URL: https://www.helpnetsecurity.com/2024/12/10/us-sanctions-sichuan-silence-guan-tianfeng/
Help Net Security
December 10, 2024


US SANCTIONS CHINESE CYBERSECURITY COMPANY FOR FIREWALL COMPROMISE, RANSOMWARE
ATTACKS



The Department of the Treasury is sanctioning Chinese cybersecurity company
Sichuan Silence and one of its employees, Guan Tianfeng, for their roles in the
April 2020 compromise of tens of thousands of firewalls worldwide. Among the
victims were U.S. critical infrastructure companies.



The Department of Justice unsealed an indictment on Guan for the same activity.
The U.S. Department of State also announced a Rewards for Justice reward offer
of up to $10 million for information about Sichuan Silence or Guan.

“Throughout our five-year offensive operation against interlinked, Chinese
nation-state adversaries — an operation we’ve named Pacific Rim — we
successfully gathered critical intelligence about their activities. Notably, we
could link much of the attackers’ exploit research and development to the
Sichuan region of China, specifically, the Sichuan Silence Information
Technology’s Double Helix Research Institute. In addition, after neutralizing a
wave of attacks we named Asnarok, we uncovered links between the attacks and a
person who went by the moniker GBigMao. Today, we are pleased that the
Department of Justice has unsealed its indictment of Gbigmao, aka Guan Tianfeng,
and the Treasury has sanctioned Sichuan Silence. This is a positive step towards
disrupting these attackers’ operation,” Ross McKerchar, CISO at Sophos, told
Help Net Security.


APRIL 2020 FIREWALL COMPROMISE

Guan Tianfeng discovered a zero-day vulnerability in Sophos firewall products
and developed an exploit for it. Between April 22 and 25, 2020, Guan used this
exploit to deploy malware to approximately 81,000 firewalls owned by thousands
of businesses worldwide.

The malware was designed to steal data from the compromised firewalls,
including usernames and passwords. Guan also attempted to infect the victims'
systems with the Ragnarok ransomware variant.

More than 23,000 of the compromised firewalls were in the United States. Of
these, 36 were protecting the systems of U.S. critical infrastructure companies.
One victim was a U.S. energy company actively involved in drilling operations at
the time of the compromise. Had the compromise not been detected and the
ransomware attack not been thwarted, it could have caused oil rigs to
malfunction.


GUAN TIANFENG AND SICHUAN SILENCE

Guan is a Chinese national and was a security researcher at Sichuan Silence at
the time of the compromise. Guan competed on behalf of Sichuan Silence in
cybersecurity tournaments and posted recently discovered zero-day exploits on
vulnerability and exploit forums, including under his moniker GbigMao. Guan was
responsible for the April 2020 firewall compromise.

Sichuan Silence is a Chengdu-based cybersecurity government contractor whose
core clients are PRC intelligence services. Sichuan Silence provides these
clients with computer network exploitation, email monitoring, brute-force
password cracking, and public sentiment suppression products and services.
Additionally, Sichuan Silence provides these clients with equipment designed to
probe and exploit target network routers. A pre-positioning device used by Guan
in the April 2020 firewall compromise was in fact owned by his employer, Sichuan
Silence.

OFAC is designating Sichuan Silence and Guan pursuant to Executive Order (E.O.)
13694, as amended by E.O. 13757, for being responsible for or complicit in, or
having engaged in, directly or indirectly cyber-enabled activities originating
from, or directed by persons located, in whole or in substantial part, outside
the United States that are reasonably likely to result in, or have materially
contributed to, a significant threat to the national security, foreign policy,
or economic health or financial stability of the United States and that have the
purpose or effect of harming, or otherwise significantly compromising the
provision of services by, a computer or network of computers that support one or
more entities in a critical infrastructure sector.
