Jack Rhysider
This is starting to smell like a nation state actor is behind this.
Who else has that much time and resources?
And what the heck was the deal with someone from China submitting this bug the exact same time that Sophos discovered this?
That's where the person who submitted the bug was from.
So they took this firewall, and again, this one was running a trial license, which was actually just a software-based firewall running in a virtual machine.
And it's a virtual machine because Sophos isn't allowed to sell their firewalls to China due to export controls.
So really, nobody in China should even have a Sophos firewall.
Their suspicion was that the attackers were using this virtual firewall to practice their attacks against, develop them, and then unleash them against the world.
Because Sophos has the ability to run in a virtual machine with trial licenses, they can just spin one up real quick, try attacks on it.
If they mess up the firewall, they can just reboot it, take it down, and bring a fresh one up in minutes.
They looked up who registered that trial license and this gave them an IP address, a username, and an email address.
What other Sophos products has GBigMao downloaded?
Then they took a look at his email address and wondered, has this email address been used anywhere else in the world?
So they do some OSINT investigation to see if this email is known anywhere else.