Chinese national indicted for exploiting Sophos firewall vulnerabilities
A federal indictment has charged Chinese national Guan Tianfeng with exploiting a zero-day vulnerability in Sophos firewalls, affecting approximately 81,000 devices worldwide in 2020. The U.S. Department of Justice (DoJ) alleges that Guan conspired to deploy malware that compromised sensitive data and infiltrated critical infrastructure.
The vulnerability, classified as CVE-2020-12271 and rated with a high CVSS score of 9.8, allowed unauthorized access through SQL injection flaws on Sophos firewall devices. Notably, more than 23,000 of the compromised firewalls were located in the United States, with 36 serving U.S. critical infrastructure systems. Guan, also known by aliases gbigmao and gxiaomao, was employed by Sichuan Silence Information Technology Co., Ltd, a company believed to have ties to the Chinese government.
According to the indictment, Guan and his co-conspirators designed malware to exfiltrate data and disrupt firewall functionality. The DoJ stated, “Guan Tianfeng is wanted for his alleged role in conspiring to access Sophos firewalls without authorization, cause damage to them, and retrieve and exfiltrate data.” Investigations are ongoing, and the FBI has sought public assistance in identifying others involved in the attacks.
Guan’s activities reportedly included exploiting the vulnerability to steal information and subsequently deploying a ransomware variant, the Ragnarok malware, aimed at encrypting the files of victims who attempted to remediate the infections. To conceal their activities, the attackers registered domains that mimicked Sophos, such as sophosfirewallupdate.com.
In 2021, Sophos had already highlighted the sophistication of the cyber threats it faced, indicating that numerous incidents were perpetrated by advanced persistent threat (APT) groups with significant knowledge of Sophos devices. Following the incidents, Sophos implemented rapid countermeasures that helped mitigate further exploitation. “If any of these victims had failed to patch their systems… the potential impact… could have resulted in serious injury or the loss of human life,” stated the U.S. Treasury Department.
In responding to these cyber threats, the U.S. government has imposed sanctions against both Guan and Sichuan Silence, emphasizing that such cyber activities pose significant risks to both national security and public safety. The indictment reflects a broader effort to confront challenges posed by foreign state-sponsored cyber actors, particularly those based in China.
The U.S. Department of State has also offered rewards of up to $10 million for information leading to identifying individuals engaged in malicious cyber activities against U.S. critical infrastructure. As investigations continue, officials emphasize the need for collaborative efforts in cybersecurity to combat the persistent threat from foreign actors.