U.S. Charges Chinese Hacker for Attacking 81,000 Firewalls
U.S. Charges Chinese National in Major Cyber Attack on Sophos Firewalls
Introduction
In a significant development in cybersecurity, the U.S. government has unsealed charges against a Chinese national for allegedly infiltrating thousands of Sophos firewall devices worldwide in 2020. Guan Tianfeng, also known as gbigmao and gxiaomao, has been implicated in a conspiracy to commit computer fraud and wire fraud, highlighting the ongoing threat of cyber attacks on critical infrastructure.
Charges and Allegations Against Guan Tianfeng
Guan Tianfeng, who reportedly worked for Sichuan Silence Information Technology Company, Limited, is accused of developing and testing a zero-day vulnerability that enabled attacks on Sophos firewalls. The FBI stated, "Guan Tianfeng is wanted for his alleged role in conspiring to access Sophos firewalls without authorization, causing damage, and exfiltrating data from these devices." This vulnerability, identified as CVE-2020-12271, had a CVSS score of 9.8, indicating it posed a severe risk.
Details of the Cyber Attack
The exploitation of the vulnerability affected approximately 81,000 Sophos firewalls globally. In a series of reports released in late October 2024, Sophos revealed that it had received a suspicious bug bounty report about the flaw shortly before it was exploited in real-world attacks. Using the Asnarök trojan, the attackers stole sensitive data from the devices, including usernames and passwords.
Subsequent Exploits and Vulnerabilities
In March 2022, Sophos received another report from an anonymous researcher in China that detailed two additional critical vulnerabilities:
- CVE-2022-1040 (CVSS score: 9.8) – An authentication bypass flaw allowing remote code execution.
- CVE-2022-1292 (CVSS score: 9.8) – A command injection vulnerability in OpenSSL.
These vulnerabilities underscore the persistent threats faced by organizations relying on Sophos firewalls.
Malware Development and Tactics Used
According to the U.S. Department of Justice, Guan and his collaborators designed malware specifically to extract information from compromised firewalls. They took measures to disguise their activities by registering domains that appeared to be associated with Sophos, such as sophosfirewallupdate[.]com. When Sophos initiated countermeasures, the attackers modified their malware and deployed a Ragnarok ransomware variant.
Consequences and Sanctions
In conjunction with the indictment, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) has imposed sanctions against Sichuan Silence and Guan. The Treasury highlighted that more than 23,000 of the compromised firewalls were in the United States, with 36 protecting U.S. critical infrastructure companies.
Government Response and Rewards for Information
The Department of State is offering rewards of up to $10 million for information related to Guan, Sichuan Silence, or others involved in cyber attacks targeting U.S. infrastructure. The persistence of such groups calls for a coordinated response from the tech industry and law enforcement to strengthen cybersecurity measures.
Conclusion
The charges against Guan Tianfeng exemplify the growing danger posed by advanced persistent threat actors in the cybersecurity landscape. Organizations must remain vigilant and proactive in patching vulnerabilities and strengthening their defenses against such attacks.