A cybersecurity firm in China and a Chinese national face sanctions and criminal charges for hacking into some 81,000 firewall devices around the world and obtaining information for Beijing’s intelligence services, federal authorities announced on Tuesday.
The federal indictment identified the Chinese hacker as Guan Tianfeng, who, along with others working for Sichuan Silence Information Technology Co. Ltd., broke into computers in the U.S. and other countries in 2020, according to the Justice Department indictment unsealed Tuesday in Indiana.
The charges include conspiracy to commit computer fraud and conspiracy to commit wire fraud.
The State and Treasury departments announced at the same time new economic sanctions on Mr. Guan and the Sichuan-based information security company, which has been linked in the past to fake accounts on Facebook. The State Department announced it is offering a $10 million bounty for information on both the company and the hacker.
Treasury’s Office of Foreign Assets Control said it is sanctioning Sichuan Silence and Mr. Guan — both based in China — for breaking into networks of a large number of U.S. companies, including those in charge of critical infrastructure such as energy production, electric grids, communications and financial networks.
The hackers also carried out ransomware attacks, encrypting information on compromised networks and demanding payment in exchange for releasing the data. The attacks involved a variant of malicious software called Ragnarok, the Treasury and Justice Departments disclosed in a statement and an unsealed indictment.
Of the 81,000 infected networks, more than 23,000 systems were in the U.S. and 36 involved breaches of firewalls used to protect U.S. critical infrastructure firms, Treasury said.
“If any of these victims had failed to patch their systems to mitigate the exploit, or cybersecurity measures had not identified and quickly remedied the intrusion, the potential impact of the Ragnarok ransomware attack could have resulted in serious injury or the loss of human life,” the Treasury statement said, adding that one victim was “a U.S. energy company that was actively involved in drilling operations at the time of the compromise.”
That hack, if left undetected, could have caused oil rigs to malfunction, potentially causing significant loss of life, the Treasury statement said.
The Treasury Department said Mr. Guan specialized in identifying and posting undetected “zero-day” exploits online under the code name GbigMao, while Sichuan Silence’s “core clients” were Chinese intelligence agencies.
At the State Department, spokesman Matthew Miller announced new sanctions against Sichuan Silence and Mr. Guan for compromising tens of thousands of computers including “firewalls at U.S. critical infrastructure companies.”
“Guan’s deployment of malware to U.S. critical infrastructure companies in April 2020 put American lives at risk,” Mr. Miller said.
Sichuan Silence, in addition to targeting foreign computer networks, provided its clients with equipment that can probe and exploit network routers, the Treasury Department said in its statement.
The sanctions are largely symbolic, freezing all property of Sichuan Silence and Mr. Guan in the United States and prohibiting U.S. financial transactions with the company and Mr. Guan.
Sichuan Silence also was mentioned by Meta, the corporate parent of Facebook, in a 2021 security report. Meta said that in blocking a Chinese network of fraudulent accounts it had removed 524 Facebook accounts.
“We began looking into this activity after reviewing public reporting about the single fake account at the center of this operation,” the report said. “Our investigation found links to individuals in mainland China, including employees of Sichuan Silence Information Technology Co, Ltd (an information security firm) and individuals associated with Chinese state infrastructure companies based around the world.”
According to federal investigators, the Chinese hacking operation planted malicious software through “zero-day” vulnerabilities — undisclosed software flaws that allow remote access to computer networks. The specific zero-day attack involved a widely used firewall product sold by the British company Sophos Ltd.
At least one U.S. government agency was victimized by the Chinese hackers, the Justice Department said in a statement.
In addition to stealing information from targeted computer networks, the Chinese hackers were able to encrypt all files on the victim networks as a ransomware attack if security officials attempted to counter the intrusion, the statement said.
The operation was carried out between July 2018 and May 2020 and the company worked for multiple Chinese government agencies, including the Ministry of Public Security, a national police and intelligence service, and the National Computer Network Emergency Response Technical Team/Coordination Center of China.
Sichuan Silence states on its webpage that its services include scanning and detecting overseas network targets for intelligence gathering.
“Today’s indictment underscores our commitment to protecting the public from malicious actors who use security research as a cover to identify vulnerabilities in widely used systems and exploit them,” said Clifford D. Johnson, U.S. Attorney for the Northern District of Indiana. “Guan Tianfeng and his co-conspirators placed thousands of computer networks, including a network in the Northern District of Indiana, at risk by conducting this attack.”
• Bill Gertz can be reached at bgertz@washingtontimes.com.