The U.S. has sanctioned Sichuan Silence, a Chinese cybersecurity firm involved in ransomware attacks targeting critical infrastructure in 2020. One of its employees, Guan Tianfeng, has also been charged individually.
Guan, a security researcher, discovered a zero-day vulnerability in a firewall product developed by U.K.-based security firm Sophos. He exploited the vulnerability, designated CVE-2020-12271, using a SQL injection attack that retrieved and remotely executed a script from a malicious server. Guan and his co-conspirators had registered legitimate-looking server domains, such as sophosfirewallupdate.com.
This script, part of the malicious Asnarök Trojan toolkit, was initially designed to steal data like usernames and passwords from the firewalls and the computers behind them and send them to a Chinese IP address. If the victim attempted to reboot their device, Ragnarok ransomware would automatically install, disabling antivirus software and encrypting every Windows device on the network.
However, within two days of the attack, Sophos deployed a patch to impacted firewalls that did not require a reboot and removed all malicious scripts. Guan then modified the malware to install ransomware when it detected Sophos’ mitigation, but the patch prevented this from working.
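The attack chain above hinged on compromised firewalls reaching out to an attacker-registered domain that imitated the vendor's name. The following detector is an added illustration for defenders, not code from the article, from Sophos, or from any investigator: it scans firewall DNS and outbound HTTP log lines for hosts that carry the vendor's brand but do not belong to the vendor's real domain. The log format and all sample lines are constructed; the only domain taken from the article is sophosfirewallupdate.com, and sophos.com is assumed here to be the vendor's legitimate domain for the allowlist.

```python
"""Flag firewall DNS/egress log entries that reference vendor-lookalike domains.

Added illustration; not code from the article or from Sophos. The log line
format is constructed. VENDOR_DOMAINS is an assumed allowlist.
"""
import re
from typing import Dict, Iterable, List, Optional

# Assumed allowlist of registrable domains the vendor legitimately uses.
VENDOR_DOMAINS = {"sophos.com"}
# Brand strings whose presence in an unrelated domain is suspicious.
BRAND_KEYWORDS = ("sophos",)

# Constructed log format: "<timestamp> <device> <dns|http> <host>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<device>\S+)\s+(?P<kind>dns|http)\s+(?P<host>\S+)$")


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname (naive approximation).

    Production code should consult the Public Suffix List so that hosts
    under multi-label suffixes such as co.uk are handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_vendor_domain(host: str) -> bool:
    """True when the host sits under an allowlisted vendor domain."""
    return registrable_domain(host) in VENDOR_DOMAINS


def lookalike_reason(host: str) -> Optional[str]:
    """Return a reason string if the host imitates the vendor, else None."""
    rd = registrable_domain(host)
    if rd in VENDOR_DOMAINS:
        return None
    for keyword in BRAND_KEYWORDS:
        if keyword in rd:
            return f"registrable domain '{rd}' contains brand '{keyword}' but is not allowlisted"
    return None


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one constructed log line; return None for lines that do not match."""
    match = LOG_RE.match(line.strip())
    return match.groupdict() if match else None


def scan(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return the parsed entries whose host looks like a vendor impersonation."""
    findings: List[Dict[str, str]] = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reason = lookalike_reason(entry["host"])
        if reason is not None:
            entry["reason"] = reason
            findings.append(entry)
    return findings


# Constructed sample log: two benign lookups and three lookalike contacts.
SAMPLE_LOG = [
    "2020-04-22T03:14:07Z fw-01 dns update.sophos.com",
    "2020-04-22T03:15:11Z fw-01 dns sophosfirewallupdate.com",
    "2020-04-22T03:15:12Z fw-01 http sophosfirewallupdate.com",
    "2020-04-22T03:16:00Z fw-02 dns example.org",
    "2020-04-22T03:17:30Z fw-02 dns cdn.sophos-update.net",
    "this line is malformed and is skipped",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"{finding['ts']} {finding['device']} {finding['kind']} "
              f"{finding['host']}: {finding['reason']}")
```

Run on a real export, the interesting signal is any firewall management plane resolving or fetching from a domain that carries the vendor's name but is not under the vendor's own domain; a legitimate hotfix will come from the allowlisted domain, so anything flagged deserves a look at what the device did next.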
According to a now-unsealed indictment against Guan, his conspirators viewed information about the Sophos patch on the company’s website in May 2020 before testing an updated version of the exploit a few days later.
The Treasury has sanctioned both Sichuan Silence and Guan Tianfeng, meaning all their U.S.-based assets will be blocked, and organizations and individuals will be prohibited from engaging in transactions of funds, goods, or services with them.
“Today’s action underscores our commitment to exposing these malicious cyber activities—many of which pose a significant risk to our communities and our citizens—and to holding the actors behind them accountable for their schemes,” Bradley T. Smith, acting undersecretary of the Treasury for terrorism and financial intelligence, said in a press release.
Rewards of up to $10 million are available for information about Guan or other state-sponsored cyber attackers. Guan is believed to reside in Sichuan Province, China, though he may also travel to Bangkok, Thailand.
Tens of thousands of firewalls used by critical infrastructure companies were compromised
Between April 22 and 25, 2020, around 81,000 Sophos XG firewalls used by global companies were compromised. Over 23,000 of these firewalls were used by U.S. organizations, and 36 were used for critical infrastructure.
Compromising critical infrastructure — such as utilities, transport, telecommunications, and data centres — can lead to widespread disruption, making it a prime target for cyberattacks. A recent report from Malwarebytes found that the services industry is the worst affected by ransomware, accounting for almost a quarter of global attacks.
One victim was a U.S. energy company drilling for oil when the Sichuan Silence ransomware was deployed. The Department of the Treasury’s Office of Foreign Assets Control says that human life could have been lost if the attack had caused oil rigs to malfunction.
Who is Sichuan Silence?
Sichuan Silence is a Chengdu-based cybersecurity contractor primarily hired by Chinese intelligence services. China has denied hacking charges made by the U.S. in the past but has been consistently linked with cyber attacks in the U.S.
This month, the Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency identified that China-affiliated threat actors had “compromised networks at multiple telecommunications companies.”
According to the Treasury, Sichuan Silence provides clients tools and services for hacking networks, monitoring emails, brute-force password cracking, and exploiting network routers. The organization’s website also states it has products that can scan overseas networks for intelligence information.
A pre-positioning device — a tool that installs malicious code in a target network to set up a future cyber attack — was used by Guan in April 2020 and was found to be owned by Sichuan Silence. The attacker also competed on behalf of his company in cybersecurity tournaments and posted zero-day exploits he’d discovered on forums using the handle “GbigMao.”
In November 2021, Meta reported dismantling a coordinated disinformation campaign linked to Sichuan Silence that falsely claimed the U.S. was interfering with World Health Organization investigations into COVID-19 operations. The disinformation was spread by hundreds of fake Facebook and Instagram accounts and amplified by Chinese state media and government-linked organizations.
“The scale and persistence of Chinese nation-state adversaries pose a significant threat to critical infrastructure, as well as unsuspecting, everyday businesses as noted in Sophos’ Pacific Rim investigation report,” Ross McKerchar, CISO at Sophos, told TechRepublic.
“Their relentless determination redefines what it means to be an Advanced Persistent Threat; disrupting this shift demands individual and collective action across the industry, including with law enforcement.
“We can’t expect these groups to slow down if we don’t put the time and effort into out-innovating them, and this includes early transparency about vulnerabilities and a commitment to develop stronger software.”
Critical infrastructure attacks are on the rise
Attacks on critical infrastructure are becoming increasingly common. At the end of 2023, the FBI uncovered a wide-ranging botnet attack by the Chinese hacking group Volt Typhoon, created from hundreds of privately owned routers across the U.S. and its overseas territories.
The threat actors targeted and compromised the IT environments of U.S. communications, energy, transportation, and water infrastructure. Volt Typhoon has conducted hundreds of attacks on critical infrastructure since it became active in mid-2021.
Other notable attacks on critical infrastructure from recent years include the 2021 Colonial Pipeline incident. The company — responsible for 45% of the East Coast’s fuel, including gas, heating oil, and other forms of petroleum — discovered it was hit by a ransomware attack and was forced to shut down some of its systems, stopping all pipeline operations temporarily.
Sandworm and affiliates of the Black Basta ransomware-as-a-service organization have also targeted critical infrastructure worldwide. Both groups have links to Russia.
In May, the U.S. CISA and several international cyber authorities warned of pro-Russia hacktivist attacks targeting providers of operational technology often used in critical industries. The advisory highlighted “continued malicious cyber activity” against water, energy, food, and agriculture businesses between 2022 and April 2024.
In addition to strict uptime requirements, OT organizations managing critical infrastructure are known for relying on legacy devices, as replacing technology while maintaining normal operations is both challenging and costly. This makes them both accessible and likely to pay a ransom, as downtime will have severe consequences.