China Sanctions Hit: Sichuan Silence Accused of Ransomware Attacks (Sophos Zero-Day Exploited)


In a significant move, the U.S. Department of the Treasury has sanctioned Chinese cybersecurity company Sichuan Silence and one of its employees for their involvement in a series of ransomware attacks targeting U.S. critical infrastructure and other victims worldwide. The attacks, which occurred in April 2020, utilized a zero-day vulnerability (CVE-2020-12271) in Sophos XG firewalls, putting countless businesses at risk.


The Actors:

  • Sichuan Silence: A Chengdu-based cybersecurity firm identified as a government contractor with ties to Chinese intelligence services. The company reportedly offers services like network exploitation, password cracking, and email monitoring.
  • Guan Tianfeng (GbigMao): A Sichuan Silence employee and security researcher who allegedly discovered the zero-day exploit used in the attacks.

The Attacks:

  • April 2020: Tianfeng exploited the Sophos XG firewall vulnerability to deploy malware to roughly 81,000 firewalls globally. The attackers aimed to steal data (usernames/passwords) and potentially infect systems with Ragnarok ransomware.
  • Targets: Over 23,000 compromised firewalls were located in the U.S., including critical infrastructure companies like an energy drilling firm. A successful ransomware attack could have had devastating consequences.

Government Response:

  • Treasury Department Sanctions: Sichuan Silence and Tianfeng were sanctioned, prohibiting U.S. entities from engaging with them and freezing any U.S.-based assets they may hold.
  • Department of Justice Indictment: The DOJ unsealed an indictment against Tianfeng.
  • State Department Reward: A $10 million reward was offered for information leading to the capture of Tianfeng or details about Sichuan Silence's activities.

Sophos Involvement:

  • Patching and Remediation: After detecting the attacks, Sophos released a patch to fix the vulnerability and removed the malicious scripts using a hotfix.
  • Dead Man Switch: The attackers implemented a "dead man switch" that could have triggered ransomware deployment upon firewall neutralization (fortunately, it was thwarted).
  • Sophos CISO Statement: Ross McKerchar, Sophos CISO, acknowledged a five-year operation targeting these Chinese attackers and expressed satisfaction with the recent sanctions and indictments.

Protecting Yourself from Similar Attacks:

  • Keep Software Updated: Regularly update your firewalls, operating systems, and other software to address security vulnerabilities.
  • Strong Passwords: Implement complex and unique passwords for all accounts.
  • Multi-Factor Authentication (MFA): Enable MFA wherever available to add an extra layer of security.
  • Regular Backups: Back up your data consistently to minimize potential ransomware damage.
  • Security Awareness Training: Train employees on cybersecurity best practices to identify and avoid phishing attempts and social engineering tactics.

Conclusion:

The U.S. government's sanctions against Sichuan Silence and Tianfeng send a strong message that cyberattacks targeting critical infrastructure will not be tolerated. By staying informed about the latest threats, implementing robust security measures, and remaining vigilant, businesses and individuals can significantly reduce their risk of falling victim to similar ransomware attacks.

Post a Comment

أحدث أقدم