Chinese Hacker Charged for Hacking 81,000+ Firewalls Worldwide


The cybersecurity firm Sichuan Silence and one of its employees, Guan Tianfeng, have been sanctioned by the Department of the Treasury’s Office of Foreign Assets Control (OFAC) for their involvement in the April 2020 hack of tens of thousands of firewalls across the globe.

Sichuan Silence is a Chengdu-based cybersecurity government contractor whose primary clients are PRC intelligence services.

For these customers, Sichuan Silence offers brute-force password cracking, email monitoring, computer network exploitation, and public sentiment suppression products and services.

Guan, a Chinese national, was working as a security researcher at Sichuan Silence.

Guan participated in cybersecurity events on behalf of Sichuan Silence and shared newly found zero-day exploits on vulnerability and exploit forums, often going by the alias GbigMao.

According to the reports, Sichuan Silence and Guan Tianfeng had compromised about 81,000 firewalls belonging to thousands of companies throughout the globe with malware in April 2020.

The United States accounted for almost 23,000 of the breached firewalls. Particularly, thirty-six of these firewalls were safeguarding the systems of critical infrastructure companies in the United States.


A Zero-day Exploit In A Firewall Product

A zero-day SQL injection vulnerability, identified as CVE-2020-12271, was found in the Sophos XG firewall product by Guan Tianfeng.

The exploit’s goal was to steal information, including usernames and passwords, from the affected firewalls. Guan also attempted to install a variant of the Ragnarok ransomware on the victims’ systems.

If a victim tried to remediate the compromise, the ransomware would encrypt the computers on their network and disable antivirus software.

The potential consequences of the Ragnarok ransomware attack could have included severe harm or even death had any of these victims neglected to patch their systems against the exploit, or had cybersecurity measures failed to detect and promptly remediate the breach.

The breach affected a U.S. energy business that was actively engaged in drilling activities. Oil rigs might have malfunctioned, and a considerable number of lives could have been lost if this hack had gone undetected and the ransomware attack had not been stopped.

According to OFAC, Sichuan Silence and Guan are responsible for having engaged in cyber-enabled activities that pose a significant threat to the United States’ foreign policy, national security, economic health, or financial stability, and that have the intent or effect of seriously impairing the ability of a computer or network of computers that support one or more entities in a critical infrastructure sector.

Bounty Announced

“As a result of today’s action, all property and interests in property of the designated persons described above that are in the United States or in the possession or the control of U.S. persons are blocked and must be reported to OFAC”, reads the Press Release.

“In addition, any entities that are owned, directly or indirectly, individually or in the aggregate, 50 percent or more by one or more blocked persons are also blocked”.

Financial institutions and other persons may also be subject to penalties or enforcement action if they engage in certain transactions or activities with the sanctioned businesses and individuals.

Guan was also charged by the Department of Justice (DOJ) for the same offense. A Rewards for Justice incentive offer of up to $10 million for information regarding Guan or Sichuan Silence was also announced by the U.S. Department of State.

Rewards up to $10 Million

“Today’s action underscores our commitment to exposing these malicious cyber activities—many of which pose significant risk to our communities and our citizens—and to holding the actors behind them accountable for their schemes,” said Acting Under Secretary of the Treasury for Terrorism and Financial Intelligence Bradley T. Smith.

“Treasury, as part of the U.S. government’s coordinated approach to addressing cyber threats, will continue to leverage our tools to disrupt attempts by malicious cyber actors to undermine our critical infrastructure.”
