
US Sanctions Chinese Cybersecurity Firm - Infrastructure Hacks

December 10, 2024

U.S. Sanctions Chinese Cybersecurity Firm Over Sophos Firewall Exploitation

The United States government has imposed sanctions on a Chinese cybersecurity company, Sichuan Silence, and one of its employees, Guan Tianfeng. These actions stem from the exploitation of a previously unknown vulnerability – a zero-day – found in Sophos firewalls.

Targeting of U.S. Organizations

According to a statement released by the U.S. Treasury Department on Tuesday, Guan Tianfeng leveraged this vulnerability to breach approximately 81,000 firewalls in April 2020. This widespread hacking campaign, which Sophos publicly detailed in November, resulted in the compromise of over 23,000 firewalls located within the United States.

The affected systems included those belonging to a government agency, as well as numerous companies operating within critical infrastructure sectors.

Potential for Severe Impact

Among the targeted entities was an energy company engaged in drilling operations. The Treasury Department highlighted that a successful attack could have resulted in “significant loss in human life,” underscoring the gravity of the situation.

Data Theft and Ransomware Attempts

The primary objective of the exploit was to facilitate the theft of sensitive data from the compromised firewalls. However, Guan Tianfeng also reportedly attempted to deploy the Ragnarok ransomware variant onto the affected systems.

Investigations revealed that the attacker sought not only to access data but also to encrypt systems for ransom. This dual-pronged approach demonstrates sophisticated and malicious intent.

Sophos Vulnerability Details

  • The vulnerability was a zero-day, meaning it was previously unknown to Sophos and had no available patch.
  • Approximately 81,000 firewalls were compromised globally in April 2020.
  • Over 23,000 of these compromised firewalls were located within the United States.
  • Critical infrastructure and a government agency were among the victims.