Full Report
The department’s Office of Foreign Assets Control said Guan Tianfeng used a zero-day exploit to deploy malware on 81,000 firewalls. Source: CyberScoop, "Treasury sanctions Chinese cyber company, employee for 2020 global firewall attack".
Analysis Summary
# Threat Actor: Guan Tianfeng and Sichuan Silence Information Technology Company Ltd. (Sanctioned Entities)
## Attribution & Identity
The primary identified actor is **Guan Tianfeng**, an individual employed as a security researcher at the Chinese cybersecurity company, **Sichuan Silence Information Technology Company Ltd.** The U.S. Treasury Department sanctioned both the individual and the company for their role in a specific cyberattack.
## Activity Summary
The actor(s) were responsible for a massive cyberattack in **April 2020** that exploited a zero-day vulnerability in a firewall product. The objective appears to have been gaining widespread access, stealing data, and deploying ransomware. An estimated **81,000 firewalls** globally were seeded with malware.
## Tactics, Techniques & Procedures
- **Exploitation of Zero-Day Vulnerability:** Guan Tianfeng discovered and leveraged a zero-day exploit in a firewall product.
- **Malware Deployment:** Deployed malware across compromised firewalls.
- **Data Exfiltration:** Stole usernames, passwords, and other sensitive data from infected systems.
- **Ransomware Deployment:** Attempted to infect targeted systems with the **Ragnarok ransomware** variant.
- **Defense Evasion:** Ragnarok variant is noted for disabling anti-virus software.
- **Public Disclosure/Competition:** Guan Tianfeng reportedly represented Sichuan Silence in cybersecurity competitions and posted zero-day exploits to various forums (implying capability demonstration or potential dual-use activities).
## Targeting
- Sectors: **Critical Infrastructure Operators** (specifically mentioned: an energy company) were among the targets.
- Geography: **Global** compromise, including over 23,000 firewalls in the U.S.
- Victims: Thousands of businesses worldwide; 36 U.S. critical infrastructure companies were impacted.
## Tools & Infrastructure
- **Malware families used:** Ragnarok ransomware variant.
- **Infrastructure (C2, domains, IPs):** No specific C2 domains or IPs were provided in the text; the initial vector was the zero-day exploit in the firewall hardware/software.
## Implications
The attack demonstrated the capability to leverage zero-day vulnerabilities for widespread global impact, specifically targeting foundational network devices (firewalls). The potential deployment of Ragnarok ransomware against active critical infrastructure (such as oil-drilling rigs) underscores a capability for disruption that could have led to **serious injury or the loss of human life** had mitigations failed. The U.S. government response signals a commitment to holding actors behind such global disruption accountable via financial sanctions.
## Mitigations
- **Patch Management:** Operators of critical systems must ensure timely patching to close known vulnerabilities (especially relevant here, since the initial access vector was a zero-day for which no patch was yet available, so exposure persisted until the vendor fix was released and deployed).
- **Cybersecurity Measures:** Employ strong cybersecurity measures capable of identifying and quickly remediating intrusions.
- **Compliance/Vigilance:** Entities must monitor transactions involving Guan Tianfeng and Sichuan Silence Information Technology Company Ltd. due to U.S. sanctions blocking their property and interests.