The U.S. government has unsealed charges against Guan Tianfeng, a Chinese national, for allegedly breaking into 81,000 firewall devices globally in 2020. Guan, who worked at Sichuan Silence Information Technology Company, Limited, has been charged with conspiracy to commit computer fraud and wire fraud. The FBI stated that Guan developed and tested a zero-day security vulnerability used to conduct the attacks.
The exploit infiltrated approximately 81,000 firewalls, with more than 23,000 of them located in the United States. Among these, 36 firewalls were protecting U.S. critical infrastructure companies’ systems. It was revealed that Sophos had received a bug bounty report about the flaw in April 2020 from researchers associated with Sichuan Silence’s Double Helix Research Institute.
One day after the report, the vulnerability was exploited in real-world attacks using the Asnarök trojan, which stole usernames and passwords.
Indictment of Chinese hacker detailed
The U.S. Department of Justice stated that Guan and his co-conspirators designed the malware to steal information from firewalls.
They also registered and used domains designed to look like they were controlled by relevant entities to better hide their activity. Concurrent with the indictment, the U.S. Treasury Department’s Office of Foreign Assets Control has imposed sanctions against Sichuan Silence and Guan. Sichuan Silence has been assessed as a cybersecurity government contractor providing services to Chinese intelligence agencies.
The Department of State has offered rewards of up to $10 million for information about Sichuan Silence, Guan, or other individuals participating in cyberattacks against U.S. critical infrastructure entities under the direction of a foreign government. Ross McKerchar, chief information security officer at Sophos, said in a statement, “The scale and persistence of Chinese nation-state adversaries pose a significant threat to critical infrastructure, as well as unsuspecting, everyday businesses. Their relentless determination redefines what it means to be an Advanced Persistent Threat; disrupting this shift demands individual and collective action across the industry, including with law enforcement.”