US Charges, Sanctions Chinese Man Accused of Sophos Firewall Hacking

The US government announced charges, sanctions and a reward for Guan Tianfeng, a Chinese national accused of involvement in Sophos firewall hacks.

The US government on Tuesday announced charges and sanctions against a Chinese national accused of being involved in the hacker attacks targeting Sophos firewalls.

The attacks, which Sophos tracked over a period of five years, involved the exploitation of zero-day vulnerabilities in the security firm’s firewalls in an effort to plant backdoors and steal sensitive data from organizations. 

The campaign, linked to Chinese state-sponsored threat actors, resulted in roughly 81,000 firewall devices located around the world getting compromised, according to the US government, which noted that the list of hacked firewalls included devices used by one of its agencies. 

On Tuesday, the Department of Justice announced charges against a Chinese national named Guan Tianfeng (aka GBigMao) over the Sophos firewall attacks and the use of zero-days. The DoJ’s announcement specifically mentions the exploitation of a zero-day tracked as CVE-2020-12271.

Investigators determined that the attacks were carried out by Guan and others working for a Chinese company named Sichuan Silence Information Technology. 

Sichuan Silence is a private company that has allegedly provided services to China’s Ministry of Public Security, as well as other local organizations. Its website says the firm has developed a “product line which could be used to scan and detect overseas network targets in order to obtain valuable intelligence information”. 

In addition to the charges against Guan, the US government, specifically the Treasury Department, on Tuesday announced sanctions against the man and Sichuan Silence.

The Department of State is offering rewards of up to $10 million for information leading to the identification or location of Guan, and the FBI has added him to its Cyber’s Most Wanted list.

The announcements made by the US government are not surprising. In late October, Sophos revealed that it had developed and used custom implants to surveil the hackers who had been targeting its products. In early November, the FBI asked the public for help in identifying the hackers behind the Sophos campaign.

“[…] We were able to link much of the attackers’ exploit research and development to the Sichuan region of China, specifically, the Sichuan Silence Information Technology’s Double Helix Research Institute,” Ross McKerchar, CISO at Sophos, told SecurityWeek in emailed comments. 

“In addition, after neutralizing a wave of attacks we named Asnarok, we uncovered links between the attacks and a person who went by the moniker GBigMao. Today, we are pleased that the Department of Justice has unsealed its indictment of Gbigmao, aka Guan Tianfeng, and the Treasury has sanctioned Sichuan Silence. This is a positive step towards disrupting these attackers’ operation,” McKerchar added.

Related: NCSC Details ‘Pygmy Goat’ Backdoor Planted on Hacked Sophos Firewall Devices

Related: CISA Warns of Zyxel Firewall Vulnerability Exploited in Attacks

Related: 2,000 Palo Alto Firewalls Compromised via New Vulnerabilities

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
