ATP activated from outside?

During the night, ALL my 9.4 upgraded UTMs showed these (from China):

Advanced Threat Protection

A threat has been detected in your network
The source IP/host listed below was found to communicate with a potentially malicious site outside your company.

Details about the alert:

Threat name....: C2/Generic-A
Details........: http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/C2~Generic-A.aspx
Time...........: 2016-03-20 05:37:01
Traffic blocked: yes

Source IP address or host: 180.97.161.225
        
-- 
System Uptime      : 25 days 19 hours 13 minutes
System Load        : 2.07
System Version     : Sophos UTM 9.400-9

and this:

Advanced Threat Protection

A threat has been detected in your network
The source IP/host listed below was found to communicate with a potentially malicious site outside your company.

Details about the alert:

Threat name....: C2/Generic-A
Details........: http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/C2~Generic-A.aspx
Time...........: 2016-03-20 04:01:43
Traffic blocked: yes

Source IP address or host: 218.60.112.227
        
-- 
System Uptime      : 25 days 17 hours 37 minutes
System Load        : 2.10
System Version     : Sophos UTM 9.400-9

But ATP normally works from inside to outside. How could this be happening?
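
A triage aid for the question above, added here and not part of the original post: it parses notifications in the format quoted in the post and reports whether each alert's source address lies inside the protected networks or outside them. The internal ranges (RFC 1918) and all function names are assumptions.

```python
import ipaddress
import re
# Constructed input: the fields used here, copied from the two alerts in the post.
SAMPLE_ALERTS = """\
Threat name....: C2/Generic-A
Time...........: 2016-03-20 05:37:01
Traffic blocked: yes
Source IP address or host: 180.97.161.225

Threat name....: C2/Generic-A
Time...........: 2016-03-20 04:01:43
Traffic blocked: yes
Source IP address or host: 218.60.112.227
"""

# Assumption: the networks behind the UTM are RFC 1918 ranges; substitute your own.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FIELD_RE = re.compile(
    r"^(Threat name|Time|Traffic blocked|Source IP address or host)[.\s]*:\s*(.+?)\s*$", re.M)

def parse_alerts(text):
    """Split notification text into one dict per alert, keyed by field label."""
    alerts = []
    for key, value in FIELD_RE.findall(text):
        if key == "Threat name":      # first field of every notification
            alerts.append({})
        if alerts:
            alerts[-1][key] = value
    return alerts

def classify_source(source):
    """Return 'internal', 'external' or 'hostname' for an alert's source field."""
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        return "hostname"             # the field can carry a host name instead of an IP
    return "internal" if any(addr in net for net in INTERNAL_NETS) else "external"

def triage(text):
    rows = []                         # (time, threat, source, origin, blocked) per alert
    for a in parse_alerts(text):
        src = a.get("Source IP address or host", "")
        rows.append((a.get("Time"), a.get("Threat name"), src,
                     classify_source(src), a.get("Traffic blocked") == "yes"))
    return rows

if __name__ == "__main__":
    for row in triage(SAMPLE_ALERTS):
        print(row)
```

An `external` result for every alert, as with the two above, means no internal client is named as the source, so the next place to look is the firewall and reverse-proxy logs for the same timestamps.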