Craig Jones
Podcast Appearances
We found the IP actually related back to Chengdao in China.
We kind of worked out that there were a huge amount of devices affected.
I think in the aimed FBI report that came out about this, I think they mentioned 80,000.
It has a guess that it's probably more, you know.
It was a wget to a domain called SophosFirewallUpdate.com.
And it's kind of strange because we actually monitor all domain registrations.
It's kind of part of our kind of core security, like ops function.
So every single like cert that was registered, every domain that was registered, we kind of pop up and, you know, anything infringed on software's IP, we attempt to pull back, you know.
And it was one that had popped up like a little while ago, but nothing had kind of come of it, you know.
But actually seeing this thing in operation was quite like, quite jarring, you know.
Yeah, so effectively, what they could do, I mean, the truth is anything, what they really were after was system configuration and passwords.
Now, I've always suspected that this was something that they expected to run quietly for them to kind of pull that configuration, the passwords quietly.
And then for them to kind of delete any presence they ever had on those firewalls, and then for them to have a really easy and simple access campaign.
So it was very much like an incredibly tense situation where we first had to get a hold of one of these devices.
You know, we set multiple teams up to work out what happened and to really do some in-depth incident response on this.
We're incredibly lucky, you know, we had the entire team arm of Sophos Labs to help us kind of reverse engineer this stuff.
I think that's what's important as well.
It's like, this isn't something that's just kind of done.