Chinese hacker part of espionage plot exploited 81,000 Sophos firewalls, DOJ says


A Chinese hacker indicted on Tuesday and the PRC-based cybersecurity company he worked for are both sanctioned by the US government for compromising “tens of thousands of firewalls” – some protecting US critical infrastructure, putting human lives at risk.

In a series of coordinated actions, the US Treasury Department’s Office of Foreign Assets Control (OFAC), the Department of Justice (DoJ), and the FBI said the massive cyber espionage campaign, which compromised at least 36 firewalls protecting US critical infrastructure, posed significant risks to national security.

Federal indictment and broader implications


A federal court in Indiana on Tuesday unsealed an indictment charging 30-year-old Guan Tianfeng (Guan) with conspiracy to commit computer and wire fraud by hacking into firewall devices worldwide, including one “used by an agency of the United States.”

Guan, employed by the Chinese cybersecurity firm Sichuan Silence – a known contractor for Beijing intelligence – was alleged to have discovered a zero-day vulnerability in firewall products manufactured by UK cybersecurity firm Sophos.

FBI most wanted poster of Chinese hacker Guan Tianfeng (Guan)

DoJ officials said between April 22nd and April 25th, 2020, Guan and his co-conspirators infected approximately 81,000 vulnerable devices, including 36 firewalls protecting US critical infrastructure.

The malware deployed by the attackers was designed to steal sensitive user information, but once compromised, Guan escalated the attacks.

Using the Ragnarok ransomware variant, the hackers would further disable their victims’ anti-virus software, encrypt their systems, and demand payment if victims attempted to remediate the breach.

To better hide their activity, the attackers at first “registered and used domains designed to look like they were controlled by Sophos, such as sophosfirewallupdate.com.”

The DoJ said Sophos discovered the intrusion and remediated its customers’ firewalls in approximately two days. This caused the co-conspirators to modify the malware into ransomware, which Sophos also ultimately thwarted.


The zero-day vulnerability was later designated CVE-2020-12271 and tied to Pacific Rim, Sophos' separate five-year-long investigation into Chinese state-sponsored hackers.

One particularly alarming aspect of the 2020 attack was its potential impact on critical operations, including an energy company actively involved in drilling operations.

US officials warned that had the ransomware succeeded, it could have resulted in catastrophic outcomes, such as “causing oil rigs to malfunction potentially causing a significant loss in human life.”

“Today’s indictment underscores our commitment to protecting the public from malicious actors who use security research as a cover to identify vulnerabilities in widely used systems and exploit them,” said US Attorney Clifford D. Johnson for the Northern District of Indiana.

Even though Sophos' rapid response mitigated potential damage, the company said the attack continues to highlight that "the scale and persistence of Chinese nation-state adversaries pose a significant threat to critical infrastructure, as well as unsuspecting, everyday businesses."

Treasury sanctions and $10M reward revealed

In coordination with the DoJ on Tuesday, the Treasury Department imposed sanctions on Sichuan Silence and Guan for their "direct involvement in cyber-enabled activities that pose a significant threat to US national security."

According to authorities, the Chengdu-based firm has long served as a third-party contractor for the People’s Republic of China (PRC) intelligence wing, supplying tools and expertise for cyber exploitation.


The Treasury’s investigation revealed those tools and services included network exploitation, email monitoring, brute-force password cracking, and public surveillance products for PRC intelligence agencies.

The PRC was even said to have provided the cybersecurity company with equipment designed to probe and exploit network routers.

Meanwhile, Guan, a security researcher at the firm, was known to regularly compete in cybersecurity tournaments and often shared newly discovered vulnerabilities, such as zero-days, in online forum chats under his moniker "GbigMao."

It is believed that Guan’s role in the conspiracy was to develop and test the zero-day vulnerability used to conduct the attack, the FBI said.

The US State Department also announced a reward of up to $10 million for information leading to Guan's arrest or the identification of other individuals involved.


Guan is wanted for accessing Sophos firewalls without authorization, causing damage to them, and retrieving and exfiltrating data from both the firewalls themselves and the computers behind them, the FBI wanted bulletin states.

Born on January 7th, 1994, Guan is thought to be currently residing in Sichuan Province, China. He also has ties to or may visit Bangkok, Thailand.


Malicious threat actors in China represent “one of the greatest and most persistent threats to US national security," US authorities said.