China-based hacker accused of deploying malware to exploit global firewall devices

Dec 11, 2024

Washington DC [US], December 11: A federal court in Hammond, Indiana, unsealed an indictment on Tuesday charging Guan Tianfeng, a citizen of the People's Republic of China (PRC), for his role in a 2020 conspiracy to hack firewall devices worldwide. Guan, along with his co-conspirators, exploited a previously unknown vulnerability in certain firewalls manufactured by UK-based Sophos Ltd., a cybersecurity company, the Office of Public Affairs of the US Department of Justice said in a press release.
According to the indictment, Guan and his team worked from the offices of Sichuan Silence Information Technology Co. Ltd. to discover and exploit the zero-day vulnerability. The malware they created was designed to steal data from infected computers and encrypt files if victims tried to remedy the infection. In total, the conspiracy infected around 81,000 firewall devices globally, including a device used by a US agency.
The malware's impact was mitigated when Sophos quickly identified the breach and deployed fixes within two days. The conspirators then attempted to modify their malware so that it would deploy ransomware encryption when victims tried to remove it, but these efforts ultimately failed.
The Justice Department has made it clear that it is committed to holding accountable malicious cyber actors, particularly those based in China, who pose a threat to global cybersecurity. "Today's indictment reflects the Justice Department's commitment to working with global partners to detect and hold accountable malicious cyber actors," said Deputy Attorney General Lisa Monaco.
Guan and his associates worked for Sichuan Silence, a PRC-based company with ties to the PRC Ministry of Public Security. The company has been involved in developing tools to scan and obtain intelligence from overseas network targets, raising concerns about its association with Chinese government interests.
In a separate report, Sophos revealed the "Pacific Rim" investigation, which details PRC-based hacking groups targeting its networking appliances over several years. One of the attacks identified in this report involved the CVE-2020-12271 vulnerability.
In response to the indictment, the US Department of State has announced rewards of up to USD 10 million for information leading to the identification or location of Guan. The US Department of the Treasury's Office of Foreign Assets Control has also imposed sanctions on Sichuan Silence and Guan.
This indictment serves as a reminder of the increasing threats to cybersecurity and the ongoing efforts by the US government to address these global challenges. The case is being prosecuted by the National Security Division's National Security Cyber Section, and the FBI continues to investigate related activities.