A call for more transparency of Security Vendors

20/05/2026

Somewhere in a Sophos SOC, it started as a blip – an odd pattern of exploits against perimeter firewalls, just suspicious enough that an analyst refused to write it off as background noise. The targets weren't random: high‑value organizations, often in government, critical infrastructure, and R&D, mostly across the Indo‑Pacific – the kind of environments where "weird" should never be ignored. This article was prompted by an episode of Darknet Diaries, one of our favorite podcasts. Listen to it, learn from it, and let it open your eyes.

As the telemetry accumulated, a picture emerged of China‑based state-backed groups quietly turning Sophos firewalls into a long-term staging ground. They mixed exploits for known CVEs with bespoke tooling, moving away from "spray-and-pray" scanning toward surgical, hand‑crafted intrusions that blended into legitimate admin activity. Over time their TTPs evolved: living‑off‑the‑land, carefully timed changes, and a deep understanding of the device firmware that suggested extensive reverse engineering and test labs of their own.

Sophos researchers watched the adversary become more adept at disappearing inside the very telemetry the defenders relied on. At one point, the attackers identified and blocked telemetry channels on their own test devices after Sophos used those channels to study exploit development in real time, forcing the defenders to rethink how they collected and protected their own visibility. The groups deployed a custom userland rootkit, designed not just to hide but to persist across reboots and investigations, with design choices suggesting it could be ported across multiple vendors' gear. Sophos also uncovered an experimental UEFI bootkit – an early sign that this adversary was preparing to persist below the operating system itself.

This wasn't a smash‑and‑grab ransomware crew; it was a patient, well‑resourced state actor willing to spend years inside edge infrastructure to quietly shape and surveil other people's networks. Sophos tracked overlapping activity that it ultimately mapped to known Chinese‑nexus clusters such as Volt Typhoon, APT31, and APT41/Winnti – groups with different missions but access to shared exploit chains and tooling. The campaigns shifted over time from broad targeting to tightly scoped operations against specific entities that mattered to Chinese strategic interests.

From the outside, there was silence. Customers saw advisories, patches, routine vendor messaging – but not the full story of the cat‑and‑mouse game unfolding around their firewalls. Inside Sophos, teams collected telemetry, correlated incidents, and worked with other vendors, governments, and law‑enforcement agencies to validate attribution and understand how widely these techniques were being used beyond their own install base. The defenders knew that what they were seeing "on Sophos boxes" was almost certainly happening on other vendors' gear as well; the rootkit and tradecraft were clearly designed for multi‑vendor applicability.

After more than five years, Sophos made an unusual decision: instead of keeping the deepest lessons confined to NDA briefings and private ISAC calls, they went public with "Pacific Rim," a detailed account of the TTPs used, the evolution of the campaigns, and how Sophos had responded at every stage. In parallel, they framed it explicitly as a transparency choice, arguing that understanding how nation‑state groups abuse edge devices is a collective defense problem, not a brand‑protection issue.

Years in the dark with a nation‑state adversary

What makes this story uncomfortable is not the fact that a security vendor was targeted by a nation‑state – that's been true for years – but how rarely we get this level of narrative, technical, and organizational transparency when it happens. Sophos' own survey work shows why that matters: only about 5% of IT leaders say they fully trust their cybersecurity vendors, and roughly four out of five organizations find it hard to assess how trustworthy new providers really are. Those same stakeholders rank "verifiable artifacts" (trust centers, advisories, third‑party assessments) and "transparency and timely communications during incidents" as the top drivers of trust – not marketing, not Gartner quadrants.

In Pacific Rim, Sophos essentially "open-sourced" a five‑year autopsy of its own perimeter battles: the timeline, the exploits, the rootkit's design, the shift from noisy exploitation to stealthy persistence, and even the attackers' counter‑intelligence moves against Sophos' telemetry. It is a rare case where a vendor says, in effect, "Here's where we were blind, here's how an APT abused our architecture, and here's what we did about it – and by the way, they were probably doing this to our competitors too."

That level of humility is not common in our industry.

How other vendors tell their breach stories

Consider FireEye's 2020 breach, widely assessed as a state‑sponsored operation aimed at stealing its red team tools. FireEye was commendably quick to acknowledge that a "nation with top‑tier offensive capabilities" had compromised its systems and exfiltrated internal tooling, and it released hundreds of detection rules and countermeasures publicly, including Snort, YARA, and other signatures shared via GitHub. But the narrative was tightly scoped to the theft itself and defensive guidance; we got limited insight into long‑term telemetry battles, the attackers' experimentation cycles, or deep architectural introspection on how FireEye's own environment had to change as a result.

Microsoft's disclosures around the SolarWinds‑related intrusion followed a similar pattern. The company revealed that an illicit account associated with the SolarWinds campaign had been used to view some internal source code, emphasizing that the account was read‑only, that no engineering systems were altered, and that there was no evidence of access to production services or customer data. That communication was transparent in the narrow sense – it admitted compromise and scope – but again focused on assurance ("no customer impact") rather than on a narrative of how a nation‑state probed, learned from, and adapted to Microsoft's own defenses over time.

SolarWinds itself eventually described SUNBURST as a "highly sophisticated and novel" code injection into its Orion build pipeline, coordinated with U.S. government and private partners to untangle the supply‑chain attack. The company's posts explain how malicious code was inserted into builds and how the attackers mimicked legitimate traffic from U.S.-based infrastructure to evade detection, but the emphasis remains on technical reconstruction and remediation, not on multi‑year adversarial co‑evolution.

Cisco's handling of the Yanluowang incident offers another data point. Cisco confirmed that a ransomware group breached its network, exfiltrated a few gigabytes of data, and attempted extortion, but stressed repeatedly that the stolen files were "not sensitive" and that there was no impact on products, services, intellectual property, or supply‑chain operations. The message is clear: yes, there was a breach, but no, it does not change your risk calculus – a familiar pattern in vendor communications.

None of these disclosures are "bad" in isolation; in fact, FireEye's rapid release of IOCs and defensive content in 2020 remains a high watermark for operational collaboration under pressure. But taken together, they illustrate how much of the industry's incident narrative is shaped around minimizing perceived customer impact and reputational damage, rather than exposing the full, messy story of how top‑tier adversaries actually learn from and abuse vendor products over years.

Radical transparency as a security control

This is where Sophos' Pacific Rim work is different, and why it matters. Instead of treating the multi‑year battle with Chinese state‑backed operators as an embarrassing episode to be contained, Sophos framed it as a shared industry problem and published a detailed case study of the adversary's tradecraft, including techniques that clearly apply to other vendors' devices and to the broader category of edge infrastructure. Publicly, Sophos has argued for "radical transparency," tying its Pacific Rim research directly to a broader Trust Center, third‑party certifications, and commitments under CISA's Secure by Design initiative.

Their own data shows that organizations want precisely this: verifiable artifacts of security maturity, clear advisories that document vulnerabilities and remediations, and explicit transparency during incidents. By publishing a five‑year nation‑state firefight in all its uncomfortable detail, Sophos has given defenders everywhere a richer threat model for what "edge compromise by a state actor" actually looks like in practice, while implicitly challenging other vendors to meet – or exceed – that level of disclosure the next time they find themselves in similar crosshairs.

In an industry where trust is scarce, the most powerful signal a security vendor can send is not "we are unbreachable," but "when the worst happens, we will tell you the truth, fast and in full." On that metric, Sophos' Pacific Rim story is more than a good Darknet Diaries episode – it is a blueprint for the kind of radical transparency this sector has been promising for years but rarely delivers.