
US names Chinese national it alleges was behind 2020 attack on Sophos firewalls

Also sanctions his employer – an outfit called Sichuan Silence linked to Ragnarok ransomware


The US Departments of Treasury and Justice have named a Chinese business and one of its employees as the actors behind the 2020 exploitation of a zero-day flaw in Sophos firewalls.

The attack was made possible by a critical-rated SQL injection flaw known as CVE-2020-12271 that was exploited in the wild in April 2020. Sophos quickly published a hotfix to harden its XG firewalls and quash the zero-day attack.

But the DoJ on Tuesday asserted that 81,000 firewalls were nonetheless compromised – including at least one used by an agency of the United States government.

The DoJ also named Guan Tianfeng as a co-conspirator in the attack, along with fellow employees at an outfit awesomely named Sichuan Silence Information Technology Co. Ltd.

Treasury identified Guan as a security researcher at Sichuan Silence at the time of the compromise. "Guan competed on behalf of Sichuan Silence in cyber security tournaments and posted recently discovered zero-day exploits on vulnerability and exploit forums, including under his moniker GbigMao," Treasury claimed, adding that it considers him "responsible for the April 2020 firewall compromise."

The Department also alleged that Sichuan Silence is a "cyber security government contractor whose core clients are PRC intelligence services." The biz apparently offers those clients services including "computer network exploitation, email monitoring, brute-force password cracking, and public sentiment suppression products and services."

An indictment [PDF] claims that Guan and his employer acquired Sophos firewalls to test them for vulns and later registered the domain sophosfirewallupdate.com.

That domain name was chosen as it appears legitimate – but it was allegedly used to deliver malware to Sophos firewalls after a successful SQL injection attack. That payload stole info from the Sophos firewalls and sent it to a Chinese IP address.
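The lookalike domain described above is the kind of indicator a defender can hunt for in DNS logs: a query whose name carries a vendor's brand but whose apex is not one the vendor controls. The following is an added example, not code from the article, from Sophos, or from the indictment. It assumes a curated brand watch-list and allow-list (here only "sophos" and "sophos.com"), and the log lines are constructed for the example, not real traffic.

```python
import re

# Brands whose appearance in an unrelated domain is suspicious.
# Assumption: a defender curates this list; "sophos" is the vendor in the article.
WATCHED_BRANDS = {"sophos"}

# Apex domains the brand legitimately controls.
# Assumption for the example; a real allow-list would come from the vendor.
LEGITIMATE_APEX = {"sophos.com"}

# Constructed sample DNS query log (not real traffic).
# Format per line: <timestamp> <client_ip> <queried_name>
SAMPLE_LOG = """\
2020-04-22T10:01:05Z 10.0.0.5 update.sophos.com
2020-04-22T10:01:09Z 10.0.0.5 sophosfirewallupdate.com
2020-04-22T10:02:11Z 10.0.0.7 www.example.org
2020-04-22T10:03:44Z 10.0.0.9 sophos-firewall-update.net
"""


def apex_of(qname):
    # Naive apex: the last two labels. This ignores multi-part public
    # suffixes such as co.uk; use a public-suffix list in production.
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_lookalike(qname):
    # A name is a lookalike when it contains a watched brand but its apex
    # is not on the allow-list. Separators are stripped so that
    # "sophos-firewall" and "sophosfirewall" are treated the same.
    q = qname.lower().rstrip(".")
    if apex_of(q) in LEGITIMATE_APEX:
        return False
    flat = re.sub(r"[-_.]", "", q)
    return any(brand in flat for brand in WATCHED_BRANDS)


def find_lookalike_queries(log_text):
    # Return (timestamp, client, name) for every flagged query, in log order.
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash the hunt
        ts, client, qname = parts
        if is_lookalike(qname):
            hits.append((ts, client, qname))
    return hits


if __name__ == "__main__":
    for ts, client, qname in find_lookalike_queries(SAMPLE_LOG):
        print(f"{ts} {client} queried lookalike domain {qname}")
```

The heuristic is deliberately simple: it will flag any third-party domain that happens to contain the brand string, so in practice the hits are review candidates rather than verdicts, and the apex logic should be backed by a public-suffix list.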

The document also claims that Sichuan Silence tried to modify its malware to deliver the Ragnarok ransomware when it detected installation of Sophos's patch. That modification failed.

Guan is thought to reside in China, and now that he's been indicted is unlikely to leave or travel to Thailand – a country the FBI believes he occasionally visits.

The Department of State announced rewards today of up to $10 million for information leading to the identification or location of Guan or any person who, while acting at the direction or under the control of a foreign government, engages in certain malicious cyber activities against US critical infrastructure in violation of the Computer Fraud and Abuse Act.

Even if that offer doesn't yield results, Treasury has sanctioned Guan and Sichuan Silence – meaning it's illegal for any US business to work with them, and any assets they own in the US are blocked and must be reported to the Office of Foreign Assets Control (OFAC).

All the agencies mentioned above assert that the work to identify Guan and Sichuan Silence shows the US will not tolerate those who mess with critical infrastructure – and let that be a lesson to China.

Sophos CISO Ross McKerchar welcomed the agencies' actions, but noted China isn't backing off.

In a canned statement, he argued "We can't expect these groups to slow down, if we don't put the time and effort into out-innovating them, and this includes early transparency about vulnerabilities and a commitment to develop stronger software." ®
