The U.S. government on Tuesday unsealed charges against a Chinese national for allegedly breaking into thousands of Sophos firewall devices globally in 2020.
Guan Tianfeng (aka gbigmao and gxiaomao), who is said to have worked at Sichuan Silence Information Technology Company, Limited, has been charged with conspiracy to commit computer fraud and conspiracy to commit wire fraud. Guan has been accused of developing and testing a zero-day security vulnerability used to conduct the attacks against Sophos firewalls.
“Guan Tianfeng is wanted for his alleged role in conspiring to access Sophos firewalls without authorization, cause damage to them, and retrieve and exfiltrate data from both the firewalls themselves and the computers behind these firewalls,” the U.S. Federal Bureau of Investigation (FBI) said. “The exploit was used to infiltrate approximately 81,000 firewalls.”
The then-zero-day vulnerability in question is CVE-2020-12271 (CVSS score: 9.8), a severe SQL injection flaw that could be exploited by a malicious actor to achieve remote code execution on susceptible Sophos firewalls.
In a series of reports published in late October 2024 under the name Pacific Rim, Sophos revealed that it had received a “simultaneously highly helpful yet suspicious” bug bounty report about the flaw in April 2020 from researchers associated with Sichuan Silence’s Double Helix Research Institute, one day after which it was exploited in real-world attacks to steal sensitive data using the Asnarök trojan, including usernames and passwords.
It happened a second time in March 2022 when the company received yet another report from an anonymous China-based researcher detailing two separate flaws: CVE-2022-1040 (CVSS score: 9.8), a critical authentication bypass issue in Sophos firewalls that allows a remote attacker to execute arbitrary code, and CVE-2022-1292 (CVSS score: 9.8), a command injection bug in OpenSSL The in-the-wild exploitation of CVE-2022-1040 has been tied to two different activity clusters tracked as Personal Panda and TStark.
Sophos told The Hacker News that exactly who the researcher is and their attribution to a specific entity is unknown at this stage. It’s also worth pointing out that both Personal Panda and TStark (which overlaps with Evil Eye), despite exhibiting different tradecraft and indicators of compromise (IoCs), targeted the same Tibetan-related organization 18 months apart.
“Guan and his co-conspirators designed the malware to steal information from firewalls,” the U.S. Department of Justice (DoJ) said. “To better hide their activity, Guan and his co-conspirators registered and used domains designed to look like they were controlled by Sophos, such as sophosfirewallupdate[.]com.”
The threat actors then moved to modify their malware as Sophos began to enact countermeasures, deploying a Ragnarok ransomware variant in the event victims attempted to remove the artifacts from infected Windows systems. These efforts were unsuccessful, the DoJ said.
Concurrent with the indictment, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) has imposed sanctions against Sichuan Silence and Guan, stating many of the victims were U.S. critical infrastructure companies.
Sichuan Silence has been assessed to be a Chengdu-based cybersecurity government contractor that offers its services to Chinese intelligence agencies, equipping them with capabilities to conduct network exploitation, email monitoring, brute-force password cracking, and public sentiment suppression. It’s also said to provide clients with equipment designed to probe and exploit target network routers.
In December 2021, Meta said it removed 524 Facebook accounts, 20 Pages, four Groups, and 86 accounts on Instagram associated with Sichuan Silence that targeted English- and Chinese-speaking audiences with COVID-19 related disinformation.
“More than 23,000 of the compromised firewalls were in the United States. Of these firewalls, 36 were protecting U.S. critical infrastructure companies’ systems,” the Treasury said. “If any of these victims had failed to patch their systems to mitigate the exploit, or cybersecurity measures had not identified and quickly remedied the intrusion, the potential impact of the Ragnarok ransomware attack could have resulted in serious injury or the loss of human life.”
Separately, the Department of State has announced rewards of up to $10 million for information about Sichuan Silence, Guan, or other individuals who may be participating in cyber attacks against U.S. critical infrastructure entities under the direction of a foreign government.
“The scale and persistence of Chinese nation-state adversaries poses a significant threat to critical infrastructure, as well as unsuspecting, everyday businesses,” Ross McKerchar, chief information security officer at Sophos, said in a statement shared with The Hacker News.
“Their relentless determination redefines what it means to be an Advanced Persistent Threat; disrupting this shift demands individual and collective action across the industry, including with law enforcement. We can’t expect these groups to slow down, if we don’t put the time and effort into out-innovating them, and this includes early transparency about vulnerabilities and a commitment to develop stronger software.”