Scrape Timestamp (UTC): 2024-12-10 16:39:59.405
US sanctions Chinese firm for hacking firewalls in ransomware attacks

The U.S. Treasury Department has sanctioned Sichuan Silence, a Chinese cybersecurity company, and one of its employees for their involvement in a series of Ragnarok ransomware attacks targeting U.S. critical infrastructure companies and many other victims worldwide in April 2020.

According to the Department's Office of Foreign Assets Control (OFAC), Sichuan Silence is a Chengdu-based cybersecurity government contractor providing products and services to core clients like China's intelligence services. The company's services include computer network exploitation, brute-force password cracking, email monitoring, and public sentiment suppression.

OFAC says the zero-day used in the April 2020 campaign was discovered by security researcher and Sichuan Silence employee Guan Tianfeng (also known as GbigMao) in an unnamed firewall product.

"Between April 22 and 25, 2020, Guan Tianfeng used this zero-day exploit to deploy malware to approximately 81,000 firewalls owned by thousands of businesses worldwide," a press release published today revealed. "The purpose of the exploit was to use the compromised firewalls to steal data, including usernames and passwords. However, Guan also attempted to infect the victims' systems with the Ragnarok ransomware variant."

Out of all the targeted devices, over 23,000 compromised firewalls were in the United States, and 36 were protecting the networks of U.S. critical infrastructure companies. OFAC says that one of the victims was a U.S. energy company involved in drilling operations, and the attack could have led to significant loss of human life if the ransomware attacks had not been thwarted.

While OFAC didn't mention the name of the firewall products targeted in these attacks, the details match an April 2020 Ragnarok ransomware campaign that exploited a zero-day SQL injection vulnerability in Sophos XG firewalls.
The attackers initially used zero-day exploits to obtain remote code execution on Sophos XG firewalls and installed ELF binaries and scripts that were part of a malicious toolkit known as the Asnarök Trojan. After Sophos detected the attacks, it patched the devices and removed the malicious scripts using a hotfix. However, the threat actors had activated a 'dead man switch' that triggered a Ragnarok ransomware attack on Windows machines on the victims' networks.

On Tuesday, the Department of Justice (DOJ) also unsealed an indictment against Guan, and the U.S. State Department announced a reward offer of up to $10 million for information about Sichuan Silence or Guan through its Rewards for Justice program.

As a result of today's sanctions, U.S. organizations and citizens are prohibited from engaging in transactions with Guan and Sichuan Silence. Any U.S.-based assets tied to them will also be frozen, and U.S. financial institutions or foreign entities transacting with them will be exposed to penalties.
Daily Brief Summary
The U.S. Treasury Department imposed sanctions on Sichuan Silence, a Chinese cybersecurity firm, and its employee for their roles in the Ragnarok ransomware attacks targeting global businesses and U.S. critical infrastructure.
During April 2020, the sanctioned parties exploited a zero-day vulnerability in firewall products to deploy malware and steal sensitive data from approximately 81,000 firewalls worldwide.
Over 23,000 of the compromised firewalls belonged to U.S. businesses, including 36 that were part of critical infrastructure sectors such as energy, potentially endangering human lives.
The attack chain began with a zero-day SQL injection vulnerability in Sophos XG firewalls that gave the attackers remote code execution, after which Ragnarok ransomware was deployed; the activity was first detected on those firewall systems.
Post-detection, Sophos responded with patches and the removal of the malicious Asnarök Trojan scripts, but the attackers had already implemented a 'dead man switch' that triggered further ransomware attacks.
The U.S. Department of Justice unsealed an indictment against Guan Tianfeng, also known as GbigMao, and the U.S. State Department has offered a reward of up to $10 million for information on the activities of Guan or Sichuan Silence.
As a result of the sanctions, U.S. entities are barred from transacting with Guan and Sichuan Silence, with strong penalties being threatened for non-compliance, including freezing of assets and financial restrictions.