Presented at DEF CON 33 (2025), Aug. 8, 2025, 2:30 p.m. (45 minutes).
For more than five years, firewall vendors have been locked in a persistent, cyclical struggle against a well-resourced and relentless China-based adversary that has expended considerable resources developing custom exploits and bespoke malware expressly for the purpose of compromising enterprise firewalls in customer environments. In this first-of-its-kind presentation, Andrew Brandt will walk attendees through the complete history of the campaign, detailing the full scope of attacks and the countermeasures one firewall vendor developed to derail the threat actors, including details of the exploits targeting specific firewalls and the malware deployed inside the firewalls as a result of these attacks.
Fundamental to this presentation is the fact that the adversary behind this campaign has not targeted only one firewall vendor: Most of the large network security providers in the industry have been targeted multiple times, using many of the same tactics and tools. So this serves not merely as a warning to the entire security industry, but as an urgent call to the companies that make up this industry to collectively combat this ongoing problem. Because at the end of the day, we all face the same threat, and we cannot hope to withstand the tempo and volume of these attacks alone. We must work together.
References:
- [link](https://news.sophos.com/en-us/2024/10/31/pacific-rim-timeline/)
Presenters:
- Andrew Brandt / Spike as Andrew "Spike" Brandt
Andrew Brandt is a former investigative journalist who switched careers to work in information security in 2007. He is an experienced malware analyst, network forensicator, and cyberattack untangler, who seeks to prevent cybercriminals from being able to victimize others. He has served as the director of threat research or as a principal researcher at several large cybersecurity companies, and currently serves on the board of World Cyber Health, the parent organization that operates the Malware Village at DEF CON and other conferences. As the executive director of Elect More Hackers, he is active in cybersecurity and technology policy, and seeks to recruit like-minded folks to run for elected office. He lives in Boulder, Colorado.