
China-based hacker charged with global firewall exploitation conspiracy

LEGAL NEWSLINE

Friday, December 20, 2024



U.S. Attorney Clifford D. Johnson | U.S. Department of Justice

A federal court in Hammond, Indiana, has unsealed an indictment charging Guan Tianfeng, a citizen of the People's Republic of China, with conspiring to hack into firewall devices worldwide. Guan and his co-conspirators are accused of working from Sichuan Silence Information Technology Co. Ltd., exploiting a previously unknown vulnerability in firewalls sold by U.K.-based Sophos Ltd. The malware they developed was designed to steal information and encrypt files on infected computers.

Deputy Attorney General Lisa Monaco stated, "The defendant and his co-conspirators exploited a vulnerability in tens of thousands of network security devices, infecting them with malware designed to steal information from victims around the world." She emphasized the Justice Department's commitment to holding malicious cyber actors accountable.

Assistant Attorney General for National Security Matthew G. Olsen remarked on the compromised firewalls: "The Department of Justice will hold accountable those who contribute to the dangerous ecosystem of China-based enabling companies that carry out indiscriminate hacks."

FBI Assistant Director Bryan Vorndran highlighted law enforcement actions that prevented further victimization: "Our law enforcement actions, technical expertise, and enduring partnerships with private companies, like Sophos, demonstrate the reputation of the FBI as being a reliable and effective partner for stopping this malicious activity."

U.S. Attorney Clifford D. Johnson for the Northern District of Indiana added, "Guan Tianfeng and his co-conspirators placed thousands of computer networks at risk by conducting this attack."

Special Agent in Charge Herbert J. Stapleton praised Sophos's rapid response: "If Sophos had not rapidly identified the vulnerability and deployed a comprehensive response, the damage could have been far more severe."

The indictment details how Guan and his associates targeted approximately 81,000 Sophos firewalls using a 0-day vulnerability later designated CVE-2020-12271. They attempted to disguise their activities by registering domains resembling those controlled by Sophos.

Court documents reveal that Guan worked for Sichuan Silence, which has ties to PRC government organizations such as the Ministry of Public Security. Following revelations by Sophos about long-running investigations into PRC-based threat groups targeting its appliances, the FBI issued calls for information regarding these intrusions.

In addition to legal proceedings against Guan, sanctions were announced against him and Sichuan Silence by U.S. authorities. The U.S. Department of State also offered rewards for information leading to their identification or location in connection with malicious cyber activities against U.S. infrastructure.

The case is prosecuted by Trial Attorneys Jacques Singer-Emery and George Brown along with Assistant U.S. Attorney Steven J. Lupa.

An indictment remains an allegation until the defendant is proven guilty beyond a reasonable doubt in court.
