A federal court in Hammond, Indiana, unsealed an indictment today charging Guan Tianfeng, a Chinese citizen, for his involvement in a conspiracy to hack indiscriminately into firewall devices worldwide in 2020.
Guan and his co-conspirators worked at the offices of Sichuan Silence Information Technology Co. Ltd. to discover and exploit a previously unknown vulnerability in certain firewalls sold by UK-based Sophos Ltd. – an information technology company that develops and markets cybersecurity products.
The malware that exploited the vulnerability discovered by Guan was designed to steal information from infected computers and to encrypt files on them if a victim attempted to remediate the infection. In total, Guan and his co-conspirators infected approximately 81,000 firewall devices worldwide, including a firewall device used by an agency of the United States.
“The defendant and his co-conspirators exploited a vulnerability in tens of thousands of network security devices, infecting them with malware designed to steal information from victims around the world,” said Deputy Attorney General Lisa Monaco.
“The zero-day vulnerability Guan Tianfeng and his co-conspirators found and exploited affected firewalls owned by businesses across the United States, including in Indiana,” said Special Agent in Charge Herbert J. Stapleton of the FBI Indianapolis Field Office. “If Sophos had not rapidly identified the vulnerability and deployed a comprehensive response, the damage could have been far more severe. Sophos’s efforts combined with the dedication and expertise of our cyber squad formed a powerful partnership resulting in the mitigation of this threat.”
The Conspiracy to Exploit Common Vulnerabilities and Exposures (CVE) 2020-12271
As alleged in the indictment, in 2020, Guan and his co-conspirators developed, tested, and deployed malware that targeted approximately 81,000 Sophos firewalls using a 0-day vulnerability that existed on those devices. The 81,000 Sophos firewalls were located throughout the world, including within victim organizations located in the Northern District of Indiana. The vulnerability was later designated CVE 2020-12271.
Guan and his co-conspirators designed the malware to steal information from firewalls. To hide their activity better, Guan and his co-conspirators registered and used domains designed to look like they were controlled by Sophos, such as sophosfirewallupdate.com. Sophos discovered the intrusion and remediated its customers’ firewalls in approximately two days, which caused the co-conspirators to modify their malware.
As modified, the malware was designed to deploy encryption software from a ransomware variant if the victims attempted to remove the malware. Their encryption efforts did not succeed but demonstrated the conspirators’ disregard for the harm they would cause victims.
According to court documents, Guan worked for Sichuan Silence, a PRC-based private company that has provided services to the PRC Ministry of Public Security, among other PRC organizations. According to Sichuan Silence’s website, it developed a product line that could be used to scan and detect overseas network targets and obtain valuable intelligence information.
In October, Sophos released a number of articles chronicling its separate long-running investigation, “Pacific Rim.” Sophos detailed PRC-based advanced persistent threat groups targeting its networking appliances for over five years, which it described as “unusually knowledgeable about the internal architecture of the device firmware.” One of the attacks described in the Pacific Rim report involved CVE-2020-12271.
Soon after the Sophos announcements in October, the FBI issued a call for information regarding computer intrusions into Sophos edge devices. The FBI continues to solicit information on PRC-sponsored malicious actors targeting edge devices and network security appliances.
The U.S. Department of State also announced rewards today of up to $10 million for information leading to the identification or location of Guan or any person who, while acting at the direction or under the control of a foreign government, engages in certain malicious cyber activities against U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act. The U.S. Department of the Treasury’s Office of Foreign Assets Control also announced sanctions on Sichuan Silence and Guan today.
