US sanctions Chinese cyber firm for compromising ‘thousands’ of firewalls in 2020

U.S. officials unveiled sanctions on Tuesday against a Chinese cybersecurity company that played a role in compromising thousands of firewalls around the world. 

Sichuan Silence Information Technology Company and one of its employees, Guan Tianfeng, were the targets of the sanctions, and the Justice Department indicted Guan for his role in the attacks. The State Department also issued a $10 million reward for additional information on the company or Guan.

U.S. officials said Guan discovered a zero-day vulnerability in an unnamed popular firewall product and used the bug to install malware on about 81,000 firewalls owned by thousands of businesses worldwide — including several U.S. critical infrastructure companies — in April 2020. 

“The defendant and his conspirators compromised tens of thousands of firewalls and then continued to hold at risk these devices, which protect computers in the United States and around the world,” said Assistant Attorney General for National Security Matthew Olsen.

Guan sought to steal data from compromised systems, including usernames and passwords, but also tried to infect systems with the Ragnarok ransomware. 

The campaign targeted more than 23,000 firewalls in the U.S. and 36 that were specifically deployed to protect the systems of U.S. critical infrastructure. U.S. officials claimed the impact of a ransomware attack on these devices “could have resulted in serious injury or the loss of human life.”

“One victim was a U.S. energy company that was actively involved in drilling operations at the time of the compromise. If this compromise had not been detected, and the ransomware attack not been thwarted, it could have caused oil rigs to malfunction potentially causing a significant loss in human life,” the Treasury Department said. 

Treasury and Justice Department officials did not respond to requests for comment about what brand of firewalls were affected, but the indictment names cybersecurity company Sophos — which reported on a series of intrusions on its Sophos' XG firewall product in April 2020 that involved the use of the Ragnarok ransomware. 

The incidents caused alarm at the time because of how popular the product is among thousands of businesses worldwide. 

In October, the company released a lengthy package of retrospective reports about those attacks, and the FBI asked the public for help in tracking down the people behind the breaches. 

Sophos said it spent five years in a tit-for-tat battle with researchers from Sichuan Silence as they sought to exploit vulnerabilities in Sophos products. The company saw Sichuan Silence hand off several vulnerabilities to the Chinese government, which subsequently used the bugs in espionage operations launched by prolific hacking groups like APT41, APT31 and Volt Typhoon.  

“The zero-day vulnerability Guan Tianfeng and his co-conspirators found and exploited affected firewalls owned by businesses across the United States, including in Indiana,” said FBI Special Agent in Charge Herbert Stapleton. 

“If Sophos had not rapidly identified the vulnerability and deployed a comprehensive response, the damage could have been far more severe. Sophos’s efforts combined with the dedication and expertise of our cyber squad formed a powerful partnership resulting in the mitigation of this threat.”

Beijing connections

Guan is a well-known security researcher who goes by the name GbigMao, often competing on behalf of Sichuan Silence at cybersecurity tournaments. He frequented vulnerability and exploit forums, typically sharing zero-day bugs he discovered. 

U.S. officials accused Chengdu-based Sichuan Silence of being a contractor for Chinese intelligence services like the Ministry of Public Security, providing Beijing’s government with “computer network exploitation, email monitoring, brute-force password cracking, and public sentiment suppression products and services.”

Sichuan Silence allegedly provides customers with equipment that helps them hack into network routers — a key tactic used in more recent Chinese campaigns like Volt Typhoon and Salt Typhoon. 

Sichuan Silence is well known to security researchers because the company has been tied to several disinformation campaigns identified by Facebook-owner Meta. The company was also named within a trove of leaks that emerged earlier this year covering another shadowy security firm named I-Soon. 

The Natto cybersecurity blog explained that Sichuan Silence spun itself off from a larger state-owned company in 2013 and has since grown to have nearly 300 employees. Sichuan Silence is part of a coterie of Chinese security firms providing hacking services to both local officials and national government organizations. 

“The Department of Justice will hold accountable those who contribute to the dangerous ecosystem of China-based enabling companies that carry out indiscriminate hacks on behalf of their sponsors and undermine global cybersecurity,” Olsen said. 

Sophos incident

Sophos said last month that one vulnerability the Sichuan Silence researchers discovered — CVE-2020-12271 — affects the company’s XG Firewall product and was used in April 2020 by Chinese hackers to install the Asnarök malware. Sophos worked with European law enforcement in 2020 to track down and confiscate the server used to deploy the malware.

In the lengthy reports, Sophos researchers outlined a series of years-long surveillance, sabotage and cyberespionage campaigns targeting both small and large “critical infrastructure and government targets, primarily located in South and South-East Asia, including nuclear energy suppliers, a national capital’s airport, a military hospital, state security apparatus, and central government ministries.” 

Ross McKerchar, CISO at Sophos, told Recorded Future News that the “scale and persistence of Chinese nation-state adversaries poses a significant threat to critical infrastructure, as well as unsuspecting, everyday businesses.”

McKerchar thanked the U.S. government for taking action against the company and said disrupting Chinese operations “demands individual and collective action across the industry, including with law enforcement.” 

“We can’t expect these groups to slow down, if we don’t put the time and effort into out-innovating them, and this includes early transparency about vulnerabilities and a commitment to develop stronger software,” he said.  

The sanctions on Guan and Sichuan Silence are part of a larger U.S. government effort to address widespread concerns about China’s infiltration of popular edge devices like routers, firewalls and VPN services.