The US government has imposed sanctions on Chinese cybersecurity firm Sichuan Silence Information Technology and one of its employees, Guan Tianfeng, for their alleged involvement in a 2020 global cyberattack that exploited zero-day vulnerabilities in firewalls. The actions were announced by the US Department of the Treasury and the Department of Justice (DOJ), which also unsealed an indictment against Guan. The cyberattacks reportedly targeted tens of thousands of devices worldwide, compromising over 80,000 systems, including those safeguarding critical infrastructure in the United States.

“Today’s action underscores our commitment to exposing these malicious cyber activities, many of which pose significant risks to our communities and our citizens, and to holding the actors behind them accountable for their schemes,” Acting Under Secretary of the Treasury for Terrorism and Financial Intelligence Bradley T. Smith said in a statement.

The DOJ stated that the attackers exploited a zero-day vulnerability in Sophos firewall products to deploy malware capable of stealing credentials and installing ransomware. “The malware that exploited the vulnerability discovered by Guan was designed to steal information from infected computers and to encrypt files on them if a victim attempted to remediate the infection,” the DOJ said in a statement.

According to the indictment, in 2020, Guan and his co-conspirators allegedly developed, tested, and deployed malware that exploited a zero-day vulnerability in approximately 81,000 Sophos firewalls worldwide, including those within organizations in the Northern District of Indiana. This vulnerability, later identified as CVE-2020-12271, was used to compromise the targeted systems. The malware was specifically designed to extract sensitive information from the firewalls.
To obscure their operations, Guan and his co-conspirators reportedly registered and used domains that mimicked Sophos’ official sites, such as sophosfirewallupdate[dot]com. Sophos discovered the breach and acted swiftly, mitigating the vulnerability and securing customers’ firewalls within two days. In response, the attackers allegedly modified their malware to include a failsafe: ransomware encryption software designed to activate if victims attempted to remove the malicious code.

The attacks reportedly impacted over 23,000 devices in the United States and more than 50,000 globally. Victims included organizations across the energy, healthcare, and financial sectors. Sophos said in one of its reports that advanced persistent threat groups based in China had been targeting its networking appliances for over five years, noting that these groups displayed an “unusually deep understanding of the internal architecture of the device firmware.” The malware, identified as a precursor to the Ragnarok ransomware, sought to encrypt files and demand payment for their release.
A closer look at Sichuan Silence
Based in Chengdu, China, Sichuan Silence is a cybersecurity contractor serving key People’s Republic of China (PRC) intelligence services. The company offers services such as email monitoring, network exploitation, and password-cracking tools, according to court documents. “Sichuan Silence’s pre-positioning device played a pivotal role in enabling Guan’s malware deployment,” the DOJ indictment revealed. The company’s ties to the PRC government further highlighted concerns over the state-sponsored nature of cyber threats targeting US interests.

Guan’s activities were not limited to corporate espionage. Under the alias “GbigMao,” he actively participated in cybersecurity tournaments and shared zero-day exploits on vulnerability forums, the DOJ said.
Sanctions and criminal charges
The Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions against Sichuan Silence and Guan under Executive Order 13694, which targets malicious cyber actors. “These sanctions are part of a broader effort to hold perpetrators of cyber-enabled attacks accountable,” the department said in the statement. As a result, all of Guan’s US-based assets, and those of the company, have been frozen, and US entities are prohibited from conducting transactions with them.

Meanwhile, the DOJ unsealed charges against Guan for conspiracy to commit computer fraud, wire fraud, and identity theft. Additionally, the US Department of State has announced a reward of $10 million for any information on Sichuan Silence or Guan. “This indictment underscores the growing threat posed by cyberattacks and our commitment to pursuing those who target US infrastructure,” Assistant Attorney General Matthew G. Olsen of the National Security Division said in the statement.
Global implications
The case has sparked global concern over the potential misuse of cybersecurity research and tools. Although Sichuan Silence is privately owned, the US alleges links between its activities and Chinese intelligence agencies. The exploitation of zero-day vulnerabilities underscores the increasing sophistication of cyberattacks; this is another example of how zero-day vulnerabilities are weaponized to compromise sensitive systems.

The DOJ credited private sector partners for their assistance in identifying and mitigating the malware. Sophos, the company whose firewalls were exploited, issued patches in April 2020 and has since worked to bolster its security measures.
Broader cybersecurity concerns
The US government emphasized the importance of international cooperation in addressing cybersecurity threats. “Cyberattacks of this nature not only harm US businesses and infrastructure, but also undermine the safety and security of systems worldwide,” added the Treasury Department in its statement. The incident highlights the need for governments, companies, and cybersecurity professionals to collaborate in identifying and mitigating risks. With the growing threat of state-linked cyber activities, experts urge heightened vigilance to protect critical infrastructure and sensitive data.

This development is seen as part of the US’s broader effort to combat cyber-enabled attacks targeting global infrastructure and sensitive systems. The sanctions and charges signal a stern warning to entities exploiting digital vulnerabilities for malicious purposes.
First seen on csoonline.com
Jump to article: www.csoonline.com/article/3621864/us-sanctions-chinese-cybersecurity-firm-over-global-malware-campaign.html