The U.S. Treasury Department sanctioned Chinese cybersecurity company Sichuan Silence and one of its employees for their role in a series of Ragnarok ransomware attacks in April 2020 that targeted U.S. critical infrastructure companies and numerous other victims around the world.

According to the U.S. Department of State's Office of Foreign Assets Control (OFAC), Sichuan Silent Information Technology Co., Ltd. is a Chengdu-based cybersecurity government contractor (recently profiled by the Natto Thoughts team) that provides products and services to core customers including Chinese intelligence agencies.

The company's services include computer network development, brute-force password cracking, email monitoring and suppression of public sentiment.

OFAC said the zero-day vulnerability used in the April 2020 campaign was discovered in an unnamed firewall product by security researcher Guan Tianfeng (aka GbigMao), an employee of Sichuan Silent Information Technology Co., Ltd.

Today's press release revealed: "Between April 22 and 25, 2020, Guan Tianfeng exploited this zero-day vulnerability to deploy malware on approximately 81,000 firewalls owned by thousands of enterprises around the world. The purpose of the vulnerability was to exploit compromised firewalls to steal data, including usernames and passwords. However, Guan also attempted to infect victims' systems with a Ragnarok ransomware variant."

More than 2,000 of the compromised firewalls were located in the United States, 36 of them protecting the networks of U.S. critical infrastructure companies.

On Tuesday, the U.S. Department of Justice (DOJ) also announced an indictment against Guan, and the U.S. State Department announced a reward of up to $10 million through the "Rewards for Justice" program to anyone who provides information about Sichuan Silence or Guan.

Reward Poster (U.S. Department of State)

The U.S. Departments of State and Justice confirmed that the April 2020 Ragnarok ransomware campaign exploited a zero-day SQL injection vulnerability (CVE-2020-12271) in the Sophos XG firewall.

The State Department said: "In 2020, Chinese citizen Guan Tianfeng and other employees of Sichuan Silent Information Technology Co., Ltd. developed and tested intrusion techniques and then deployed malware that exploited zero-day vulnerabilities in certain firewalls sold by British cybersecurity company Sophos Ltd. They deployed malware globally that allowed unauthorized access to certain Sophos firewalls, caused damage to the firewalls, and allowed them to retrieve and exfiltrate data from the firewalls themselves and from computers behind those firewalls."

The attackers first exploited the zero-day vulnerability to gain remote code execution on the Sophos XG firewall, then installed ELF binaries and scripts belonging to a malicious toolkit known as the Asnarök Trojan.

After Sophos detected the attack, it patched the devices and pushed a hotfix that removed the malicious scripts. The removal, however, tripped a "dead man's switch" the threat actor had planted, which in turn triggered the Ragnarok ransomware attack on Windows machines in the victims' networks.

As a result of today's sanctions, U.S. organizations and citizens are prohibited from transacting with the designated entity and individual. In addition, any U.S. assets associated with them will be frozen, and U.S. financial institutions or foreign entities that conduct transactions with them will also face penalties.

In November 2021, Meta dismantled two hacker networks, including 524 Facebook accounts and 86 Instagram accounts linked to Sichuan Silence. Meta said at the time that the accounts were used to conduct COVID-19 related propaganda campaigns targeting English-speaking users in the United States and the United Kingdom, as well as Chinese-speaking users in Taiwan, Hong Kong, and Tibet.