Full Report
The U.S. government on Tuesday unsealed charges against a Chinese national for allegedly breaking into thousands of Sophos firewall devices globally in 2020. Guan Tianfeng (aka gbigmao and gxiaomao), who is said to have worked at Sichuan Silence Information Technology Company, Limited, has been charged with conspiracy to commit computer fraud and conspiracy to commit wire fraud. Guan has been
Analysis Summary
# Threat Actor: Guan Tianfeng (and associated group)
## Attribution & Identity
* **Name/Alias:** Guan Tianfeng (also known as gbigmao and gxiaomao).
* **Affiliation:** Allegedly operates from Sichuan Silence Information Technology Company, Limited (a Chengdu-based cybersecurity government contractor serving Chinese intelligence agencies).
* **Government Association:** Assessed to be acting under the direction of a foreign government (China/Chinese intelligence agencies).
## Activity Summary
Guan Tianfeng has been charged by the U.S. government for conspiring to break into thousands of Sophos firewall devices globally starting in 2020.
* **2020 Exploitation:** Developed and tested an exploit for a zero-day vulnerability (CVE-2020-12271), leading to the compromise of approximately 81,000 Sophos firewalls. The activity was linked to the theft of sensitive data using the Asnarök trojan and occurred shortly after a "helpful yet suspicious" bug bounty report had been submitted through Sophos channels by researchers associated with Sichuan Silence's Double Helix Research Institute.
* **2022 Exploitation:** Involved in the in-the-wild exploitation of **CVE-2022-1040** (Personal Panda) and **CVE-2022-1292**, following another security disclosure from a China-based researcher.
* **Post-Compromise Activity:** Designed malware to steal information from firewalls and deployed a variant of **Ragnarok ransomware** on infected Windows systems if victims attempted to remove artifacts, indicating an intent to cause disruption or data loss upon detection.
* **Information Operations:** In December 2021, Meta removed accounts linked to the associated entity, Sichuan Silence, for running COVID-19-related disinformation campaigns targeting English- and Chinese-speaking audiences.
## Tactics, Techniques & Procedures
* **Vulnerability Exploitation (Initial Access):** Developed and deployed weaponized zero-day and N-day vulnerabilities against perimeter defense equipment:
  * Exploitation of **CVE-2020-12271** (SQL injection leading to RCE). [Identified in 2020]
  * Exploitation of **CVE-2022-1040** (critical authentication bypass leading to arbitrary code execution). [Identified in 2022]
  * Exploitation of **CVE-2022-1292** (command injection in OpenSSL). [Identified in 2022]
* **Defense Evasion/Persistence:**
  * Used domain spoofing to hide malicious activity, registering domains designed to look as if they were controlled by Sophos (e.g., `sophosfirewallupdate[.]com`).
* **Impact:** Deployed malware designed for data exfiltration, and a Ragnarok ransomware variant in response to detection or remediation attempts.
* **MITRE ATT&CK Coverage (inferred from the description):** Initial Access (T1190), Collection (T1005), Command and Control (implied by the C2 domains), Impact (T1489 - Ransomware).
## Targeting
* **Sectors:** Critical Infrastructure (U.S. entities), general businesses.
* **Geography:** Global scope, with over 23,000 compromised firewalls identified in the United States alone.
* **Victims:** Specific organizations were not named, but the actor targeted systems protected by Sophos firewalls, including 36 U.S. critical infrastructure companies.
## Tools & Infrastructure
* **Malware families used:**
  * **Asnarök trojan** (used for stealing sensitive data post-exploitation in 2020).
  * **Ragnarok ransomware** variant (deployed against remediation attempts on Windows hosts).
* **Infrastructure:**
  * Used domains mimicking legitimate vendor update sites, such as `sophosfirewallupdate[.]com`.
## Implications
This activity demonstrates a persistent, sophisticated campaign by an actor linked to Chinese state interests, specifically targeting perimeter security devices (firewalls) at scale (81,000 devices). The targeting of U.S. critical infrastructure shows a high-stakes espionage and disruption capability. The link between reporting security flaws via bug bounty programs and simultaneous real-world exploitation suggests that "security research" may have served as a pretext or cover for zero-day deployment. The threat actor actively adapted their tools (deploying ransomware) when their initial access was threatened.
## Mitigations
* Immediately patch all Sophos firewall devices, especially against observed CVEs: CVE-2020-12271, CVE-2022-1040, and CVE-2022-1292.
* Employ robust network monitoring to detect unusual outbound connections or domain usage that mimics legitimate vendor URLs.
* Ensure comprehensive security hygiene across perimeter devices, as these actors specifically focus on exploiting known vendor flaws.
* Implement layered security defenses internally, as the actor pivoted to deploying ransomware on connected Windows systems once initial firewall exploitation was mitigated by the victim.
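The monitoring recommendation above calls for spotting domains that mimic a vendor's legitimate update sites. The following is an added example, not code from the original report or from Sophos, showing one way a defender could run that check over DNS query logs: a registrable domain that is not on an allowlist is flagged if its second-level label contains a vendor brand token (the pattern behind `sophosfirewallupdate[.]com`) or sits within a small edit distance of a vendor label (a typosquat). The allowlist, the brand token list, the log line format and the sample log lines are all constructed for the example; the registrable-domain extraction is a deliberately simple "last two labels" rule and would need a public suffix list for domains such as `example.co.uk`.

```python
import re

# Constructed allowlist of legitimate vendor domains (assumption: a defender
# would maintain this from the vendor's published update/telemetry hostnames).
ALLOWED_VENDOR_DOMAINS = {"sophos.com"}

# Brand tokens whose appearance in an unknown registrable domain is suspicious.
VENDOR_TOKENS = ("sophos",)

# An unknown second-level label this close (Levenshtein) to a vendor label
# is treated as a typosquat.
MAX_TYPO_DISTANCE = 2

# Constructed log format: "<timestamp> <client-ip> QUERY <qname> <qtype>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+QUERY\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$"
)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cost = 0 if ca == cb else 1
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost))
        prev = cur
    return prev[-1]


def registrable_domain(qname: str) -> str:
    """Naive registrable domain: the last two DNS labels, lower-cased."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname.lower()


def lookalike_reason(qname: str):
    """Return a reason string if qname looks like a vendor lookalike, else None."""
    rd = registrable_domain(qname)
    if rd in ALLOWED_VENDOR_DOMAINS:
        return None  # a real vendor domain (any subdomain of it) is fine
    sld = rd.split(".")[0]
    for token in VENDOR_TOKENS:
        if token in sld:
            return f"contains vendor token '{token}' outside the allowlist"
    for allowed in ALLOWED_VENDOR_DOMAINS:
        allowed_sld = allowed.split(".")[0]
        dist = levenshtein(sld, allowed_sld)
        if 0 < dist <= MAX_TYPO_DISTANCE:
            return f"edit distance {dist} from vendor label '{allowed_sld}'"
    return None


def scan_dns_log(lines):
    """Parse DNS query log lines and return findings for lookalike domains."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip rather than crash the scan
        reason = lookalike_reason(m["qname"])
        if reason:
            findings.append({
                "ts": m["ts"],
                "client": m["client"],
                "qname": m["qname"].lower(),
                "reason": reason,
            })
    return findings


# Constructed sample log lines; the first lookalike is the domain named in
# the report, the others are invented for the example.
SAMPLE_LOG = [
    "2020-04-23T10:15:02Z 10.0.1.5 QUERY update.sophos.com A",
    "2020-04-23T10:15:07Z 10.0.1.5 QUERY sophosfirewallupdate.com A",
    "2020-04-23T10:16:41Z 10.0.2.9 QUERY sophso.com A",
    "2020-04-23T10:17:03Z 10.0.2.9 QUERY cdn.sophos-update.net A",
    "2020-04-23T10:18:30Z 10.0.3.1 QUERY example.com AAAA",
    "this line is not a DNS query record",
]

if __name__ == "__main__":
    for f in scan_dns_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['client']} {f['qname']}: {f['reason']}")
```

Subdomains of an allowlisted domain are accepted, so the check flags only registrable domains the vendor does not control; a practitioner would feed it passive DNS or resolver logs and tune `MAX_TYPO_DISTANCE` down for short brand names, where distance 2 starts matching unrelated words.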