US Unseals Charges Against Chinese Hacker for Exploiting 81,000 Sophos Firewalls

Published on December 11, 2024
Written by:
Novak Bozovic
Tech & VPN Content Specialist

The Office of Public Affairs of the US Department of Justice has announced that a federal court in Hammond, Indiana, today unsealed an indictment charging a citizen of the People’s Republic of China. The defendant is Guan Tianfeng (known online as “gbigmao” and “gxiaomao”), who is accused of hacking into firewall devices worldwide in 2020.

Guan worked at Sichuan Silence Information Technology Company, a private firm that has provided services to China’s Ministry of Public Security. The company is believed to have developed a product line for scanning and profiling overseas network targets in order to collect intelligence.

FBI Wanted Poster Guan Tianfeng
Image Source: FBI

More precisely, Guan is believed to have identified and exploited a zero-day vulnerability later designated CVE-2020-12271, a severe SQL injection flaw that allowed remote code execution on affected Sophos firewalls. After receiving a bug bounty report on it that the company described as “simultaneously highly helpful yet suspicious,” Sophos traced connections to Sichuan Silence’s Double Helix Research Institute.

In 2022, a similar situation occurred when Sophos received bug bounty reports on two separate flaws: CVE-2022-1040, a critical authentication bypass in Sophos firewalls, and CVE-2022-1292, a command injection bug in OpenSSL’s c_rehash script. Sophos later named this series of campaigns “Pacific Rim” and published a detailed report on it in October 2024.

"Guan Tianfeng is wanted for his alleged role in conspiring to access Sophos firewalls without authorization, cause damage to them, and retrieve and exfiltrate data from both the firewalls themselves and the computers behind these firewalls," as the US Federal Bureau of Investigation notes, adding that "the exploit was used to infiltrate approximately 81,000 firewalls."

Of those 81,000 firewalls, more than 23,000 were in the United States, and 36 protected the systems of US critical infrastructure companies.

The US Department of State is offering a reward of up to $10 million for information leading to the identification or location of Guan Tianfeng or any other person connected to this case. The US Department of the Treasury has also announced sanctions against Sichuan Silence and Guan.
