US sanctions Chinese firm for hacking firewalls in ransomware attacks
The U.S. Treasury Department has sanctioned Chinese cybersecurity company Sichuan Silence and one of its employees for their involvement in a series of Ragnarok ransomware attacks targeting U.S. critical infrastructure companies and many other victims worldwide in April 2020.
According to the Department’s Office of Foreign Assets Control (OFAC), Sichuan Silence is a Chengdu-based cybersecurity government contractor (recently profiled by the Natto Thoughts team) that provides products and services to core clients like China’s intelligence services.
The company’s services include computer network exploitation, brute-force password cracking, email monitoring, and public sentiment suppression.
OFAC says the zero-day used in the April 2020 campaign was discovered by security researcher and Sichuan Silence employee Guan Tianfeng (also known as GbigMao) in an unnamed firewall product.
“Between April 22 and 25, 2020, Guan Tianfeng used this zero-day exploit to deploy malware to approximately 81,000 firewalls owned by thousands of businesses worldwide,” a press release published today revealed.
“The purpose of the exploit was to use the compromised firewalls to steal data, including usernames and passwords. However, Guan also attempted to infect the victims’ systems with the Ragnarok ransomware variant.”
Out of all the targeted devices, over 23,000 compromised firewalls were in the United States, and 36 were protecting the networks of U.S. critical infrastructure companies. OFAC says one of the victims was a U.S. energy company involved in drilling operations, and the attack could have led to significant loss of human life if the ransomware attacks had not been thwarted.
On Tuesday, the Department of Justice (DOJ) also unsealed an indictment against Guan, and the U.S. State Department announced a reward offer of up to $10 million for information about Sichuan Silence or Guan through its Rewards for Justice program.
Sophos XG firewall zero-day exploitation
The Department of State and the DOJ confirmed that the April 2020 Ragnarok ransomware campaign exploited a zero-day SQL injection vulnerability (CVE-2020-12271) in Sophos XG firewalls.
“In 2020, Chinese national Guan Tianfeng and other employees of Sichuan Silence developed and tested intrusion techniques prior to deploying malicious software that allowed them to exploit a zero-day vulnerability in certain firewalls sold by U.K.-based cybersecurity firm Sophos Ltd,” the State Department says.
“They deployed malware worldwide, permitting access to certain Sophos firewalls without authorization, causing damage to them, and allowing them to retrieve and exfiltrate data from both the firewalls themselves and the computers behind these firewalls.”
The attackers initially used zero-day exploits to obtain remote code execution on Sophos XG firewalls and installed ELF binaries and scripts that were part of a malicious toolkit known as the Asnarök Trojan.
After Sophos detected the attacks, it patched the devices and removed the malicious scripts using a hotfix. However, the threat actors activated a ‘dead man switch’ that would have triggered a Ragnarok ransomware attack on Windows machines on the victims’ networks.
“Throughout our five-year offensive operation against interlinked, Chinese nation-state adversaries — an operation we’ve named Pacific Rim — we successfully gathered critical intelligence about their activities. Notably, we were able to link much of the attackers’ exploit research and development to the Sichuan region of China, specifically, the Sichuan Silence Information Technology’s Double Helix Research Institute,” Sophos CISO Ross McKerchar told GeekFeed in an emailed statement.
“In addition, after neutralizing a wave of attacks we named Asnarok, we uncovered links between the attacks and a person who went by the moniker GBigMao. Today, we are pleased that the Department of Justice has unsealed its indictment of Gbigmao, aka Guan Tianfeng, and the Treasury has sanctioned Sichuan Silence. This is a positive step towards disrupting these attackers’ operation.”
As a result of today’s sanctions, U.S. organizations and citizens are prohibited from engaging in transactions with Guan and Sichuan Silence. Also, any U.S.-based assets tied to them will be frozen, and U.S. financial institutions or foreign entities transacting with them will also expose themselves to penalties.
In November 2021, Meta dismantled two networks of 524 Facebook and 86 Instagram accounts linked to Sichuan Silence. Meta said at the time that the accounts were used to target English speakers in the US and the UK, as well as Chinese-speaking audiences in Taiwan, Hong Kong, and Tibet in a COVID disinformation campaign.
Update December 10, 15:07 EST: Added statement from Sophos CISO Ross McKerchar.