Treasury sanctions Chinese cybersecurity company over 2020 cyber attack

The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) has sanctioned a Chinese cybersecurity company and one of its employees in relation to an April 2020 firewall incident.


The sanctions are against Sichuan Silence Information Technology Company and one of its employees, Guan Tianfeng, for their roles in the April 2020 compromise of tens of thousands of firewalls worldwide. Many of the victims were U.S. critical infrastructure companies.

“Today’s action underscores our commitment to exposing these malicious cyber activities—many of which pose significant risk to our communities and our citizens—and to holding the actors behind them accountable for their schemes,” Acting Under Secretary of the Treasury for Terrorism and Financial Intelligence Bradley Smith said. “Treasury, as part of the U.S. government’s coordinated approach to addressing cyber threats, will continue to leverage our tools to disrupt attempts by malicious cyber actors to undermine our critical infrastructure.”

OFAC alleges that in April 2020, Guan Tianfeng discovered a zero-day exploit in a firewall product. A zero-day is a previously unknown vulnerability in a software or hardware product that can be used in a cyberattack before the vendor has released a fix.

Between April 22 and 25, 2020, Guan Tianfeng used this zero-day exploit to deploy malware to approximately 81,000 firewalls owned by thousands of businesses worldwide. The purpose, said OFAC, was to use the compromised firewalls to steal data, including usernames and passwords. However, Guan also attempted to infect the victims’ systems with the Ragnarok ransomware variant. This ransomware disables anti-virus software and encrypts the computers on a victim’s network if they attempt to remedy the compromise.

More than 23,000 of the compromised firewalls were located in the United States while 36 of them were protecting U.S. critical infrastructure companies’ systems. If any of these victims had failed to patch their systems to mitigate the exploit, OFAC said the Ragnarok ransomware attack could have resulted in serious injury or the loss of human life.

One victim was a U.S. energy company that was actively involved in drilling operations at the time of the compromise. If this compromise had not been detected, it could have caused oil rigs to malfunction, potentially causing a significant loss of human life.

As a result of today’s action, all property and interests in property of the designated persons described above that are in the United States or in the possession or the control of U.S. persons are blocked and must be reported to OFAC. In addition, any entities that are owned, directly or indirectly, individually or in the aggregate, 50 percent or more by one or more blocked persons are also blocked.

In addition, financial institutions and other persons that engage in certain transactions or activities with the sanctioned entities and individuals may expose themselves to sanctions or be subject to an enforcement action.