174: Pacific Rim

Summary of 174: Pacific Rim

by Jack Rhysider

1h 30m, May 5, 2026

Overview of Darknet Diaries: Pacific Rim

This episode tells the story of how Sophos uncovered a long-running, highly sophisticated cyber campaign against its firewalls—one that began with the theft of source code from Cyberoam, then evolved into multiple zero-day attacks, malicious update infrastructure, and even a controversial defensive implant Sophos deployed to spy on the attackers. The campaign, later nicknamed Pacific Rim, appears to have been carried out by a Chinese state-aligned threat actor and targeted both Sophos and its customers across the Asia-Pacific region and beyond.

The Core Story

How it started

  • In 2018, attackers breached Sophos-owned Cyberoam infrastructure and reached the source code repository.
  • That source code later helped them discover and exploit weaknesses in the new Sophos XG Firewall.
  • The first major wave of exploitation was later called Asnarok.

What the attackers did

  • They compromised a tiny Linux device connected to a sales office TV leaderboard, then pivoted deeper into the network.
  • They stole or accessed firewall source code, studied it, and used that knowledge to build exploits.
  • They deployed malicious update domains such as:
    • sophosfirewallupdate.com
    • sophosproductupdate.com
  • Those domains made infected firewalls fetch attacker-controlled code instead of legitimate updates.
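One defensive check that follows from the update-domain abuse described above: a scan of DNS query logs that flags update lookups landing on a Sophos-branded domain the vendor does not own. This is an added example, not code from the episode or from Sophos; the log line format, the sample lines and the VENDOR_DOMAINS allowlist are assumptions made for illustration.

```python
# Added example (not from the episode or from Sophos): scan constructed DNS
# query log lines for update lookups that land on a Sophos-branded domain the
# vendor does not own. VENDOR_DOMAINS is an assumed allowlist for illustration.
import re

KNOWN_BAD = {"sophosfirewallupdate.com", "sophosproductupdate.com"}  # named in the episode
VENDOR_DOMAINS = {"sophos.com"}  # assumption: the vendor's own registrable domain
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) query (?P<name>\S+)$")  # assumed log format

def registrable_domain(host: str) -> str:
    """Last two labels of the hostname (adequate for .com; not a public-suffix lookup)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def classify(hostname: str) -> str:
    """Verdict order: known-bad, vendor, lookalike (brand string outside vendor domains), other."""
    dom = registrable_domain(hostname)
    if dom in KNOWN_BAD:
        return "known-bad"
    if dom in VENDOR_DOMAINS:
        return "vendor"
    if "sophos" in dom:
        return "lookalike"
    return "other"

def scan(lines: list[str]) -> list[dict[str, str]]:
    """Return one finding per log line whose queried name is known-bad or a lookalike."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None:
            continue  # skip lines that do not match the assumed log format
        verdict = classify(m["name"])
        if verdict in ("known-bad", "lookalike"):
            findings.append({"src": m["src"], "name": m["name"], "verdict": verdict})
    return findings

# Constructed sample log lines (timestamp, source IP, queried name); not real telemetry.
SAMPLE_LOG = [
    "T1 10.0.0.1 query update.sophos.com",
    "T2 10.0.0.1 query sophosfirewallupdate.com",
    "T3 10.0.0.7 query cdn.sophosproductupdate.com",
    "T4 10.0.0.9 query sophos-updates.example",
    "T5 10.0.0.9 query www.example.com",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The two-label domain heuristic is deliberately simple; a production check would use a public-suffix list and the vendor's documented update hostnames rather than a brand-string match.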

The scale of the attack

  • Sophos discovered that tens of thousands of firewalls were affected; reports cited a figure of around 80,000.
  • The attackers were not just exploiting devices at random; they were using the firewalls to harvest:
    • configuration data
    • passwords
    • network details
    • telemetry from specific targets

Sophos’ Response

Emergency hotfixes

  • Sophos pushed out remote hotfixes to customers’ firewalls.
  • This was unusual and controversial because it meant Sophos modified customer devices without waiting for manual patching.
  • The company decided the risk of doing nothing was greater than the risk of remotely changing customer firewalls.

Heavy incident response

  • Sophos assembled a large internal response effort, including:
    • security researchers
    • reverse engineers
    • incident responders
    • legal and leadership involvement
  • They increased monitoring and logging to understand what the attackers had done and what they were still doing.

Domain seizure and sinkholing

  • Sophos worked through legal channels to seize malicious domains.
  • They also coordinated with Dutch authorities to seize the attacker’s C2 infrastructure in the Netherlands.
  • Traffic was redirected to sinkholes so Sophos could study infected systems and attacker behavior.

The “Implant” and the Ethical Debate

Why Sophos built it

  • Sophos needed more visibility into compromised firewalls used by the attackers.
  • They built a kernel implant that could be delivered through normal updates to selected systems.
  • The implant let them collect deeper telemetry, including:
    • files being written
    • logs
    • process activity
    • MAC addresses of nearby systems
    • evidence of malware being staged on attacker-controlled lab devices

Why it was controversial

  • The discussion in the episode centers on whether this is defensive security or spyware.
  • Sophos’ position was:
    • it was only deployed to systems they were confident were attacker-owned or attacker-operated
    • it was used to protect victims and understand the threat
    • it was covered under their licensing and security response framework
  • The episode acknowledges the ethical gray area but emphasizes that the attackers were already doing far worse.

Round Two and Beyond

The campaign escalates

  • After Sophos patched the first wave, the attackers adapted within weeks.
  • New attacks followed, including the Baja campaign, which became part of the broader Pacific Rim label.
  • The attackers used:
    • web shells
    • local privilege escalation
    • rootkits
    • stealth mechanisms to disable hotfixes and telemetry
    • attempts at UEFI bootkits, which would have made the malware nearly impossible to remove

More targeted operations

  • Over time, the attacks became more selective and politically sensitive.
  • Targets included:
    • government agencies
    • healthcare providers
    • critical infrastructure
    • research and development organizations
    • groups tied to Uyghur and Tibetan communities
  • This strongly suggested a state-backed intelligence operation rather than ordinary cybercrime.

Attribution and Named Actors

Key names and identities

  • Two recurring handles stood out in Sophos telemetry:
    • GBigMao
    • T.Stark
  • Sophos used internal telemetry and OSINT to trace these to real-world researchers and threat actors.
  • One major figure was later identified as Guan Tianfeng, who appears on the FBI Cyber Most Wanted list.

Likely attribution

  • The episode makes clear that Sophos and partner organizations came to believe the operation was linked to Chinese state interests, likely involving APT31 or closely related actors.
  • French authorities also publicly tied related activity to APT31.

Main Takeaways

1. Source code theft can have years-long consequences

  • Stealing source code from one product can expose the next product generation to exploitation.

2. Firewalls are high-value targets

  • A compromised firewall can become a perfect place to:
    • spy
    • persist
    • bypass network defenses
    • deliver ransomware or provide a foothold for internal network access

3. Telemetry matters

  • Sophos’ ability to collect and analyze telemetry was crucial.
  • Without it, they likely would not have understood the scale or mechanics of the attacks.

4. Security vendors are now part of the battlefield

  • The story shows that security companies themselves are increasingly targeted by advanced actors.
  • Sophos’ transparency was presented as unusually honest and valuable.

5. Patch management is hard at scale

  • The episode highlights a tension between:
    • customer control over devices
    • vendor responsibility to protect them when the risk is urgent

Notable Insights

  • The attackers repeatedly studied Sophos’ own knowledge base articles to learn what was patched.
  • Sophos had to become more careful about what they published publicly because the attackers were reading it.
  • The campaign demonstrated a level of patience, resources, and sophistication consistent with a nation-state operation.
  • The war never truly ended; the episode simply stops at a logical checkpoint, with attacks continuing afterward.

Final Impression

Pacific Rim is a story about a cybersecurity vendor forced into an extraordinary defense posture against a persistent, well-resourced adversary. It’s part incident response, part intelligence operation, and part ethics debate. The big message: when a firewall vendor becomes the target, the consequences can ripple across entire customer networks and years of product development.