174: Pacific Rim

This episode of Darknet Diaries dives into the unprecedented cyber campaign known as the Pacific Rim Campaign, a multi-year, state-sponsored attack by Chinese threat actors targeting Sophos firewalls. The story begins in 2018 when attackers infiltrated CyberRome, a company acquired by Sophos, stealing its source code to study vulnerabilities. Two years later, in 2020, a critical SQL injection flaw in the Sophos XG firewall allowed attackers to redirect updates to malicious domains, compromising an estimated 80,000 devices. Sophos responded with a groundbreaking hotfix deployed remotely—something never done before—despite ethical and legal concerns. The investigation revealed a sophisticated, coordinated effort by multiple actors, including the infamous GBigMao and T-Stark, operating from China and using trial firewalls to test exploits. Sophos developed a stealthy kernel implant to spy on the attackers, gaining unprecedented insight into their operations. The campaign evolved into a relentless series of zero-day exploits, with attackers targeting specific organizations across the Asia-Pacific region, including government agencies and human rights groups. The FBI eventually added GBigMao (Guan Tianfeng) to its Most Wanted list with a $10 million bounty. The episode ends with the realization that the attacks continue, highlighting a dangerous imbalance: a single company fighting a nation-state actor with no legal or technical parity. The story underscores the need for transparency, telemetry, and proactive defense in an increasingly hostile digital landscape.