AI Summary
In 2018, hackers breached Sophos subsidiary CyberRoam through an overlooked Linux NUC powering a sales office TV leaderboard. They pivoted laterally to a source code repository, exfiltrating firewall code whose purpose remained unclear. Two years later, Sophos researchers linked this to a massive exploitation of their XG firewalls, revealing a multi-year campaign by Chinese actors using stolen code to hunt zero-days.
Early Breach and Source Code Theft
Andrew Brand, then at Sophos, analyzed the 2018 CyberRoam intrusion after an analyst flagged it. Attackers entered via the wall-mounted NUC, exploited AWS identity handling, and reached the Git repository for firewall source code. Logs showed multiple actors collaborating clumsily (one mistyped an SSH key password), indicating a coordinated team using novel techniques that were not publicly known.
Sophos assumed code theft for IP replication or sale but lacked full visibility due to sparse monitoring. Brand published a redacted blog post highlighting the pivot's ingenuity without naming the victim. Craig Jones, then Sophos security director, led cleanup, noting the attackers' multi-vector entry and lateral movement as exceptionally crafty.
Ragnarok: Mass Exploitation of 80,000 Firewalls
What you'll learn
- 1 (00:02) **2018 CyberRoam Breach Origin** - Attack starts via infected TV leaderboard NUC in sales office, pivots to source code repo
- 2 (02:16) **Source Code Theft Motive Unknown** - Hackers access CyberRoam source code repository, intent unclear
- 3 (05:03) **2020 XG Firewall SQLi Discovery** - Customer reports anomalous URL in firewall UI; external bug bounty coincides
- 4 (11:51) **Mass Exploitation Scale Revealed** - 80,000 Sophos XG firewalls compromised via SQLi
- 5 (13:30) **Hotfix Deployment Decision** - Sophos pushes unprecedented remote hotfix to all affected firewalls
- 6 (17:59) **Linking to CyberRoam Attack** - 2020 vuln traces to CyberRoam code migrated to XG firewall
- 7 (25:11) **Actor Identification via Telemetry** - G Big Mao linked to exploits via trial licenses, IP, email
Show Notes
For six years, Sophos fought a secret cyber war against a state-backed hacking group targeting its firewalls. This forced Sophos to drastically change tactics to properly secure their firewalls.
Was it ethical? Was it effective? They disrupted nine zero-day attacks, exposed who was hacking them, and forced the hackers to change tactics. But at what cost?
You have to listen to one of the most audacious corporate cyber defenses ever conducted.
Sponsors
Support for this show comes from ThreatLocker®. ThreatLocker® is a Zero Trust Endpoint Protection Platform that strengthens your infrastructure from the ground up. With ThreatLocker® Allowlisting and Ringfencing™, you gain a more secure approach to blocking exploits of known and unknown vulnerabilities. ThreatLocker® provides Zero Trust control at the kernel level that enables you to allow everything you need and block everything else, including ransomware! Learn more at www.threatlocker.com.
This show is sponsored by Meter, the company building networks from the ground up. Meter delivers a complete networking stack - wired, wireless, and cellular - in one solution that’s built for performance and scale. Alongside their partners, Meter designs the hardware, writes the firmware, builds the software, manages deployments, and runs support. Learn more at meter.com.
Support for this show comes from Drata. Drata is the trust management platform that uses AI-driven automation to modernize governance, risk, and compliance, helping thousands of businesses stay audit-ready and scale securely. Learn more at drata.com/darknetdiaries.