The Guan Tianfeng Case
The United States has indicted Chinese national Guan Tianfeng for orchestrating a massive cyberattack in 2020 that compromised approximately 81,000 Sophos firewall devices worldwide.
Guan, who also goes by gbigmao and gxiaomao, associated with Sichuan Silence Information Technology Company, is accused of exploiting a critical vulnerability to infiltrate these systems, exfiltrate sensitive data, and deploy malware.
The FBI had have offered
”a reward of up to $10 million for information on Guan Tianfeng, Sichuan Silence Technology Company Ltd., associated individuals or entities, or their malicious cyber activity.”
In response to these malicious activities, the U.S. Department of Justice charged Guan with conspiracy to commit computer fraud and conspiracy to commit wire fraud. Concurrently, the U.S. Treasury Department's Office of Foreign Assets Control (OFAC) imposed sanctions on Sichuan Silence and Guan. The company is believed to operate as a cybersecurity contractor for Chinese intelligence agencies, providing tools for network exploitation and surveillance.
The Exploit: CVE-2020-12271
The vulnerability at the heart of this breach, identified as CVE-2020-12271, is a severe SQL injection flaw in Sophos XG Firewall devices with a CVSS score: 9.8, which for those of you who don’t know, is about as critical of a vulnerability as it gets.
This pre-authentication vulnerability allowed attackers to execute remote code on unpatched devices, leading to unauthorized access and data theft. Notably, the attack began just one day after the vulnerability was reported to Sophos by researchers linked to Sichuan Silence's Double Helix Research Institute, raising concerns about the timing and intent behind the disclosure.
According to Sophos, the timeline of the actual attack was as follows:
Modus Operandi: From Data Theft to Ransomware
Upon exploiting the vulnerability, the attackers deployed the Asnarök trojan to steal sensitive information, including usernames and hashed passwords of local user accounts.
To mask their activities, they registered deceptive domains resembling legitimate Sophos domains, such as sophosfirewallupdate[.]com. When victims attempted to remove the malware, the attackers escalated their tactics by deploying the Ragnarok ransomware variant, aiming to further damage the compromised systems.
According to the DOJ,
"Guan and his co-conspirators designed the malware to steal information from firewalls… To better hide their activity, Guan and his co-conspirators registered and used domains designed to look like they were controlled by Sophos, such as sophosfirewallupdate[.]com."
Using fake, but believable URLs for this sort of attack are nothing new, but in this particular case, it seemed to work, and unfortunately did fool a lot people.
Impact on Critical Infrastructure
The ramifications of this cyberattack were profound, especially for critical infrastructure. Among the compromised devices, 36 were protecting U.S. critical infrastructure companies' systems.
The U.S. Treasury Department highlighted that
“More than 23,000 of the compromised firewalls were in the United States. Of these firewalls, 36 were protecting U.S. critical infrastructure companies’ systems. If any of these victims had failed to patch their systems to mitigate the exploit, or cybersecurity measures had not identified and quickly remedied the intrusion, the potential impact of the Ragnarok ransomware attack could have resulted in serious injury or the loss of human life. One victim was a U.S. energy company that was actively involved in drilling operations at the time of the compromise. If this compromise had not been detected, and the ransomware attack not been thwarted, it could have caused oil rigs to malfunction potentially causing a significant loss in human life.”
Conclusion
This case serves as a reminder of the cat and mouse game that is cyber security, particularly those targeting critical infrastructure. It underscores the urgency of proactive cybersecurity measures, such as timely vulnerability management, and the necessity for global cooperation to hold bad actors accountable.
As the digital landscape grows increasingly interconnected, the ability to detect, prevent, and respond to such threats is more crucial than ever, ensuring that no vulnerability becomes an open gateway for malicious exploitation.