U.S. Attorney Clifford D. Johnson | U.S. Department of Justice
A federal court in Hammond, Indiana, has unsealed an indictment against Guan Tianfeng, a Chinese national, for allegedly conspiring to hack firewall devices globally in 2020. Guan and his associates at Sichuan Silence Information Technology Co. Ltd. exploited a previously unknown vulnerability in firewalls sold by Sophos Ltd., a UK-based cybersecurity firm. The malware they developed was intended to steal information and encrypt files if victims attempted to fix the infection. Approximately 81,000 firewall devices were affected worldwide, including one used by a U.S. agency.
Deputy Attorney General Lisa Monaco stated, "The defendant and his co-conspirators exploited a vulnerability in tens of thousands of network security devices, infecting them with malware designed to steal information from victims around the world." Assistant Attorney General for National Security Matthew G. Olsen added that the Department of Justice is committed to holding accountable those who undermine global cybersecurity.
Assistant Director Bryan Vorndran of the FBI’s Cyber Division highlighted the importance of partnerships with private companies like Sophos in preventing further victimization. U.S. Attorney Clifford D. Johnson emphasized the risks posed by Guan's actions to computer networks across the United States.
Special Agent Herbert J. Stapleton noted that Sophos quickly identified and responded to the vulnerability, mitigating potential damage significantly.
The indictment alleges that Guan and his co-conspirators targeted approximately 81,000 Sophos firewalls using a zero-day vulnerability designated CVE-2020-12271. They registered domains resembling those controlled by Sophos to disguise their activities but were forced to modify their malware after Sophos intervened.
Guan worked for Sichuan Silence, which has ties with the PRC Ministry of Public Security and other organizations within China. The FBI continues its investigation into Sichuan Silence's hacking activities.
In October, Sophos published findings from its "Pacific Rim" investigation into advanced persistent threat groups targeting its products over several years. Following these announcements, the FBI called for information on similar intrusions.
The U.S. Department of State announced rewards for information leading to Guan or others engaged in malicious cyber activities against U.S. infrastructure under foreign government direction. Sanctions have also been imposed on Sichuan Silence and Guan by the U.S. Treasury's Office of Foreign Assets Control.
Trial Attorneys Jacques Singer-Emery and George Brown are prosecuting the case alongside Assistant U.S. Attorney Steven J. Lupa.
It is important to note that an indictment is merely an allegation; all defendants are presumed innocent until proven guilty beyond reasonable doubt in court.