The US government has sanctioned Sichuan Silence and one of its employees for the mass compromise of firewalls which led to the deployment of malware and ransomware
# Incident Report: Global Firewall Compromise via Zero-Day Exploit (April 2020)
## Executive Summary
Between April 22 and April 25, 2020, a large, coordinated attack leveraged a zero-day vulnerability (CVE-2020-12271) in widely used firewalls to compromise approximately 81,000 devices globally, including 23,000 systems in the US. The primary objectives were credential theft and the deployment of the Asnarök Trojan and Ragnarok ransomware. The US government sanctioned the responsible Chinese contractor, Sichuan Silence Information Technology Company, and its employee Guan Tianfeng, citing the potential for severe real-world impact on critical infrastructure.
## Incident Details
- Discovery Date: Not explicitly stated; implied to be shortly after the attack window (April 22–25, 2020), with the subsequent investigation leading to the sanctions announcement.
- Incident Date: April 22–25, 2020
- Affected Organization: Approximately 81,000 businesses worldwide, including US critical infrastructure firms.
- Sector: Diverse, including Critical Infrastructure (Energy, potentially others).
- Geography: Worldwide, with over 23,000 affected firewalls in the US.
## Timeline of Events
### Initial Access
- Date/Time: April 22, 2020
- Vector: Exploitation of a zero-day SQL injection vulnerability (CVE-2020-12271) in firewalls.
- Details: Employee Guan Tianfeng, using the moniker GbigMao, allegedly discovered and weaponized the zero-day exploit.
### Lateral Movement
- Date/Time: During or immediately following initial access.
- Vector: Command injection privilege escalation.
- Details: Attackers utilized command injection techniques to escalate privileges to gain **root access** on the compromised firewall devices.
### Data Exfiltration/Impact
- Date/Time: Ongoing during the 4-day window.
- Details: Attackers installed the **Asnarök Trojan** to steal data, specifically usernames and passwords from the firewalls. Attempts were also made to deploy the **Ragnarok ransomware** variant onto victim systems. The impact on critical infrastructure could have resulted in serious injury or loss of life (e.g., malfunctioning of oil rigs).
### Detection & Response
- Date/Time: Post-April 2020; sanctions announced sometime later.
- Details: The response included investigation by US authorities (FBI, Treasury OFAC). The formal response consisted of sanctions against Sichuan Silence and Guan Tianfeng and a substantial reward offer for information. Mitigation for victims involved patching the vulnerability (CVE-2020-12271).
## Attack Methodology
- Initial Access: Exploitation of zero-day SQLi vulnerability (CVE-2020-12271) in perimeter firewalls.
- Persistence: Installation of the Asnarök Trojan.
- Privilege Escalation: Command injection to gain root access.
- Defense Evasion: Exploiting a software vulnerability unknown to vendors/users (zero-day).
- Credential Access: Extraction of usernames and passwords from compromised firewalls using the deployed malware.
- Discovery: (Implied) Reconnaissance to identify vulnerable firewall types globally.
- Lateral Movement: (Not explicitly detailed beyond root access on the firewalls themselves, but the goal was to infect downstream systems).
- Collection: Stealing credentials from the firewalls.
- Exfiltration: Use of Asnarök Trojan for data theft.
- Impact: Deployment of ransomware (Ragnarok variant) and operational disruption risk to critical infrastructure.
## Impact Assessment
- Financial: Not quantified, but significant costs are associated with remediation, investigation, and potential downtime across 81,000 organizations. The sanctions block the designated parties' assets under US jurisdiction.
- Data Breach: Usernames and passwords were stolen from the firewalls.
- Operational: High potential for severe operational disruption, particularly for the 36 critical infrastructure companies in the US whose systems were targeted by impending ransomware deployment.
- Reputational: Minimal immediate public impact reported, but sanctions highlight severe national security implications.
## Indicators of Compromise
- Network indicators: None provided; the source does not specify any network endpoints.
- File indicators: Asnarök Trojan, Ragnarok ransomware variant.
- Behavioral indicators: Unauthorized remote file execution via SQL injection, elevated privilege acquisition (root access) on network perimeter devices.
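The two behavioural indicators above (injection-style input reaching a perimeter device's management service, followed by a service account acquiring root) are the kind of signal the post-exploitation monitoring in the Recommendations section should catch. The following triage script is an added example written for this summary; it is not code from the report, from the sanctioned parties, or from any firewall vendor. The log formats, the timestamps, the IP addresses, the service-account names (`webadmin`, `dbsvc`) and every sample line are constructed for illustration, and a real deployment would read the device's own access and process-audit logs instead.

```python
"""
Added example: correlate SQL-injection-style requests against a firewall's
management interface with a later privilege escalation to root by a service
account. All log formats, field names and sample lines are constructed.
"""
import re
from datetime import datetime
from urllib.parse import unquote_plus

# Constructed access log for the management UI: "<ts> <src> <method> <target> <status>"
ACCESS_LOG = """\
2020-04-22T03:11:05Z 203.0.113.7 GET /userportal/index.html 200
2020-04-22T03:11:09Z 203.0.113.7 POST /login?user=admin%27%3B+SELECT+1--+ 302
2020-04-22T03:11:10Z 203.0.113.7 POST /api/sync?name=a%27+UNION+SELECT+pass+FROM+users--+ 200
2020-04-22T03:12:01Z 198.51.100.5 GET /webconsole/status 200
"""

# Constructed process-audit log from the same device: "<ts> uid=... euid=... exec=..."
PROCESS_LOG = """\
2020-04-22T03:11:12Z uid=webadmin euid=webadmin exec=/usr/bin/psql
2020-04-22T03:11:14Z uid=webadmin euid=root exec=/bin/sh
2020-04-22T03:15:30Z uid=root euid=root exec=/usr/sbin/cron
"""

# Quote followed by a statement separator, comment marker or SQL keyword,
# or an explicit UNION SELECT / SELECT ... FROM in the decoded request target.
SQLI_PATTERN = re.compile(
    r"('|\")\s*(;|--|or\b|and\b|union\b)|\bunion\s+select\b|\bselect\b.+\bfrom\b",
    re.IGNORECASE,
)

# Hypothetical unprivileged accounts under which the device's web/db services run.
SERVICE_ACCOUNTS = {"webadmin", "dbsvc"}


def _parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def find_sqli_requests(access_log):
    """Return requests whose URL-decoded target looks like SQL injection."""
    hits = []
    for line in access_log.splitlines():
        ts, src, method, target, status = line.split()
        decoded = unquote_plus(target)  # decode %27, %3B and '+' before matching
        if SQLI_PATTERN.search(decoded):
            hits.append({"ts": ts, "src": src, "method": method,
                         "target": decoded, "status": status})
    return hits


def find_root_escalations(process_log):
    """Return process events where a service account runs with an effective uid of root."""
    hits = []
    for line in process_log.splitlines():
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        if kv["uid"] in SERVICE_ACCOUNTS and kv["euid"] == "root":
            hits.append({"ts": ts, "uid": kv["uid"], "exec": kv["exec"]})
    return hits


def correlate(access_log, process_log, window_seconds=300):
    """Pair each suspicious request with any root escalation within the window after it."""
    alerts = []
    escalations = find_root_escalations(process_log)
    for req in find_sqli_requests(access_log):
        t0 = _parse_ts(req["ts"])
        for esc in escalations:
            delay = (_parse_ts(esc["ts"]) - t0).total_seconds()
            if 0 <= delay <= window_seconds:
                alerts.append({"src": req["src"], "request": req["target"],
                               "exec": esc["exec"], "delay_s": delay})
    return alerts


if __name__ == "__main__":
    for alert in correlate(ACCESS_LOG, PROCESS_LOG):
        print(f"ALERT: {alert['src']} sent {alert['request']!r}; "
              f"root shell {alert['exec']} started {alert['delay_s']:.0f}s later")
```

Either signal on its own is noisy (apostrophes occur in legitimate input, and some maintenance tasks legitimately run as root), so the script only raises an alert when the two occur on the same device within a short window; the window length and the service-account list are the parameters a defender would tune to the platform in question.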
## Response Actions
- Containment: (Implied) Victims patching the CVE-2020-12271 vulnerability to stop further exploitation.
- Eradication: (Implied) Removing the Asnarök Trojan from affected devices.
- Recovery actions: Not specified, though remediation following the ransomware attempts and credential theft would be essential. Additionally, OFAC blocked assets and the State Department offered a reward.
## Lessons Learned
- Zero-day vulnerabilities in widely deployed perimeter security devices (firewalls) offer high leverage to sophisticated actors, leading to massive global compromise.
- Supply chain/Contractor Risk: Government contractors specializing in offensive techniques pose a significant risk if their research capabilities are weaponized against global targets, even without direct state orders.
- Persistence of Chinese Threat Actors: There is a persistent, large-scale campaign by China-based groups targeting perimeter devices (as noted in the ‘Pacific Rim’ investigation).
## Recommendations
- Immediate patching of all known vulnerabilities in perimeter security devices (shortening the cycle from zero-day disclosure to remediation).
- Rigorous vetting and monitoring of third-party cybersecurity contractors, especially those with offensive research capabilities.
- Enhanced monitoring for post-exploitation activity (e.g., installation of Trojans) on network infrastructure, even after an initial connection has succeeded without raising alerts.
- Improved segmentation and layered defenses to prevent ransomware deployment from reaching critical operational technology environments, even if the perimeter is breached.