On Tuesday, the US government unsealed charges against a Chinese national for allegedly hacking thousands of Sophos firewalls around the world in 2020.
Guan Tianfeng (aka gbigmao and gxiaomao), who is said to have worked for Sichuan Silence Information Technology Company, Limited, was charged with conspiracy to commit computer fraud and conspiracy to commit wire fraud. Guan is accused of developing and testing a zero-day vulnerability that was used to launch attacks against Sophos firewalls.
“Guan Tianfeng is wanted for his alleged role in a conspiracy to gain unauthorized access to Sophos firewalls, to damage them, and to obtain and steal data from both the firewalls themselves and the computers behind those firewalls,” the US Federal Bureau of Investigation (FBI) said. “The exploit was used to penetrate approximately 81,000 firewalls.”
The zero-day vulnerability in question is CVE-2020-12271 (CVSS score: 9.8), a serious SQL injection flaw that could be exploited by an attacker to achieve remote code execution on vulnerable Sophos firewalls.
In a series of reports published in late October 2024 under the title Pacific Rim, Sophos revealed that it received a “very useful but suspicious” bug report on the flaw in April 2020 from researchers affiliated with the Sichuan Silence Double Helix Research Institute, a day after the flaw was used in actual attacks that deployed the Asnarök Trojan to steal sensitive data, including usernames and passwords.
The second time this happened was in March 2022, when the company received another report from an anonymous Chinese researcher that described two separate flaws: CVE-2022-1040 (CVSS score: 9.8), a critical authentication bypass flaw in Sophos firewalls that allows a remote attacker to execute arbitrary code, and CVE-2022-1292 (CVSS score: 9.8), a command injection flaw in OpenSSL. The in-the-wild exploitation of CVE-2022-1040 has been nicknamed Personal Panda.
“Guan and his associates developed malicious software to steal information from firewalls,” the US Department of Justice said. “To better conceal their activities, Guan and his associates registered and used domains created to appear to be controlled by Sophos, such as sophosfirewallupdate(.)com.”
The threat actors subsequently pivoted to modifying their malware as Sophos began to deploy countermeasures, adding a variant of the Ragnarok ransomware that would be triggered if victims attempted to remove the artifacts from infected Windows systems. Those attempts were unsuccessful, the Justice Department said.
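Lookalike domains such as the one named above are easy to spot in DNS or proxy logs once you know what to look for: a query that embeds the brand name but resolves under a registrable zone the brand does not own. The following is an added illustration written for this article, not code from Sophos, the Department of Justice or The Hacker News. It assumes a simple "timestamp client query" log format, a hypothetical allow-list of legitimate zones (only sophos.com here), and a two-label notion of "registrable zone" with no public-suffix handling; the log lines are constructed sample data, with the page's defanged domain refanged for matching.

```python
"""Flag DNS queries for brand-impersonation domains (e.g. sophosfirewallupdate.com).

Added illustration, not code from Sophos, the DoJ or The Hacker News. The log
format, the allow-list of legitimate zones and the zone heuristic are assumptions.
"""
import re
from typing import Iterable

# Assumption: the brand's legitimate zones. Any other domain that embeds the
# brand token is treated as a potential impersonation domain.
LEGIT_ZONES = {"sophos.com"}
BRAND_TOKENS = ("sophos",)

# Constructed sample log lines in an assumed "timestamp client query" format.
SAMPLE_DNS_LOG = """\
2020-04-22T10:01:02Z 10.0.0.5 updates.sophos.com
2020-04-22T10:01:07Z 10.0.0.5 sophosfirewallupdate.com
2020-04-22T10:02:11Z 10.0.0.9 example.org
2020-04-22T10:03:45Z 10.0.0.9 cdn.sophosfirewallupdate.com
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s*$")


def refang(domain: str) -> str:
    """Turn defanged indicators like 'sophosfirewallupdate(.)com' back into hostnames."""
    return domain.replace("(.)", ".").replace("[.]", ".").strip().lower().rstrip(".")


def registrable_zone(hostname: str) -> str:
    """Assumption: the registrable zone is the last two labels (no public-suffix list)."""
    labels = hostname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname


def is_impersonation(hostname: str) -> bool:
    """True when the host embeds a brand token but sits outside the brand's own zones."""
    host = refang(hostname)
    if registrable_zone(host) in LEGIT_ZONES:
        return False
    return any(tok in host for tok in BRAND_TOKENS)


def flag_dns_log(lines: Iterable[str]) -> list[dict]:
    """Return one record per log line whose queried name looks like brand impersonation."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip blank or malformed lines
        ts, client, query = m.groups()
        if is_impersonation(query):
            host = refang(query)
            hits.append({"time": ts, "client": client,
                         "query": host, "zone": registrable_zone(host)})
    return hits


if __name__ == "__main__":
    for hit in flag_dns_log(SAMPLE_DNS_LOG.splitlines()):
        print(hit)
```

The allow-list, rather than a blocklist of known bad names, is the design choice worth keeping: it catches new lookalike registrations the day they first appear in your logs, and a hit on a client that also talks to a firewall management interface is a reasonable trigger for checking that device against the vendor's published indicators.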
Concurrent with the indictment, the US Treasury Department’s Office of Foreign Assets Control (OFAC) imposed sanctions on Sichuan Silence and Guan, saying many of the victims were US critical infrastructure companies.
Sichuan Silence has been described as a Chengdu-based government cybersecurity contractor that offers its services to China’s intelligence agencies, providing them with capabilities for network exploitation, email monitoring, brute-force password cracking, and public sentiment suppression. It is also said to provide customers with equipment designed to test and exploit target network routers.
In December 2021 Meta said it removed 524 Facebook accounts, 20 pages, four groups, and 86 Instagram accounts associated with Sichuan Silence that targeted English- and Chinese-speaking audiences with misinformation related to COVID-19.
“More than 23,000 compromised firewalls were located in the United States. Of these firewalls, 36 protected the systems of critical US infrastructure companies,” the Treasury Department said in a statement. “If any of these victims had failed to patch their systems to mitigate the exploit, or cybersecurity measures had failed to detect and quickly remediate the intrusion, the potential impact of a Ragnarok ransomware attack could have resulted in serious injury or death.”
Separately, the State Department has announced rewards of up to $10 million for information about Sichuan Silence, Guan, or others who may be involved in foreign government-sponsored cyberattacks on U.S. critical infrastructure.
“The scale and persistence of Chinese nation-state adversaries pose a significant threat to critical infrastructure as well as unsuspecting everyday businesses,” said Ross McKercher, director of information security at Sophos, in a statement shared with The Hacker News.
“Their relentless determination redefines what it means to be an advanced persistent threat; disrupting this shift requires individual and collective action across the industry, including with law enforcement. We can’t expect these groups to slow down unless we put in the time and effort to outpace their innovations, and that includes early transparency about vulnerabilities and a commitment to building stronger software.”