A man holds a laptop computer as cyber code is projected onto him. REUTERS ILLUSTRATION
THE WATCH STAFF
A Chinese citizen has been indicted and the Chinese cybersecurity company for which he worked has been sanctioned for their alleged involvement in ransomware attacks that “could have resulted in serious injury or the loss of human life,” the U.S. Treasury Department said in a news release. The U.S. District Court for the Northern District of Indiana issued an arrest warrant for Guan Tianfeng, charging him with conspiracy to commit computer fraud and wire fraud.
The indictment, unsealed on December 10, 2024, accuses Guan, 30, and co-conspirators at Sichuan Silence Information Technology Co. Ltd. of discovering and exploiting a zero-day vulnerability, a flaw unknown to the software's developer and therefore unpatched at the time it is attacked. The vulnerability affected certain firewalls sold by U.K.-based Sophos Ltd., an information technology company that develops and markets cybersecurity products.
The hacking group allegedly cloaked their activity by using domains designed to look like they belonged to Sophos, Newsweek reported. Ross McKerchar, chief information security officer for Sophos, said in a statement that the hackers had shown “relentless determination.”
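The lookalike domains described above are the kind of thing a defender can hunt for in a firewall's own DNS logs. The following is an added example of such a check, not code from Sophos, the indictment, or this article: it scans constructed DNS query lines for domains that use a trusted vendor's name on an unexpected TLD, embed the name in a longer label, or sit one typo away from it. The log format, the vendor list and every domain in the sample are assumptions made for the example; the "last two labels" rule for the registrable domain is a simplification that real code would replace with the public suffix list.

```python
"""Flag DNS queries for domains that impersonate a trusted vendor name.

Added illustration of a lookalike-domain check over firewall DNS logs. It is
not code from Sophos, the indictment, or the article; the log format, vendor
list and all domains below are constructed for the example.
"""
import re
from typing import Optional

# Constructed: legitimate registrable domains for the vendor being impersonated.
TRUSTED = {"sophos": {"sophos.com", "sophos.net"}}
ALL_LEGIT = set().union(*TRUSTED.values())

# Constructed log lines in a hypothetical "timestamp source_ip query_name" format.
SAMPLE_LOG = """\
2020-04-23T01:02:03Z 10.0.0.5 update.sophos.com
2020-04-23T01:02:04Z 10.0.0.5 sophosfirewallupdate.com
2020-04-23T01:02:05Z 10.0.0.7 sophos.net
2020-04-23T01:02:06Z 10.0.0.9 sophas.com
2020-04-23T01:02:07Z 10.0.0.9 example.org
2020-04-23T01:02:08Z 10.0.0.9 sophos.co
"""

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<qname>\S+)$")


def registrable(qname: str) -> str:
    """Crude registrable domain: the last two labels.

    Simplification for the example; production code should consult the
    public suffix list so that names such as example.co.uk are handled.
    """
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(qname: str) -> Optional[str]:
    """Return a reason if the domain looks like vendor impersonation, else None."""
    reg = registrable(qname)
    if reg in ALL_LEGIT:
        return None  # genuine vendor domain, any subdomain is fine
    sld = reg.split(".")[0]  # second-level label, e.g. "sophas" in sophas.com
    for brand in TRUSTED:
        if sld == brand:
            return f"brand '{brand}' on unexpected TLD"
        if brand in sld:
            return f"brand '{brand}' embedded in '{sld}'"
        if edit_distance(sld, brand) <= 1:
            return f"'{sld}' is one edit from '{brand}'"
    return None


def scan(log_text: str) -> list[tuple[str, str, str]]:
    """Return (source_ip, query_name, reason) for every suspicious query."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash the hunt
        reason = classify(m["qname"])
        if reason:
            hits.append((m["src"], m["qname"], reason))
    return hits


if __name__ == "__main__":
    for src, qname, reason in scan(SAMPLE_LOG):
        print(f"{src} -> {qname}: {reason}")
```

Run against the constructed log, the scan flags sophosfirewallupdate.com, sophas.com and sophos.co while passing update.sophos.com and sophos.net, which is the triage a firewall administrator would want before deciding whether a query came from a vendor update check or from malware phoning home. Tune the distance threshold and the trusted list to the vendors actually present in an environment; a threshold of one edit is deliberately conservative to keep false positives low on short brand names.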
Sophos detected the intrusion and pushed a fix to the compromised firewalls within two days, which led the hackers to modify their malware so that any attempt to remove it would trigger ransomware, malware that encrypts victims' files and locks users out of their systems until a ransom is paid. “Their encryption efforts did not succeed, but demonstrated the conspirators’ disregard for the harm that they would cause to victims,” the Justice Department said in a news release.
Between April 22 and 25, 2020, Guan “used this zero-day exploit to deploy malware to approximately 81,000 firewalls owned by thousands of businesses worldwide,” the Treasury Department news release said. “More than 23,000 of the compromised firewalls were in the United States. Of these firewalls, 36 were protecting U.S. critical infrastructure companies’ systems. … (T)he potential impact of the Ragnarok ransomware attack could have resulted in serious injury or the loss of human life. One victim was a U.S. energy company that was actively involved in drilling operations at the time of the compromise. If this compromise had not been detected, and the ransomware attack not been thwarted, it could have caused oil rigs to malfunction potentially causing a significant loss in human life.”
The State Department’s Rewards for Justice program is offering a reward of up to $10 million for information on Guan, Sichuan Silence or anyone else involved in the cyberattacks. The Treasury Department imposed sanctions on both Guan and Sichuan Silence. Under the sanctions, all property and interests in property in the United States that belong to Guan, Sichuan Silence and anyone else responsible for the cyberattacks are blocked and must be reported to the Treasury Department’s Office of Foreign Assets Control.
Guan competed for Sichuan Silence in cybersecurity tournaments and posted zero-day exploits on forums, including some under his online handle GbigMao, the Treasury Department said. Sichuan Silence, based in Chengdu, is a cybersecurity government contractor whose core clients are Chinese intelligence services, Treasury said.
Cybersecurity contests have grown more popular around the world, and Chinese Communist Party General Secretary Xi Jinping has directed that China be transformed into a “cyber powerhouse.” Some competitions are sponsored by government agencies, including China’s Ministry of Public Security.
Experts told Newsweek that vulnerabilities discovered in these contests likely benefit Chinese security agencies. In testimony before the House Armed Services Committee on March 12, 2024, Gen. Gregory Guillot, commander of the North American Aerospace Defense Command and U.S. Northern Command, warned of China’s “world-class offensive cyber capabilities.”