The department’s Office of Foreign Assets Control said Guan Tianfeng used a zero-day exploit to deploy malware on 81,000 firewalls.
A Chinese cybersecurity company and one of its employees were sanctioned Tuesday by the Treasury Department for their roles in an April 2020 cyberattack that unleashed malware on tens of thousands of firewalls around the globe, including a huge chunk belonging to U.S. critical infrastructure operators.
Treasury’s Office of Foreign Assets Control said Guan Tianfeng, who worked as a security researcher at Sichuan Silence Information Technology Company Ltd., found a zero-day exploit in a firewall product, and used that exploit to seed malware to roughly 81,000 firewalls in use by thousands of businesses worldwide.
According to Treasury’s OFAC, Guan — who entered cybersecurity competitions representing Sichuan Silence and posted zero-day exploits to various forums — leveraged this exploit to steal usernames, passwords and other data. He also tried to infect victims’ systems with the Ragnarok ransomware variant, which, according to OFAC, disables anti-virus software and encrypts the computers of victims that try to fix the compromise.
Tuesday’s sanctions underscore Treasury’s “commitment to exposing these malicious cyber activities — many of which pose significant risk to our communities and our citizens — and to holding the actors behind them accountable for their schemes,” Bradley T. Smith, acting under secretary of the Treasury for terrorism and financial intelligence, said in a statement. “Treasury, as part of the U.S. government’s coordinated approach to addressing cyber threats, will continue to leverage our tools to disrupt attempts by malicious cyber actors to undermine our critical infrastructure.”
Of the more than 23,000 firewalls in the U.S. that were compromised during the April 22-25, 2020 attack, 36 guarded the systems of critical infrastructure companies, Treasury said. One affected U.S. operator was an energy company that was actively drilling during the incident; had the ransomware attack not been stopped, oil rigs could have broken down.
“If any of these victims had failed to patch their systems to mitigate the exploit, or cybersecurity measures had not identified and quickly remedied the intrusion, the potential impact of the Ragnarok ransomware attack could have resulted in serious injury or the loss of human life,” OFAC’s press release stated.
As part of Treasury’s sanctions, all transactions involving U.S. property and interests in U.S. property of Guan and Sichuan Silence are blocked and must be reported to OFAC. Additionally, transactions tied to any entities owned by Guan or the company — directly or indirectly, individually or in the aggregate, at more than 50% — are also blocked. Financial institutions or individuals that engage in transactions with those sanctioned parties “may expose themselves to sanctions or be subject to an enforcement action,” OFAC warned.
According to the Treasury, Guan also faces a Department of Justice indictment for his role in the attack, while the State Department is offering a reward of up to $10 million for information about him or Sichuan Silence.
Written by Matt Bracken
Matt Bracken is the managing editor of FedScoop and CyberScoop, overseeing coverage of federal government technology policy and cybersecurity. Before joining Scoop News Group in 2023, Matt was a senior editor at Morning Consult, leading data-driven coverage of tech, finance, health and energy. He previously worked in various editorial roles at The Baltimore Sun and the Arizona Daily Star. You can reach him at matt.bracken@scoopnewsgroup.com.