U.S. Treasury sanctions Chinese cybersecurity firm over critical infrastructure cyberattack
The U.S. Treasury sanctioned Sichuan Silence and researcher Guan Tianfeng for a 2020 cyberattack compromising 81,000 firewalls globally, including U.S. critical infrastructure. The attack used a zero-day exploit to steal data and attempt ransomware deployment, posing serious national security risks.
WASHINGTON, Dec. 10, 2024 — The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) announced sanctions today against Sichuan Silence Information Technology Company, Limited, and one of its employees, Guan Tianfeng, for their involvement in a 2020 cyberattack that exploited global firewall vulnerabilities. The attack compromised tens of thousands of firewalls worldwide, including those safeguarding U.S. critical infrastructure. The sanctions follow an investigation into the use of a zero-day exploit by Guan, a security researcher at the Chengdu-based firm.
In April 2020, Guan deployed malware across approximately 81,000 firewalls, stealing data and attempting to launch ransomware attacks using the Ragnarok variant, which could have caused catastrophic damage, especially to critical U.S. energy operations.
“Today’s action underscores our commitment to exposing and countering malicious cyber activities that threaten our national security and infrastructure,” said Bradley T. Smith, Acting Under Secretary of the Treasury for Terrorism and Financial Intelligence. “Treasury, in coordination with other federal agencies, is leveraging tools to hold these actors accountable.”
The U.S. Department of Justice unsealed an indictment against Guan, while the Department of State has offered a reward of up to $10 million for information on Sichuan Silence or Guan under the Rewards for Justice program.
The cyberattack, conducted between April 22-25, 2020, involved the exploitation of a previously unknown software vulnerability (a zero-day) in firewall products. Guan used this vulnerability to deploy malware and attempted to install Ragnarok ransomware, which disables antivirus software and encrypts victim systems. Over 23,000 U.S.-based firewalls were affected, including 36 protecting critical infrastructure.
The attack posed severe risks to public safety. One target, an energy company engaged in active drilling operations, could have experienced potentially fatal accidents if its systems had been compromised.
Sichuan Silence, a government contractor specializing in cybersecurity tools for Chinese intelligence agencies, is accused of providing resources and support for Guan’s operations. The company offers a range of offensive cyber capabilities, including router exploitation tools. The pre-positioning device used in the 2020 attack belonged to the company.
OFAC sanctioned both the company and Guan under Executive Order 13694, amended by E.O. 13757, for engaging in cyber-enabled activities posing a significant threat to U.S. national security. Sanctions block their U.S.-based assets and prohibit U.S. entities from transacting with them.
The sanctions require all U.S. persons and entities to block property and interests belonging to Sichuan Silence and Guan. Financial institutions engaging in transactions with these entities risk enforcement actions.