Sophos Firewall Hack on Government Network Used All-New Custom Malware


  • Security researchers from the UK’s NCSC share more details about the tools used in Pacific Rim
  • Pygmy Goat is a capable backdoor probably used by Chinese actors
  • Even the FBI is asking for help to identify the crooks

Over the past five years, Chinese threat actors have targeted edge devices at government agencies and departments in the US and elsewhere in the West in an operation dubbed ‘Pacific Rim’ – and we now have more details about the tools they used and what those tools allowed the attackers to do.

Pacific Rim primarily targeted Sophos

In late October 2024, the UK National Cyber Security Centre (NCSC) published a report claiming that a new Linux malware called “Pygmy Goat” was used in these attacks. “Pygmy Goat is a native x86-32 ELF shared object discovered on Sophos XG firewall devices that provides backdoor access to the device,” the document’s summary reads.

Pygmy Goat

Pygmy Goat is an advanced network implant that disguised its malicious traffic as legitimate Secure Shell (SSH) connections in order to evade detection. It also supported covert communications over encrypted Internet Control Message Protocol (ICMP) packets, adding a further layer of obfuscation. In terms of capabilities, Pygmy Goat gave its operators persistent remote access and control, allowing them to stealthily manipulate infected devices and potentially compromise the broader network infrastructure.

Technical details about the code, the infections and more can be found in the NCSC report.

While the document does not say which threat actors use Pygmy Goat, BleepingComputer notes that its tactics, techniques and procedures (TTPs) resemble those of a piece of malware called “Castletap,” which was used by Chinese state-sponsored groups. Sophos, for its part, said that the same rootkit was used in 2022 by another Chinese group called “Tstark”.

Pacific Rim was a major hacking operation that even caught the attention of the FBI, which recently asked the public for help in identifying the attackers.

Via BleepingComputer
