The U.S. Department of Justice (DoJ) has indicted Guan Tianfeng, a Chinese national, for allegedly exploiting a zero-day vulnerability in Sophos firewalls, compromising around 81,000 devices globally in 2020. Guan is accused of deploying malware to steal sensitive data and breach critical infrastructure systems.
The exploited vulnerability, CVE-2020-12271, carried a critical CVSS score of 9.8. It was an SQL injection flaw that allowed attackers to gain unauthorized access to Sophos firewall devices. Of the affected devices, over 23,000 were in the United States, including 36 systems tied to critical infrastructure. Guan, who operated under the aliases gbigmao and gxiaomao, worked for Sichuan Silence Information Technology Co., Ltd., a company with alleged connections to the Chinese government.
According to the indictment, Guan and his associates designed malware to extract data and disrupt firewall operations. The FBI has called for public assistance in identifying other individuals involved, as investigations into the attack continue.
The charges against Guan also include deploying a ransomware variant, Ragnarok, to encrypt files on the systems of victims who attempted to remove the infections. The group disguised its operations by using deceptive domains such as sophosfirewallupdate.com to appear legitimate.
Sophos had already recognized the increasing sophistication of cyberattacks targeting its devices by 2021. The company attributed many of these incidents to advanced persistent threat (APT) groups with specialized knowledge of its systems. Following the attack, Sophos implemented swift countermeasures to mitigate further exploitation. The U.S. Treasury Department highlighted the severe potential impact of such vulnerabilities, noting that failure to patch affected systems could have led to catastrophic outcomes, including injury or loss of life.
In response to these cyber activities, the U.S. government has imposed sanctions on Guan and Sichuan Silence, underscoring the national security risks posed by state-sponsored cyberattacks. The indictment is part of a broader strategy to address the challenges presented by foreign cyber actors, particularly those linked to the Chinese government.
The U.S. Department of State has announced rewards of up to $10 million for information leading to the identification of individuals involved in cyberattacks against U.S. critical infrastructure. Officials continue to stress the importance of global collaboration in cybersecurity efforts to counteract persistent threats from foreign adversaries.