Chinese Hacker Sanctioned by US Government for Severe Critical Infrastructure Breach



The US government has indicted a Chinese hacker and sanctioned the cybersecurity firm he worked for, following a cyber espionage campaign that compromised tens of thousands of firewalls, some of which were protecting critical US infrastructure. The attack, which posed significant risks to national security, was orchestrated by Guan Tianfeng, a security researcher employed by Sichuan Silence, a Chinese cybersecurity company with known ties to Beijing’s intelligence agencies.

The breach, which occurred between April 22 and April 25, 2020, exploited a zero-day vulnerability in firewall products manufactured by UK-based cybersecurity firm Sophos. Guan and his co-conspirators infected around 81,000 vulnerable devices, including 36 firewalls safeguarding US critical infrastructure, according to Cybernews. The malware that was installed during the attack aimed to steal sensitive user information. However, the hackers escalated their efforts, using the Ragnarok ransomware variant to disable antivirus software, encrypt victim systems, and demand ransom for recovery.

Sophos detected the breach and rapidly patched the vulnerabilities, minimizing damage. The attackers, however, adapted by modifying their malware into ransomware, which Sophos also countered. The vulnerability was later connected to a broader investigation into Chinese state-sponsored hacking group Pacific Rim.

One of the most worrisome aspects of the breach was its potential impact on industries like energy. US officials highlighted that had the ransomware attack been successful, it could have caused catastrophic failures in critical operations, including oil rigs, risking a significant loss of life.

On Tuesday, December 10th, the US Treasury Department’s Office of Foreign Assets Control (OFAC) imposed sanctions on both Sichuan Silence and Guan for their involvement in cyber-enabled activities that threaten US national security. The sanctions follow investigations that revealed Sichuan Silence had provided cyber exploitation tools and services, including network surveillance and brute-force password cracking, to Chinese intelligence agencies. These actions highlight the growing threat posed by China-based malicious actors to US infrastructure.

The Department of Justice (DoJ) indicted Guan on charges of conspiracy to commit computer and wire fraud, accusing him of developing and testing the zero-day vulnerability. To further incentivize the pursuit of Guan and other involved parties, the US State Department announced a reward of up to $10 million for information leading to Guan’s capture or the identification of additional conspirators.

This cyberattack underscores the persistent and evolving threat posed by state-sponsored hackers from China, who continue to target critical infrastructure and pose a significant challenge to US cybersecurity efforts.