A Chinese national, Guan Tianfeng, has been accused of involvement in the hacking of 81,000 firewall devices all over the world in 2020. Some of the compromised devices were protecting systems running US critical infrastructure and, had the attacks gone undetected, they could have had deadly consequences. The US Department of State’s Rewards for Justice (RFJ) program has since announced a reward of up to $10 million for information leading to the arrest of Guan and his alleged co-conspirators.
“The defendant and his conspirators compromised tens of thousands of firewalls and then continued to hold at risk these devices, which protect computers in the United States and around the world,” said Assistant Attorney General for National Security Matthew G. Olsen.
From April 22 to April 25, 2020, Guan and his co-conspirators allegedly exploited a vulnerability in firewalls sold by the UK-based information technology company Sophos and infected approximately 81,000 firewalls worldwide. According to the US Department of Justice, Guan helped develop and test malware designed to exploit this vulnerability in order to steal usernames and passwords from the firewalls. Guan also reportedly deployed Ragnarok to victims’ systems; this ransomware variant was designed to disable antivirus software and encrypt the data on the compromised computers should the victim try to remediate the infection.
Attack on US oil rigs could have had fatal consequences
Over 23,000 of the compromised firewall devices were in the US. Some of the victims were critical infrastructure companies. One was a US energy company working on drilling operations at the time of the compromise. Had the breach gone unnoticed and the ransomware attack not been intercepted, the oil rigs could have malfunctioned, resulting in injury or death. At the time of the breach, Guan was working as a security researcher at Sichuan Silence, a Chengdu-based cybersecurity company that has allegedly provided services to Chinese intelligence services and the People’s Republic of China (PRC) Ministry of Public Security.
Sichuan Silence provides its clients with services such as computer network exploitation, brute force password cracking, and even equipment designed to probe and exploit target network routers. One of Sichuan Silence’s products could, it was claimed, be used to “scan and detect overseas network targets in order to obtain valuable intelligence information.” A device used by Guan in the 2020 breach was owned by his former employer, Sichuan Silence.
The US Department of State’s reward of up to $10 million also extends to information leading to the identification or location of any person who, while acting at the direction or under the control of a foreign government, participates in malicious cyber activities against US critical infrastructure in violation of the US Computer Fraud and Abuse Act (CFAA).
Anyone with information on foreign malicious cyber activity against US critical infrastructure should contact Rewards for Justice via its Tor-based tips-reporting channel at: he5dybnt7sr6cm32xt77pazmtm65flqy6irivtflruqfc5ep7eiodiad.onion