑intel sharing to mitigate similar nation‑state‑level incursions.