The US Treasury Department has sanctioned a Chinese cybersecurity vendor for allegedly trying to spread malware to approximately 81,000 firewall devices from Sophos. The sanctions target Sichuan Silence Information Technology and one of its employees, Guan Tianfeng, “for their roles in the April 2020 compromise of tens of thousands of firewalls worldwide,” the Treasury Department said in last Tuesday’s announcement. “More than 23,000 of the compromised firewalls were in the United States,” the agency adds. “Of these firewalls, 36 were protecting US critical infrastructure companies’ systems.” On the same day, the US Justice Department unsealed an indictment against Guan, who allegedly also infected a firewall device at a US government agency.[1]
This comes after British cybersecurity provider Sophos published a years-long investigation into Chinese hackers targeting the company’s devices back in 2020. At the time, Sophos found evidence that a device “owned by Sichuan Silence Information Technology’s Double Helix Research Institute” helped plan the attacks.
On 10 December, federal investigators took things further by claiming that Guan discovered a previously unknown vulnerability in certain Sophos firewall products. “Between April 22 and 25, 2020, Guan Tianfeng used this zero-day exploit to deploy malware to approximately 81,000 firewalls owned by thousands of businesses worldwide,” the Treasury Department says.
The vulnerability, tracked as CVE-2020-12271, can be abused to steal data, including usernames and passwords. In addition, the flaw could be chained with a follow-on attack to deliver malware, including ransomware.
Although Sophos discovered the threat and rolled out patches to protect customers, the Treasury Department noted, “One victim was a US energy company that was actively involved in drilling operations at the time of the compromise. If this compromise had not been detected, and the ransomware attack not been thwarted, it could have caused oil rigs to malfunction, potentially causing a significant loss in human life.”
The announcement claims that Guan has been posting his security vulnerability discoveries in hacking forums under the name “GbigMao.” The Justice Department also noted, “According to Sichuan Silence’s website, it developed a product line which could be used to scan and detect overseas network targets in order to obtain valuable intelligence information.”
In response, the Treasury Department’s sanctions bar US businesses and individuals from conducting transactions with Sichuan Silence and Guan. “The prohibitions include the making of any contribution or provision of funds, goods, or services by, to, or for the benefit of any designated person,” essentially cutting them off from Western banks and suppliers.
The FBI also placed Guan on its wanted list, offering up to $10 million for information that could lead to his arrest.
Sophos CISO Ross McKerchar applauded the sanctions. “Their relentless determination redefines what it means to be an Advanced Persistent Threat; disrupting this shift demands individual and collective action across the industry, including with law enforcement,” he said. Sichuan Silence could not be reached for immediate comment. The company appears to have taken down its website.
This article is shared at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5378972949933166424
[1] https://www.msn.com/en-us/money/other/us-sanctions-chinese-cybersecurity-firm-for-hacking-81k-firewall-devices/ar-AA1vCzrU/