
US Sanctions Chinese Cybersecurity Firm for Firewall Exploit, Ransomware Attacks


HackRead

SUMMARY

  • Sanctions on Chinese Firm: The US sanctioned Sichuan Silence Information Technology and employee Guan Tianfeng for exploiting a firewall vulnerability in a major global cyberattack.

  • Global Impact: Between April 22–25, 2020, malware compromised 81,000 firewalls worldwide, including 23,000 in the US, targeting sensitive infrastructure.

  • Zero-Day Exploit: The attack leveraged a zero-day vulnerability, initially stealing credentials and later deploying ransomware like Ragnarok.

  • Critical Incident: A US energy company drilling operation narrowly avoided catastrophic damage due to the timely detection of the attack.

  • Nation-State Links: Sichuan Silence is connected to Chinese government agencies and high-profile cyber espionage campaigns, raising concerns about broader national security threats.

The United States has taken strong action against a Chinese cybersecurity company, Sichuan Silence Information Technology, for its role in a massive global cyberattack. The company, along with one of its employees, Guan Tianfeng, has been sanctioned for exploiting a critical vulnerability in a popular firewall product.

The Background:

Between April 22 and 25, 2020, Guan, a security researcher at Sichuan Silence, exploited a critical vulnerability to deploy malicious software on approximately 81,000 firewalls globally, including 23,000 in the United States (36 of which were deployed to protect critical infrastructure).

This breach impacted thousands of businesses, including several critical infrastructure companies in the United States. The initial intent of the malware was to steal sensitive information, such as usernames and passwords. However, after the attack was discovered, the malware was modified to deploy ransomware, encrypting victims’ data and demanding a ransom for its decryption.

One particularly alarming incident mentioned by the US Treasury Department involved a US energy company engaged in active drilling operations. Had this attack not been detected and thwarted, it could have led to severe consequences, potentially including loss of life.

The attack reportedly leveraged a zero-day vulnerability: a previously unknown flaw that allowed the hackers to gain unauthorized access to the targeted systems. They then installed malware, including the destructive Ragnarok ransomware, on the compromised devices.

In response to this cyber threat, the US government has implemented a multi-faceted approach. The Treasury Department has imposed sanctions on Sichuan Silence and Guan, while the Justice Department has unsealed an indictment charging Guan with international hacking conspiracy.

Guan Tianfeng is wanted by the #FBI on charges of conspiracy to commit computer fraud and conspiracy to commit wire fraud. The Rewards For Justice Program, US Department of State, offers a reward of up to $10 million for information: https://t.co/3XNEF6Gbxy

— FBI Most Wanted (@FBIMostWanted) December 10, 2024

The indictment reveals that Sichuan Silence is a Chinese government contractor, providing services to the Ministry of Public Security and other state-run entities.

Sichuan Silence has a history of involvement in cyber espionage and disinformation campaigns. The company has been linked to several high-profile attacks, including those carried out by notorious hacking groups like APT41, APT31, and Volt Typhoon.

For context, last month cybersecurity firm Sophos disclosed that a vulnerability in its XG Firewall product, CVE-2020-12271, had been used by Chinese hackers to install the Asnarök malware. The company collaborated with European law enforcement to confiscate the server that deployed the malware.

In addition, Sophos claimed to have observed years-long surveillance, sabotage, and cyberespionage campaigns targeting critical infrastructure and government targets in South and Southeast Asia, including airports, military hospitals, nuclear energy suppliers, state security apparatus, and federal ministries.

Roger Grimes, Data-Driven Defense Evangelist at KnowBe4, shared the following comment with Hackread.com:

This is a pretty serious, widely successful attack. Generally, if you hear about a Chinese company intentionally compromising US critical infrastructure, you immediately think it must have been nation-state motivated, and maybe that was also true of this case. Or, like many supposed Chinese cybersecurity companies which are really offensive hacking entities, it was a bit of both, or a target of opportunity, where Guan possibly shared his newly gained access to US critical infrastructure companies with the PRC.

Roger noted that installing ransomware is not typically a PRC objective: "They don’t need to steal money and installing ransomware is increasing the odds of early detection. Hence, this does seem more an issue related to one individual, Guan, or his employer, versus a directed nation-state operation. I can’t see PRC handlers excited that Guan was installing unneeded malware that would only increase the odds of detection."

Related news

Chinese Hacker Pwns 81K Sophos Devices With Zero-Day Bug

The US State Department has offered a $10 million reward for Guan Tianfeng, who has been accused of developing and testing a critical SQL injection flaw with a CVSS score of 9.8 used in Sophos attacks.

FBI Seeks Public Help to Identify Chinese Hackers Behind Global Cyber Intrusions

The U.S. Federal Bureau of Investigation (FBI) has sought assistance from the public in connection with an investigation involving the breach of edge devices and computer networks belonging to companies and government entities. "An Advanced Persistent Threat group allegedly created and deployed malware (CVE-2020-12271) as part of a widespread series of indiscriminate computer intrusions designed

CVE-2020-12271: “Asnarök” Trojan targets firewalls

A SQL injection issue was found in SFOS 17.0, 17.1, 17.5, and 18.0 before 2020-04-25 on Sophos XG Firewall devices, as exploited in the wild in April 2020. This affected devices configured with either the administration (HTTPS) service or the User Portal exposed on the WAN zone. A successful attack may have caused remote code execution that exfiltrated usernames and hashed passwords for the local device admin(s), portal admins, and user accounts used for remote access (but not external Active Directory or LDAP passwords).