4 November 2024

UK cybersecurity agency details China-linked Pygmy Goat backdoor discovered on Sophos XG firewalls

The UK’s cybersecurity agency released a report describing a sophisticated new backdoor dubbed “Pygmy Goat” found on Sophos XG firewall devices. The malware is said to be the work of Chinese state-sponsored hackers and includes capabilities that grant attackers control over compromised systems.

The report follows a series of Sophos reports detailing five years of encounters with Chinese threat actors increasingly targeting networking devices globally, including Sophos' own products. Since 2018, Sophos has defended against escalating attacks, including a breach of its Cyberoam office in India, where attackers exploited a wall-mounted display for initial access. Sophos described the attackers as adaptable and capable of escalating their tactics.

In addition to stealing VPN credentials and tampering with firmware for persistence, the threat actors employed sophisticated tools, such as a custom rootkit, TERMITE in-memory dropper, trojanized Java files, and a UEFI bootkit. Sophos linked these attacks to groups such as Volt Typhoon, APT31, and APT41/Winnti, suggesting that Chinese researchers might develop and share zero-day vulnerabilities with both vendors and Chinese government-aligned entities. According to the report, the group allegedly exploited a critical SQL injection vulnerability (CVE-2020-12271) as part of a widespread campaign to exfiltrate sensitive data from firewall devices around the world.

The Pygmy Goat backdoor, uncovered in the SSH daemon of Sophos firewalls, is designed to evade detection by emulating legitimate traffic. Once deployed, it enables attackers to manipulate the firewall using remote shell access, capture packets, set up cron tasks, and create SOCKS proxy servers. The malware is controlled via SSH or encrypted ICMP packets, making it nearly indistinguishable from benign traffic—a testament to its creators’ sophistication.

The agency noted that the malware does not rely on any proprietary libraries from Sophos. Instead, it’s compatible with a basic Ubuntu distribution, suggesting potential adaptability for various systems.

Pygmy Goat was also observed using a fraudulent security certificate that mimics one issued by Fortinet, another firewall vendor frequently targeted in cyberattacks. This technique hints that the malware may have initially been crafted for FortiGate devices and later adapted for use on Sophos systems.

The UK cybersecurity agency highlighted that the recent tactics, techniques, and procedures (TTPs) used in Pygmy Goat bear resemblance to those employed in attacks against Fortinet’s FortiGate devices.

Following the reports, the FBI announced it is seeking public assistance in identifying the individuals responsible for this series of breaches, which targeted public and private sector edge devices and networks.
