{"id":1183,"date":"2024-12-11T03:26:43","date_gmt":"2024-12-11T03:26:43","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=1183"},"modified":"2024-12-11T03:26:43","modified_gmt":"2024-12-11T03:26:43","slug":"us-sanctions-chinese-cybersecurity-firm-over-global-malware-campaign","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=1183","title":{"rendered":"US sanctions Chinese cybersecurity firm over global malware campaign"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>The US government has imposed sanctions on Chinese cybersecurity firm Sichuan Silence Information Technology and one of its employees, Guan Tianfeng, for their alleged involvement in a 2020 global cyberattack that exploited <a href=\"https:\/\/www.csoonline.com\/article\/565704\/zero-days-explained-how-unknown-vulnerabilities-become-gateways-for-attackers.html\">zero day<\/a> vulnerabilities in firewalls.<\/p>\n<p>The actions were announced by the US Department of the Treasury and the Department of Justice (DOJ), which also unsealed an indictment against Guan.<\/p>\n<p>The cyberattacks reportedly targeted tens of thousands of devices worldwide, compromising over 80,000 systems, including those safeguarding critical infrastructure in the United States.<\/p>\n<p>\u201cToday\u2019s action underscores our commitment to exposing these malicious cyber activities \u2014 many of which pose significant risks to our communities and our citizens \u2014 and to holding the actors behind them accountable for their schemes,\u201d Acting Under Secretary of the Treasury for Terrorism and Financial Intelligence Bradley T. 
Smith <a href=\"https:\/\/home.treasury.gov\/news\/press-releases\/jy2742\">said in a statement<\/a>.<\/p>\n<h2 class=\"wp-block-heading\">Details of the attack<\/h2>\n<p>The DOJ stated that the attackers exploited a zero day vulnerability in Sophos firewall products to deploy malware capable of stealing credentials and installing ransomware.<\/p>\n<p>\u201cThe malware that exploited the vulnerability discovered by Guan was designed to steal information from infected computers and to encrypt files on them if a victim attempted to remediate the infection,\u201d <a href=\"https:\/\/www.justice.gov\/opa\/pr\/china-based-hacker-charged-conspiring-develop-and-deploy-malware-exploited-tens-thousands\">the DOJ said in a statement<\/a>.<\/p>\n<p>According to the indictment, in 2020, Guan and his co-conspirators allegedly developed, tested, and deployed malware that exploited a zero day vulnerability in approximately 81,000 Sophos firewalls worldwide, including those within organizations in the Northern District of Indiana.<\/p>\n<p>This vulnerability, later identified as CVE-2020-12271, was used to compromise the targeted systems.<\/p>\n<p>The malware was specifically designed to extract sensitive information from the firewalls. To obscure their operations, Guan and his co-conspirators reportedly registered and utilized domains that mimicked Sophos\u2019 official sites, such as <em>sophosfirewallupdate[dot]com.<\/em><\/p>\n<p>Sophos discovered the breach and acted swiftly, mitigating the vulnerability and securing customers\u2019 firewalls within two days. In response, the attackers allegedly modified their malware to include a failsafe: ransomware encryption software designed to activate if victims attempted to remove the malicious code.<\/p>\n<p>The attacks reportedly impacted over 23,000 devices in the United States, and more than 50,000 globally. 
Victims included organizations across the energy, healthcare, and financial sectors.<\/p>\n<p>Sophos said in one of its reports that advanced persistent threat groups based in China had been targeting its networking appliances for over five years, noting that these groups displayed an \u201cunusually deep understanding of the internal architecture of the device firmware.\u201d<\/p>\n<p>The malware, identified as a precursor to the Ragnarok ransomware, sought to encrypt files and demand payment for their release.<\/p>\n<h2 class=\"wp-block-heading\">A closer look at Sichuan Silence<\/h2>\n<p>Based in Chengdu, China, Sichuan Silence is a cybersecurity contractor serving key People\u2019s Republic of China (PRC) intelligence services. The company offers services such as email monitoring, network exploitation, and password-cracking tools, according to court documents.<\/p>\n<p>\u201cSichuan Silence\u2019s pre-positioning device played a pivotal role in enabling Guan\u2019s malware deployment,\u201d the DOJ indictment revealed. The company\u2019s ties to the PRC government further highlighted concerns over the state-sponsored nature of cyber threats targeting US interests.<\/p>\n<p>Guan\u2019s activities were not limited to corporate espionage. 
Under the alias \u201cGbigMao,\u201d he actively participated in cybersecurity tournaments and shared zero-day exploits on vulnerability forums, the DOJ said.<\/p>\n<h2 class=\"wp-block-heading\">Sanctions and criminal charges<\/h2>\n<p>The Treasury Department\u2019s Office of Foreign Assets Control (OFAC) announced sanctions against Sichuan Silence and Guan under Executive Order 13694, which targets malicious cyber actors.<\/p>\n<p>\u201cThese sanctions are part of a broader effort to hold perpetrators of cyber-enabled attacks accountable,\u201d the department said in the statement.<\/p>\n<p>As a result, all of Guan\u2019s US-based assets, and those of the company, have been frozen, and US entities are prohibited from conducting transactions with them.<\/p>\n<p>Meanwhile, the DOJ unsealed charges against Guan for conspiracy to commit computer fraud, wire fraud, and identity theft.<\/p>\n<p>Additionally, the US Department of State has announced a reward of $10 million for any information on Sichuan Silence or Guan.<\/p>\n<p>\u201cThis indictment underscores the growing threat posed by cyberattacks and our commitment to pursuing those who target US infrastructure,\u201d Assistant Attorney General Matthew G. Olsen of the National Security Division said in the statement.<\/p>\n<h2 class=\"wp-block-heading\">Global implications<\/h2>\n<p>The case has sparked global concern over the potential misuse of cybersecurity research and tools. Although Sichuan Silence is privately owned, the US alleges links between its activities and Chinese intelligence agencies.<\/p>\n<p>The exploitation of zero day vulnerabilities underscores the increasing sophistication of cyberattacks. 
This is another example of how zero day vulnerabilities are weaponized to compromise sensitive systems.<\/p>\n<p>The DOJ credited private sector partners for their assistance in identifying and mitigating the malware.<\/p>\n<p>Sophos, the company whose firewalls were exploited, issued patches in April 2020 and has since worked to bolster its security measures.<\/p>\n<h2 class=\"wp-block-heading\">Broader cybersecurity concerns<\/h2>\n<p>The US government emphasized the importance of international cooperation in addressing cybersecurity threats.<\/p>\n<p>\u201cCyberattacks of this nature not only harm US businesses and infrastructure, but also undermine the safety and security of systems worldwide,\u201d added the Treasury Department in its statement.<\/p>\n<p>The incident highlights the need for governments, companies, and cybersecurity professionals to collaborate in identifying and mitigating risks. With the growing threat of state-linked cyber activities, experts urge heightened vigilance to protect critical infrastructure and sensitive data.<\/p>\n<p>This development is seen as part of the US\u2019s broader effort to combat cyber-enabled attacks targeting global infrastructure and sensitive systems. The sanctions and charges signal a stern warning to entities exploiting digital vulnerabilities for malicious purposes.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>The US government has imposed sanctions on Chinese cybersecurity firm Sichuan Silence Information Technology and one of its employees, Guan Tianfeng, for their alleged involvement in a 2020 global cyberattack that exploited zero day vulnerabilities in firewalls. 
The actions were announced by the US Department of the Treasury and the Department of Justice (DOJ), which [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":1168,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-1183","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1183"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1183"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1183\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/1168"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1183"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1183"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1183"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}