U.S. authorities have unsealed charges against Chinese national Guan Tianfeng for orchestrating a large-scale cyber attack targeting Sophos firewall devices in 2020. Guan, an employee of Sichuan Silence Information Technology Company, faces charges of computer fraud and wire fraud conspiracy.
The attack exploited a critical zero-day vulnerability (CVE-2020-12271) affecting approximately 81,000 firewalls globally, with 23,000 in the United States alone. The breach impacted 36 U.S. critical infrastructure companies, potentially threatening public safety.
Key Developments:
– Guan developed and tested an exploit for the vulnerability, using domains mimicking Sophos to conceal the attack
– Attackers deployed the Asnarök trojan to steal sensitive data and credentials
– When the intrusion was detected, the group attempted to deploy Ragnarok ransomware
– A similar attack pattern emerged in 2022 with new vulnerabilities (CVE-2022-1040 and CVE-2022-1292)
U.S. Response:
– Treasury Department sanctioned both Sichuan Silence and Guan
– State Department offered a $10 million reward for information
– FBI launched an investigation into the breach
Sichuan Silence, based in Chengdu, has been identified as a cybersecurity contractor for Chinese intelligence agencies, providing services including network exploitation and public sentiment suppression. The company was previously linked to COVID-19 disinformation campaigns on social media platforms.
Sophos CISO Ross McKerchar emphasized the growing threat of Chinese state-sponsored cyber attacks and called for increased industry collaboration and transparency in addressing vulnerabilities.