US sanctions Sichuan Silence and employee Guan Tianfeng for a major firewall exploit that reached almost 81,000 devices worldwide.
On December 10, 2024, the US State Department issued sanctions on Sichuan Silence Information Technology Company, Limited (“Sichuan Silence”) and Guan Tianfeng, an employee of the company. Guan is also being indicted for developing the exploit that turned a zero-day vulnerability in a popular firewall from Sophos (a British software and hardware company) into an international malware campaign.
On April 22, 2020, Sophos disclosed that its firewall was being attacked on both physical and virtual units, allowing an outsider to gain access to devices running the software and extract sensitive data, namely “all local usernames and hashed passwords of any local user accounts”, including “local device admins, user portal accounts, and accounts used for remote access.” This information allowed the Sichuan Silence hackers to move into the victims’ networks and find other confidential information.
Taking confidential information was only part of the Sichuan Silence intrusion. The hackers also deployed Ragnarok ransomware to victim devices; it encrypted files when a victim rebooted the firewall to fix the problems they were having. When Sophos patched the firewalls on April 24, 2024, Sichuan Silence tried to move the ransomware deployment earlier in the process so that the victims’ computers would be damaged before the reboot could happen. Fortunately, the Sophos patch prevented this second ransomware ploy from working.
Guan Tianfeng, possibly working with others, carried out this operation using SQL injection, a common attack technique that manipulates the database queries an application issues, and by registering domains that appeared to be related to Sophos (sophosfirewallupdate.com and 9sg.me) and that resolved to an IP address in China. Though Sophos first learned about the attack in April, Guan likely started testing the exploit in February 2020, before stopping its development in May 2020.
This hack was a massive security concern all over the world, as the exploit reached about 81,000 devices according to the indictment. In the US, 23,000 firewalls were targeted, including 36 protecting critical infrastructure. The FBI first asked for any information on the hackers behind the incident on November 1st, 2024. A press release from the Treasury Department’s Office of Foreign Assets Control (OFAC) underscored the potential danger of the situation: “One victim was a U.S. energy company that was actively involved in drilling operations at the time of the compromise. If this compromise had not been detected, and the ransomware attack not been thwarted, it could have caused oil rigs to malfunction potentially causing a significant loss in human life.”
Guan is now featured on the FBI’s most wanted list for conspiracy to commit computer fraud and conspiracy to commit wire fraud. The Rewards for Justice Program is offering up to $10 million for information on Guan or other Sichuan Silence associates. Guan is a recognized security researcher who has even competed in cybersecurity tournaments on behalf of the company, so it may not be too long before some information emerges. Even before the sanctions, Sichuan Silence had been scrutinized for spreading disinformation and working with shady companies.
With the recent Salt Typhoon hack, China-based cybercrimes are now being examined even more closely for government backing. Sichuan Silence purportedly gives clients the tools to hack into network routers (as seen in the Volt Typhoon campaign), and is part of a club of Chinese security companies that offers hacking services to local and national government organizations. The OFAC press release lists the company’s services as “computer network exploitation, email monitoring, brute-force password cracking, and public sentiment suppression products and services” and describes the company as a “Chengdu-based cybersecurity government contractor whose core clients are PRC intelligence services.”
Chinese officials insist the group acted independently of the government. In response to the sanctions, Mao Ning, the Chinese Ministry of Foreign Affairs spokesperson, said they “urge the US to stop using cybersecurity issues to smear and vilify China, and stop imposing illicit unilateral sanctions.” Lin Jian, a Foreign Ministry spokesperson, said earlier that their government has “no interest in interfering in other countries’ internal affairs through cyberspace and oppose[s] spreading China-related disinformation out of political agenda.”
In any case, it doesn’t seem like the US will lower its guard anytime soon. Bradley T. Smith, Acting Under Secretary of the Treasury for Terrorism and Financial Intelligence, said the Treasury, “as part of the U.S. government’s coordinated approach to addressing cyber threats, will continue to leverage our tools to disrupt attempts by malicious cyber actors to undermine our critical infrastructure.”