Full Report
Sichuan Silence Information Technology Company and one of its employees, Guan Tianfeng, were the targets of the sanctions, and the Justice Department indicted Guan for his role in the attacks. The State Department also issued a $10 million reward for additional information on the company or Guan.
Analysis Summary
# Threat Actor: Sichuan Silence Information Technology Company & Guan Tianfeng
## Attribution & Identity
* **Primary Entity:** Sichuan Silence Information Technology Company (Chengdu-based).
* **Key Individual:** Guan Tianfeng (known researcher alias GbigMao).
* **Attribution:** Chinese cybersecurity company sanctioned by the U.S. Department of Justice and State Department; publicly accused of acting as a contractor for Chinese intelligence services, including the Ministry of Public Security.
* **Associated Groups/Activity:** Mentioned in the context of Sophos's long-running tit-for-tat battle with researchers linked to Sichuan Silence. Sophos noted that this actor group handed off vulnerabilities that were subsequently used in espionage operations by APT41, APT31, and Volt Typhoon.
* **Other Associations:** Linked to disinformation campaigns identified by Meta and mentioned in leaks pertaining to another shadowy security firm, I-Soon.
## Activity Summary
The actor conducted a large-scale global compromise starting in April 2020 by exploiting a zero-day vulnerability in an unnamed popular firewall product (subsequently inferred to be Sophos's XG firewall). They compromised approximately 81,000 firewalls globally. The goals were data theft, including credentials, and staging for ransomware deployment.
## Tactics, Techniques & Procedures
* **Vulnerability Discovery/Exploitation:** Discovered and weaponized a zero-day vulnerability (later associated with CVE-2020-12271, a pre-auth SQL injection on Sophos XG firewalls).
* **Initial Access:** Gained remote access via compromised firewall devices.
* **Persistence/Impact:** Used exploited devices to install malware and attempted to deploy Ragnarok ransomware.
* **Data Exfiltration:** Targeted theft of usernames and passwords.
* **Disinformation/Espionage Support:** Allegedly provided intelligence services with discovered zero-day bugs which were subsequently used by nation-state groups like APT41 and APT31.
## Targeting
* **Sectors:** Critical Infrastructure (including an energy company involved in drilling operations), general businesses worldwide.
* **Geography:** Global; targeted over 23,000 firewalls in the U.S.
* **Victims:** Thousands of businesses worldwide; specifically targeted 36 U.S. critical infrastructure firewalls.
## Tools & Infrastructure
* **Malware families used:** Ragnarok ransomware.
* **Infrastructure (C2, domains, IPs):** Not explicitly detailed, but activity relied on exploiting network edge devices (firewalls).
## Implications
The campaign demonstrated a high level of technical proficiency (zero-day discovery and exploitation) and resulted in a massive global network compromise. The direct targeting of U.S. critical infrastructure, particularly the energy sector, would have posed a severe physical safety risk had the ransomware deployment not been thwarted. The actor's documented relationship with Chinese intelligence services suggests that its operations blur the line between criminal activity and state-sponsored espionage.
## Mitigations
* Focus on securing and rapidly updating edge devices such as routers, firewalls, and VPN services, which are high-value targets for adversarial groups tied to state actors.
* Transparency regarding newly discovered vulnerabilities is critical for rapid defense staging.
* Strong partnership between vendors (like Sophos) and law enforcement (like the FBI/DOJ) is necessary to counter these multi-faceted threats.