A federal indictment unsealed in Hammond, Indiana, has charged Chinese national Guan Tianfeng with deploying malware that exploited a zero-day vulnerability in Sophos firewall devices, affecting tens of thousands of networks worldwide. Guan, an employee of Sichuan Silence Information Technology Co. Ltd., allegedly conspired to infect approximately 81,000 firewalls in 2020, including those safeguarding critical U.S. infrastructure.
Attacking firewalls worldwide
Guan and his co-conspirators exploited a zero-day vulnerability (CVE-2020-12271) in Sophos firewalls to develop and deploy malware. This malware was designed to exfiltrate sensitive data, such as usernames and passwords, and encrypt systems when victims attempted remediation. Between April 22 and 25, 2020, the attack targeted thousands of businesses globally, with 23,000 compromised firewalls in the U.S. alone. The malware’s encryption capability, tied to the Ragnarok ransomware variant, posed significant risks, particularly to critical infrastructure.
One victim, a U.S.-based energy company, was involved in active drilling operations at the time of the compromise. Had the ransomware succeeded, the attack could have led to catastrophic equipment malfunctions, endangering human lives.
Sophos, a leading UK-based cybersecurity company specializing in network security appliances, discovered the breach and mitigated the vulnerability within two days. The swift action prevented further damage, although it forced the attackers to modify their malware. The attackers also registered fake domains, such as sophosfirewallupdate.com, to disguise their activity.
Links to the PRC government
Court documents reveal that Guan worked at Sichuan Silence, a Chengdu-based cybersecurity firm with deep ties to China’s Ministry of Public Security. Sichuan Silence is known for developing tools for network exploitation and intelligence gathering, often on behalf of Chinese state interests. The tools used in the Sophos firewall exploit, including pre-positioning devices, were allegedly provided by the company.
Guan, operating under aliases like “gbigmao,” had previously published details about zero-day vulnerabilities on hacking forums and participated in cybersecurity tournaments representing Sichuan Silence.
In response to the incident, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned Sichuan Silence and Guan under Executive Orders 13694 and 13757. These sanctions block their U.S.-based assets and prohibit financial transactions involving them.
The U.S. Department of State also announced a reward of up to $10 million for information leading to Guan’s arrest or insights into the malicious cyber activities linked to Sichuan Silence. Guan is believed to reside in Sichuan Province, China, and may have ties to Bangkok, Thailand.
Windows 11 December Patch Tuesday Fixes 72 Flaws, One Zero-Day
Leave a Reply