US sanctions Chinese firm for hacking firewalls in ransomware attacks

The U.S. Treasury Department has sanctioned Chinese cybersecurity company Sichuan Silence and one of its employees for their involvement in a series of Ragnarok ransomware attacks targeting U.S. critical infrastructure companies and many other victims worldwide in April 2020.

According to the Department's Office of Foreign Assets Control (OFAC), Sichuan Silence is a Chengdu-based cybersecurity government contractor providing products and services to core clients like China's intelligence services.

The company's services include computer network exploitation, brute-force password cracking, email monitoring, and public sentiment suppression.

OFAC says the zero-day used in the April 2020 campaign was discovered by security researcher and Sichuan Silence employee Guan Tianfeng (also known as GbigMao) in an unnamed firewall product.

"Between April 22 and 25, 2020, Guan Tianfeng used this zero-day exploit to deploy malware to approximately 81,000 firewalls owned by thousands of businesses worldwide," a press release published today revealed.

"The purpose of the exploit was to use the compromised firewalls to steal data, including usernames and passwords. However, Guan also attempted to infect the victims' systems with the Ragnarok ransomware variant."

Out of all the targeted devices, over 23,000 compromised firewalls were in the United States, and 36 were protecting the networks of U.S. critical infrastructure companies.

OFAC says that one of the victims was a U.S. energy company involved in drilling operations, and the attack could have led to significant loss of human life if the ransomware attacks had not been thwarted.

On Tuesday, the Department of Justice (DOJ) also unsealed an indictment on Guan, and the U.S. State Department announced a reward offer of up to $10 million for information about Sichuan Silence or Guan through its Rewards for Justice program.

Sophos XG firewall zero-day exploitation

The Department of State confirmed that the April 2020 Ragnarok ransomware campaign exploited a zero-day SQL injection vulnerability in Sophos XG firewalls.

"In 2020, Chinese national Guan Tianfeng and other employees of Sichuan Silence developed and tested intrusion techniques prior to deploying malicious software that allowed them to exploit a zero-day vulnerability in certain firewalls sold by U.K.-based cybersecurity firm Sophos Ltd," the State Department says.

"They deployed malware worldwide, permitting access to certain Sophos firewalls without authorization, causing damage to them, and allowing them to retrieve and exfiltrate data from both the firewalls themselves and the computers behind these firewalls."

The attackers initially used zero-day exploits to obtain remote code execution on Sophos XG firewalls and installed ELF binaries and scripts part of a malicious toolkit known as Asnarök Trojan.

After Sophos detected the attacks, patched the devices, and. removed the malicious scripts using a hotfix. However, the threat actors activated a 'dead man switch' that triggered a Ragnarok ransomware attack on Windows machines on the victims' networks.

As a result of today's sanctions, U.S. organizations and citizens are prohibited from engaging in transactions with Guan and Sichuan Silence. Also, any U.S.-based assets tied to them will be frozen, and U.S. financial institutions or foreign entities transacting with them will also expose themselves to penalties.

In November 2021, Meta dismantled two networks of 524 Facebook and 86 Instagram accounts linked to Sichuan Silence. Meta said at the time that the accounts were used to target English speakers in the US and the UK, as well as Chinese-speaking audiences in Taiwan, Hong Kong, and Tibet in a COVID disinformation campaign.