Treasury sanctions Chinese cyber company, employee for 2020 global firewall attack

A Chinese cybersecurity company and one of its employees were sanctioned Tuesday by the Treasury Department for their roles in an April 2020 cyberattack that unleashed malware on tens of thousands of firewalls around the globe, including a huge chunk belonging to U.S. critical infrastructure operators.

Treasury’s Office of Foreign Assets Control said Guan Tianfeng, who worked as a security researcher at Sichuan Silence Information Technology Company Ltd., found a zero-day exploit in a firewall product, and used that exploit to seed malware to roughly 81,000 firewalls in use by thousands of businesses worldwide.  

According to Treasury’s OFAC, Guan — who entered cybersecurity competitions representing Sichuan Silence and posted zero-day exploits to various forums — leveraged this exploit to steal usernames, passwords and other data. He also tried to infect the systems of victims with the Ragnarok ransomware variant, according to OFAC, which disables anti-virus software and encrypts computers that try to fix the compromise.

Tuesday’s sanctions underscore Treasury’s “commitment to exposing these malicious cyber activities — many of which pose significant risk to our communities and our citizens — and to holding the actors behind them accountable for their schemes,” Bradley T. Smith, acting under secretary of the Treasury for terrorism and financial intelligence, said in a statement. “Treasury, as part of the U.S. government’s coordinated approach to addressing cyber threats, will continue to leverage our tools to disrupt attempts by malicious cyber actors to undermine our critical infrastructure.”

Of the more than 23,000 firewalls in the U.S. that were compromised during the April 22-25, 2020 attack, 36 guarded systems of critical infrastructure companies, Treasury said. One impacted U.S. operator was an energy company that was actively drilling during the incident; had the ransomware attack not been stopped, oil rigs could have broken down.

“If any of these victims had failed to patch their systems to mitigate the exploit, or cybersecurity measures had not identified and quickly remedied the intrusion, the potential impact of the Ragnarok ransomware attack could have resulted in serious injury or the loss of human life,” OFAC’s press release stated.

As part of Treasury’s sanctions, all transactions involving U.S. property and interests in U.S. property of Guan and Sichuan Silence are blocked and must be reported to OFAC. Additionally, transactions tied to any owned entities by Guan or the company — either directly, indirectly, individually or in the aggregate at more than 50% — are also blocked. Financial institutions or individuals that engage with those sanctioned parties in transactions “may expose themselves to sanctions or be subject to an enforcement action,” OFAC warned. 

According to the Treasury, Guan also faces a Department of Justice indictment for his role in the attack, while the State Department is offering an award of up to $10 million for information about him or Sichuan Silence.

The post Treasury sanctions Chinese cyber company, employee for 2020 global firewall attack appeared first on CyberScoop.