
US Indicts Chinese Hacker for Exploiting Zero-Day Flaw in Thousands of Sophos Firewalls

Reuters / Dado Ruvic / Illustration
Published December 11, 2024

Sanctions Imposed on Chinese Cybersecurity Firm Linked to Ransomware Threats Against Critical Infrastructure.

The United States government has unsealed an indictment against Guan Tianfeng, a Chinese national accused of exploiting a zero-day vulnerability to breach over 80,000 Sophos firewall devices worldwide. The US Department of Justice (DoJ) charged Guan, also known by the aliases “gbigmao” and “gxiaomao,” with conspiracy to commit computer fraud and wire fraud.

According to US authorities, Guan was an employee of Sichuan Silence Information Technology Company, Limited, a Chengdu-based cybersecurity firm that has been linked to China’s intelligence services. Guan is accused of developing and testing an exploit for the zero-day vulnerability, CVE-2020-12271, a critical pre-authentication SQL injection flaw that allowed attackers to achieve remote code execution on Sophos firewalls. The FBI claims this exploit was used to steal sensitive data from and infiltrate thousands of devices globally.

The attacks reportedly began in April 2020, soon after the zero-day flaw was disclosed to Sophos by researchers from the Double Helix Research Institute, an entity linked to Sichuan Silence. Just one day after this disclosure, real-world exploitation of the vulnerability was observed. Hackers used the Asnarök trojan to exfiltrate usernames, passwords, and other sensitive information from compromised firewalls.

Sophos later identified another attack in March 2022 involving two additional vulnerabilities, CVE-2022-1040 (an authentication bypass in the firewall’s User Portal and Webadmin interfaces) and CVE-2022-1292 (a command injection in OpenSSL’s c_rehash script), which were exploited to execute arbitrary code. This attack, dubbed “Personal Panda,” once again demonstrated how threat actors were able to breach security measures in Sophos firewalls.

According to the DoJ, Guan and his co-conspirators registered fraudulent domain names resembling legitimate Sophos URLs, such as sophosfirewallupdate[.]com (written here in defanged form), to mislead targets and mask their activities. When attempts were made to remove the malware from infected systems, the attackers escalated their operations by deploying a modified version of the Ragnarok ransomware, which encrypts files and locks users out of their systems.
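A check a SOC analyst might run against firewall or resolver DNS logs for the lookalike-domain activity described above. This is an added example, not code from the article, from Sophos, or from the DoJ: the log line format (timestamp, client IP, queried name), the sample log lines, and the allowlist of legitimate vendor domains (assumed here to be sophos.com and its subdomains) are all assumptions made for the example. The only indicator taken from the article is the defanged domain sophosfirewallupdate[.]com, which the code refangs before matching.

```python
import re
from typing import List, Optional, Set, Tuple

# Constructed sample DNS query log (not real traffic); the three-column format
# "timestamp client_ip queried_name" is an assumption for this example.
SAMPLE_DNS_LOG = """\
2020-04-25T03:12:07Z 10.0.5.17 sophosfirewallupdate.com
2020-04-25T03:12:09Z 10.0.5.17 update.sophos.com
2020-04-25T03:13:41Z 10.0.9.3 sophos.com
2020-04-25T03:14:02Z 10.0.9.3 mail.example.org
2020-04-25T03:15:55Z 10.0.5.17 sophos-firewall-patch.net
"""

# Indicator as published (defanged); only this entry comes from the article.
PUBLISHED_IOCS = ["sophosfirewallupdate[.]com"]

# Assumption: the vendor's legitimate apex domain. Any other name that embeds
# the brand string is treated as a lookalike worth a closer look.
LEGIT_APEX: Set[str] = {"sophos.com"}
BRAND = "sophos"


def refang(ioc: str) -> str:
    """Turn a defanged indicator ('a[.]b', 'hxxp://') back into a matchable name."""
    d = ioc.strip().lower().replace("[.]", ".").replace("(.)", ".")
    d = re.sub(r"^hxxps?://", "", d)
    return d.rstrip(".")


def is_legit(domain: str) -> bool:
    """True if the name is the allowlisted apex or a subdomain of it."""
    return any(domain == apex or domain.endswith("." + apex) for apex in LEGIT_APEX)


def classify(domain: str, iocs: Set[str]) -> Optional[str]:
    """Return 'ioc-match', 'brand-lookalike', or None for a queried name."""
    d = domain.lower().rstrip(".")
    if d in iocs:
        return "ioc-match"
    if is_legit(d):
        return None
    # Split on dots and hyphens so "sophos-firewall-patch.net" and
    # "sophosfirewallupdate.com" are both caught by the brand substring.
    labels = re.split(r"[.\-]", d)
    if any(BRAND in label for label in labels):
        return "brand-lookalike"
    return None


def scan_dns_log(text: str, iocs: List[str] = PUBLISHED_IOCS) -> List[Tuple[str, str, str, str]]:
    """Scan log lines; return (timestamp, client, domain, verdict) for each hit."""
    ioc_set = {refang(i) for i in iocs}
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash on them
        ts, client, qname = parts
        verdict = classify(qname, ioc_set)
        if verdict:
            hits.append((ts, client, qname.lower().rstrip("."), verdict))
    return hits


if __name__ == "__main__":
    for ts, client, domain, verdict in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{ts} {client} {domain} -> {verdict}")
```

On the constructed log this flags sophosfirewallupdate.com as a direct indicator match and sophos-firewall-patch.net as a brand lookalike, while update.sophos.com and sophos.com pass as legitimate. Refanging the indicator before comparison matters: advisories publish domains as `example[.]com`, and a detector that compares the defanged string verbatim will never fire.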

The breach had serious implications for US national security. According to the US Treasury Department, more than 23,000 of the 81,000 compromised firewalls were located in the United States, with at least 36 of them protecting critical infrastructure entities, including energy companies.

The US Treasury noted that one of the targeted entities was “actively involved in drilling” at the time of the attack. The department warned that, had the attack not been mitigated, it could have caused malfunctions in oil rigs, potentially leading to life-threatening scenarios.

“Guan’s deployment of malware to US critical infrastructure companies in April 2020 put American lives at risk,” the Treasury Department stated.

In addition to the indictment, the US Treasury’s Office of Foreign Assets Control (OFAC) imposed sanctions on both Sichuan Silence and Guan. The designation blocks any property they hold in the United States and bars US persons from transacting with them, limiting their access to the global financial system. The US Department of State has also announced a reward of up to $10 million for information leading to the identification or location of individuals affiliated with Sichuan Silence or Guan.

According to the US government, Sichuan Silence is believed to be a cybersecurity contractor for China’s intelligence agencies. It allegedly provides these agencies with advanced capabilities for network exploitation, password cracking, and public sentiment monitoring.

This is not the first time Sichuan Silence has been linked to controversial activities. In December 2021, Meta Platforms (formerly Facebook) removed hundreds of accounts, pages, and groups from Facebook and Instagram tied to the company. These accounts were allegedly part of a disinformation campaign that promoted false narratives about the origins of COVID-19.

The indictment and sanctions highlight ongoing concerns about China’s role in global cyberattacks. Ross McKerchar, chief information security officer at Sophos, emphasized that Chinese cyber actors pose a “significant threat” to critical infrastructure and businesses worldwide.

“Their relentless determination redefines what it means to be an Advanced Persistent Threat (APT),” said McKerchar. “Disrupting this shift demands individual and collective action across the industry, including with law enforcement. We can’t expect these groups to slow down if we don’t put the time and effort into out-innovating them.”

The US government has taken a “whole-of-government” approach to address threats posed by Chinese cyber actors, utilizing diplomatic, financial, and legal tools to deter future attacks. The indictment, sanctions, and financial incentives are part of a broader effort to safeguard US critical infrastructure and defend against Advanced Persistent Threats (APTs) linked to foreign governments.

With zero-day vulnerabilities posing a persistent risk to companies and public infrastructure alike, experts have called for greater transparency, faster patching, and stronger industry collaboration to counter emerging threats.

The charges against Guan Tianfeng signal a broader strategy to expose and hold accountable individuals and entities that target US assets in cyberspace. Whether this action will deter future cyberattacks remains to be seen.

Reuters, the Hacker News, and the US Department of State contributed to this report.

Written By
Joe Yans