U.S. authorities have unsealed charges against Chinese national Guan Tianfeng for allegedly orchestrating a massive cyber attack that compromised approximately 81,000 Sophos firewall devices worldwide in 2020.
Guan, who worked at Sichuan Silence Information Technology Company, faces charges of conspiracy to commit computer fraud and wire fraud. According to the U.S. Department of Justice, he developed and tested an exploit for a critical zero-day vulnerability that enabled unauthorized access to Sophos firewalls.
The exploit targeted a severe SQL injection flaw (CVE-2020-12271) that allowed attackers to achieve remote code execution on vulnerable devices. Over 23,000 of the compromised firewalls were located in the United States, including 36 protecting critical infrastructure systems.
The attackers concealed their activity by, among other methods, registering domains that mimicked legitimate Sophos URLs, such as "sophosfirewallupdate.com". When victims attempted to remove the malware, the hackers responded by deploying Ragnarok ransomware, though these attempts were ultimately unsuccessful.
In response to the charges, the U.S. Treasury Department has imposed sanctions against both Guan and Sichuan Silence. The company, based in Chengdu, has been identified as a cybersecurity contractor providing services to Chinese intelligence agencies, including network exploitation and email monitoring capabilities.
The U.S. State Department is offering rewards of up to $10 million for information about Sichuan Silence, Guan, or other individuals involved in state-directed cyber attacks against U.S. critical infrastructure.
Sophos CISO Ross McKerchar emphasized the growing threat posed by Chinese state-backed cyber operations, calling for increased industry collaboration and transparency in addressing software vulnerabilities.
The case highlights the persistent challenges faced by cybersecurity firms and critical infrastructure operators in defending against sophisticated state-sponsored cyber attacks.