Sophos XG firewalls on government networks have been compromised by a new, stealthy backdoor called “Pygmy Goat,” according to a malware analysis report from the UK’s National Cyber Security Centre (NCSC).
The intrusions are part of a larger, long-running operation known as “Pacific Rim,” which has targeted government networks for several years.
Investigators attribute the activity to state-sponsored threat actors, most likely operating from China.
A Years-Long Threat: The Pacific Rim Operation
The Pacific Rim campaign has been running for nearly five years, and its focus is squarely on cyber-espionage. Sophos XG firewalls were a key target because, as edge devices, they sit at the boundary of otherwise well-defended government networks.
By compromising these edge devices, attackers have been able to obtain sensitive information, control network traffic, and maintain long-term access to the networks behind them.
The operation uses sophisticated tooling and has been attributed to several Chinese state-sponsored groups, including the well-known Volt Typhoon.
As part of the campaign, these groups deployed a range of custom tools to breach defenses, with “Pygmy Goat” standing out as a particularly advanced backdoor.
Pygmy Goat: A Stealthy Backdoor Malware
“Pygmy Goat” is a backdoor built for the Linux-based operating system of Sophos XG firewalls. It is an x86-32 ELF shared object, and once loaded on the device it gives attackers covert access to the government networks the firewall protects.
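Added triage helper, not code from the NCSC report or from Sophos: a small Python parser that reads an ELF header and reports whether a file is a 32-bit x86 shared object, the form the report gives for Pygmy Goat's binary, plus a directory sweep built on it. The sample headers are constructed inside the block, and the `sweep` function is an assumption about how a responder would apply the check; it is not a signature for the malware.

```python
import os
import struct

# ELF header constants from the ELF specification
ELF_MAGIC = b"\x7fELF"
ELFCLASS32, ELFCLASS64 = 1, 2
ELFDATA2LSB = 1
ET_EXEC, ET_DYN = 2, 3
EM_386, EM_X86_64 = 3, 62


def parse_elf_header(data: bytes):
    """Return class, type and machine from the first 20 bytes of an ELF file, or None."""
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        return None
    ei_class, ei_data = data[4], data[5]
    endian = "<" if ei_data == ELFDATA2LSB else ">"
    e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
    return {"class": ei_class, "type": e_type, "machine": e_machine}


def is_x86_32_shared_object(data: bytes) -> bool:
    """ELFCLASS32 + ET_DYN + EM_386: the shape the NCSC gives for Pygmy Goat's binary."""
    h = parse_elf_header(data)
    return (h is not None and h["class"] == ELFCLASS32
            and h["type"] == ET_DYN and h["machine"] == EM_386)


def sweep(root: str):
    """Walk a tree and return paths whose ELF header matches (assumed workflow, not a verdict)."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(64)
            except OSError:
                continue
            if is_x86_32_shared_object(head):
                hits.append(path)
    return hits


def make_elf_header(ei_class: int, e_type: int, e_machine: int) -> bytes:
    """Constructed minimal little-endian ELF header for the samples below (not real malware)."""
    e_ident = ELF_MAGIC + bytes([ei_class, ELFDATA2LSB, 1, 0]) + b"\x00" * 8
    return e_ident + struct.pack("<HHI", e_type, e_machine, 1) + b"\x00" * 40


def samples():
    """Constructed inputs: a 32-bit .so, a 64-bit .so, a 32-bit executable, and a shell script."""
    return {
        "x86_32_so": make_elf_header(ELFCLASS32, ET_DYN, EM_386),
        "x86_64_so": make_elf_header(ELFCLASS64, ET_DYN, EM_X86_64),
        "x86_32_exe": make_elf_header(ELFCLASS32, ET_EXEC, EM_386),
        "script": b"#!/bin/sh\necho hello\n",
    }


if __name__ == "__main__":
    for name, data in samples().items():
        print(f"{name}: {'match' if is_x86_32_shared_object(data) else 'no match'}")
```

ET_DYN also covers position-independent executables, and a device whose userland is 32-bit will contain many legitimate libraries that match, so the sweep only narrows the candidate list; the hits still need to be compared by hash against a known-good firmware image.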
The NCSC report describes how Pygmy Goat hides its command-and-control traffic inside what appear to be legitimate Secure Shell (SSH) connections, making it hard to distinguish from routine administrative access.
It can also communicate over encrypted Internet Control Message Protocol (ICMP) packets, a second covert channel that does not depend on SSH at all.
Because both channels blend into protocols a firewall is expected to see, the malware can operate on the device for long periods without tripping standard monitoring or endpoint security tools.
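One practical check a network defender might run against the ICMP channel described above, as an added example that is not from the NCSC report or Sophos: the Python script parses raw IPv4/ICMP frames, whitelists payloads that look like a standard iputils or Windows ping, and flags long echo payloads whose byte entropy is consistent with encrypted data. The packets are constructed inline, the threshold values are assumptions, and the heuristic is not the NCSC's published detection logic.

```python
import hashlib
import math
import struct
from collections import Counter

# Tunables for this illustration (assumptions, not values from the NCSC report)
ENTROPY_THRESHOLD = 5.5      # bits per byte; encrypted data approaches 8.0
MIN_PAYLOAD_FOR_CHECK = 32   # shorter payloads give unreliable entropy estimates

# Payload patterns produced by common ping implementations
LINUX_PATTERN = bytes(range(0x10, 0x10 + 48))           # iputils: 8-byte timestamp, then 0x10, 0x11, ...
WINDOWS_PATTERN = b"abcdefghijklmnopqrstuvwabcdefghi"   # Windows ping.exe default 32-byte payload


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte; 0.0 for empty or single-valued input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 when run over a correct packet."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_icmp(frame: bytes):
    """Return (src, dst, icmp_type, payload) for an IPv4 ICMP packet, else None."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        return None
    ihl = (frame[0] & 0x0F) * 4
    if frame[9] != 1 or len(frame) < ihl + 8:       # IP protocol 1 = ICMP, 8-byte ICMP header
        return None
    src = ".".join(str(b) for b in frame[12:16])
    dst = ".".join(str(b) for b in frame[16:20])
    return src, dst, frame[ihl], frame[ihl + 8:]


def is_standard_ping_payload(payload: bytes) -> bool:
    """True when the payload is what iputils or Windows ping would send."""
    if len(payload) > 8 and payload[8:] == LINUX_PATTERN[: len(payload) - 8]:
        return True
    return payload == WINDOWS_PATTERN


def classify(frame: bytes) -> str:
    """Verdict for one frame: ignore, benign-pattern, ok, or suspicious."""
    parsed = parse_ipv4_icmp(frame)
    if parsed is None:
        return "ignore"
    _, _, icmp_type, payload = parsed
    if icmp_type not in (0, 8):                      # only echo reply/request carry free-form data
        return "ignore"
    if is_standard_ping_payload(payload):
        return "benign-pattern"
    if len(payload) < MIN_PAYLOAD_FOR_CHECK:
        return "ok"
    return "suspicious" if shannon_entropy(payload) >= ENTROPY_THRESHOLD else "ok"


def scan(frames):
    """Return (src, dst, verdict) for every IPv4 ICMP frame in the iterable."""
    findings = []
    for frame in frames:
        parsed = parse_ipv4_icmp(frame)
        if parsed is not None:
            findings.append((parsed[0], parsed[1], classify(frame)))
    return findings


def build_icmp_echo(src: str, dst: str, payload: bytes, ident=0x1234, seq=1) -> bytes:
    """Constructed IPv4 + ICMP echo request with valid checksums (test data, not a capture)."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0xABCD, 0, 64, 1, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + icmp


def sample_frames():
    """Constructed sample traffic: a normal Linux ping, a high-entropy echo, and a non-ICMP frame."""
    linux_ping = build_icmp_echo("10.0.0.5", "10.0.0.1", b"\x00" * 8 + LINUX_PATTERN)
    blob, seed = b"", b"constructed-sample"      # SHA-256 chain as a stand-in for ciphertext
    while len(blob) < 256:
        seed = hashlib.sha256(seed).digest()
        blob += seed
    covert = build_icmp_echo("203.0.113.9", "10.0.0.1", blob)
    tcp = bytes([0x45, 0]) + b"\x00" * 7 + bytes([6]) + b"\x00" * 10   # minimal IPv4 header, proto 6
    return {"linux_ping": linux_ping, "covert": covert, "tcp": tcp}


if __name__ == "__main__":
    for src, dst, verdict in scan(sample_frames().values()):
        print(f"{src} -> {dst}: {verdict}")
```

In production the same logic would run over a capture from the firewall's uplink, with the pattern whitelist extended to whatever monitoring tools on the network legitimately send in echo payloads; any echo traffic that originates from the firewall itself and does not match a known pattern deserves a closer look regardless of entropy.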
Persistent Remote Control and Network Manipulation
Pygmy Goat is far more than a simple backdoor: it provides persistent remote access and gives attackers extensive control over the compromised device.
With that control, attackers can reconfigure the firewall and, through it, reach the broader network. Persistent access lets them gather intelligence, exploit further vulnerabilities, and carry out unauthorized actions undetected for extended periods.
Such a foothold also endangers every host behind the infected firewall, since attackers can use it to move laterally, raising the risk of further data breaches and system compromises.
Similarities to Past Attacks: “Castletap” and “Tstark”
While Pygmy Goat is new, researchers note similarities to previous malware campaigns attributed to Chinese threat groups.
BleepingComputer has pointed out that Pygmy Goat's tactics, techniques, and procedures (TTPs) resemble those of “Castletap,” another backdoor linked to Chinese state-sponsored hackers.
Sophos has also reported connections to a rootkit used by a Chinese group known as “Tstark” in 2022.
Both share strategic similarities with the Pacific Rim operation, suggesting that Pygmy Goat is the latest step in a continuing evolution of cyber-espionage tooling by the same or affiliated threat actors.
FBI Involvement and the Ongoing Threat
The FBI, recognizing the severity of the Pacific Rim campaign, has asked the public for information that could help identify the attackers.
That request underscores the scope and complexity of the threat: tracking and countering these well-resourced groups requires international collaboration.
The Pacific Rim operation, and Pygmy Goat in particular, shows that threat actors are investing in highly specialized malware to exploit weak points in government security systems.
This sustained focus on edge devices such as firewalls underlines the need for organizations to adopt multi-layered security measures and stay current on defensive tactics.