
Office of Public Affairs | China-Based Hacker Charged for Conspiring to Develop and Deploy Malware That Exploited Tens of Thousands of Firewalls Worldwide



Note: View the indictment here and the FBI Wanted Poster here.

A federal court in Hammond, Indiana, unsealed an indictment today charging Guan Tianfeng, a citizen of the People’s Republic of China (PRC), for his involvement in a conspiracy to hack indiscriminately into firewall devices worldwide in 2020. Guan and his co-conspirators worked at the offices of Sichuan Silence Information Technology Co. Ltd. to discover and exploit a previously unknown vulnerability (an “0-day” vulnerability) in certain firewalls sold by U.K.-based Sophos Ltd. (Sophos) – an information technology company that develops and markets cybersecurity products. The malware that exploited the vulnerability discovered by Guan was designed to steal information from infected computers and to encrypt files on them if a victim attempted to remediate the infection. In total, Guan and his co-conspirators infected approximately 81,000 firewall devices worldwide, including a firewall device used by an agency of the United States.

“The defendant and his co-conspirators exploited a vulnerability in tens of thousands of network security devices, infecting them with malware designed to steal information from victims around the world,” said Deputy Attorney General Lisa Monaco. “Today’s indictment reflects the Justice Department’s commitment to working with partners across government and around the globe to detect and hold accountable malicious cyber actors based in China or elsewhere who pose a threat to global cybersecurity.”

“The defendant and his conspirators compromised tens of thousands of firewalls and then continued to hold at risk these devices, which protect computers in the United States and around the world,” said Assistant Attorney General for National Security Matthew G. Olsen. “The Department of Justice will hold accountable those who contribute to the dangerous ecosystem of China-based enabling companies that carry out indiscriminate hacks on behalf of their sponsors and undermine global cybersecurity.”

“Our law enforcement actions, technical expertise, and enduring partnerships with private companies, like Sophos, demonstrate the reputation of the FBI as being a reliable and effective partner for stopping this malicious activity,” said Assistant Director Bryan Vorndran of the FBI’s Cyber Division. “Complementary actions prevented further victimization of U.S. companies and individuals while contributing to the safety of U.S. citizens as they use the internet.”

“Today’s indictment underscores our commitment to protecting the public from malicious actors who use security research as a cover to identify vulnerabilities in widely used systems and exploit them,” said U.S. Attorney Clifford D. Johnson for the Northern District of Indiana. “Guan Tianfeng and his co-conspirators placed thousands of computer networks, including a network in the Northern District of Indiana, at risk by conducting this attack.”

“The zero-day vulnerability Guan Tianfeng and his co-conspirators found and exploited affected firewalls owned by businesses across the United States, including in Indiana,” said Special Agent in Charge Herbert J. Stapleton of the FBI Indianapolis Field Office. “If Sophos had not rapidly identified the vulnerability and deployed a comprehensive response, the damage could have been far more severe. Sophos’s efforts combined with the dedication and expertise of our cyber squad formed a powerful partnership resulting in the mitigation of this threat.”

The Conspiracy to Exploit Common Vulnerabilities and Exposures (CVE) 2020-12271

As alleged in the indictment, in 2020, Guan and his co-conspirators developed, tested, and deployed malware that targeted approximately 81,000 Sophos firewalls using a 0-day vulnerability that existed on those devices. The 81,000 Sophos firewalls were located throughout the world, including within victim organizations located in the Northern District of Indiana. The vulnerability was later designated CVE-2020-12271.

Guan and his co-conspirators designed the malware to steal information from firewalls. To better hide their activity, Guan and his co-conspirators registered and used domains designed to look like they were controlled by Sophos, such as sophosfirewallupdate.com. Sophos discovered the intrusion and remediated its customers’ firewalls in approximately two days, which caused the co-conspirators to modify their malware. As modified, the malware was designed to deploy encryption software from a ransomware variant in the event the victims attempted to remove the malware. Their encryption efforts did not succeed, but demonstrated the conspirators’ disregard for the harm that they would cause to victims.

Guan Tianfeng’s Employment and Sichuan Silence’s Relationship with the PRC Government

According to court documents, Guan worked for Sichuan Silence, a PRC-based private company that has provided services to the PRC Ministry of Public Security, among other PRC organizations. According to Sichuan Silence’s website, it developed a product line which could be used to scan and detect overseas network targets in order to obtain valuable intelligence information.

In October, Sophos released a series of articles chronicling its separate long-running investigation, “Pacific Rim.” Sophos detailed PRC-based advanced persistent threat groups targeting its networking appliances for over five years, which it described as “unusually knowledgeable about the internal architecture of the device firmware.” One of the attacks described in the Pacific Rim report involved CVE-2020-12271.

Soon after the Sophos announcements in October, the FBI issued a call for information regarding computer intrusions into Sophos edge devices. The FBI continues to solicit information on PRC-sponsored malicious actors targeting edge devices and network security appliances.

The U.S. Department of State also announced rewards today of up to $10 million for information leading to the identification or location of Guan or any person who, while acting at the direction or under the control of a foreign government, engages in certain malicious cyber activities against U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act. The U.S. Department of the Treasury’s Office of Foreign Assets Control also announced sanctions on Sichuan Silence and Guan today.

Trial Attorneys Jacques Singer-Emery and George Brown of the National Security Division’s National Security Cyber Section and Assistant U.S. Attorney Steven J. Lupa for the Northern District of Indiana are prosecuting the case.

The FBI continues to investigate Sichuan Silence’s hacking activities and intrusions into various edge devices.

An indictment is merely an allegation. All defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law.
