2024-12-17

U.S. Treasury Sanctions Sichuan Silence for Firewall Exploits and Ransomware Attacks

Level: Strategic | Source: Treasury.gov | Global

The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) has announced sanctions against Sichuan Silence Information Technology Company, Limited, and its employee Guan Tianfeng for their involvement in a large-scale cybersecurity campaign. This attack, which took place between April 22 and 25, 2020, compromised over 81,000 firewalls worldwide, including more than 23,000 in the United States. Notably, 36 of these compromised devices were protecting critical infrastructure companies. The breach, which exploited a zero-day vulnerability (CVE-2020-12271) in Sophos XG firewalls, allowed Guan to steal credentials and attempt to deploy the Ragnarok ransomware. The ransomware variant was designed to disable antivirus protections and encrypt victims' systems if attempts were made to mitigate the intrusion. According to the Treasury, the potential impacts of these actions could have included serious disruptions, particularly for a U.S. energy company involved in drilling operations at the time.

Sichuan Silence is a cybersecurity contractor for Chinese intelligence services, offering capabilities such as network exploitation, brute-force password cracking, and email monitoring. Guan, who operated under the alias "GbigMao," was responsible for discovering and exploiting the zero-day vulnerability. The exploit facilitated the deployment of the Asnarök Trojan toolkit, which enabled data exfiltration and remote code execution on affected firewalls. Following detection by Sophos, a hotfix was issued to remove the malicious scripts, but Guan's toolkit contained a "dead man switch" that would have initiated a Ragnarok ransomware attack if mitigations failed. This ransomware posed a severe risk, as successful deployment could have led to malfunctions in critical infrastructure and potential loss of human life.

In response to these actions, the Department of Justice unsealed an indictment against Guan, while the U.S. State Department offered a $10 million reward for information leading to his capture. The sanctions imposed by OFAC mean all U.S.-based assets linked to Sichuan Silence and Guan are frozen, and U.S. citizens are prohibited from engaging in transactions with them. Additionally, foreign entities that interact with the sanctioned parties may face penalties.
