Indictment Issued Following Investigation into Hackers Targeting Sophos

Sophos has made significant progress in identifying a Chinese hacker named Guan Tianfeng, who allegedly led a series of cyberattacks from 2018 to 2020 affecting around 81,000 firewalls worldwide. An indictment reveals that he exploited a zero-day vulnerability to access sensitive data and deployed self-defending malware. The U.S. justice system has connected his employer to Chinese espionage efforts. Separately, Ivanti has disclosed a new critical vulnerability in its Cloud Services Appliance, a reminder that security appliances remain under sustained attack.

Cybersecurity Breakthrough: Sophos Targets Hackers

The cybersecurity firm Sophos is making significant strides in identifying the hackers who attempted to breach its defenses. After an extensive five-year investigation, the U.S. justice system has stepped in, revealing an indictment against a mysterious Chinese hacker named Guan Tianfeng.

This individual is now the subject of a staggering $10 million reward. Guan Tianfeng allegedly orchestrated a series of hacks from July 2018 to May 2020, collaborating with others to infiltrate the firewalls of the British company and siphon off sensitive data from targeted devices. The attack’s scale is alarming, impacting approximately 81,000 firewalls globally, including software utilized by a U.S. agency. It remains unclear if any organizations in France were compromised in this operation.

Technical Intricacies of the Attack

The indictment states that the suspect purportedly created intrusion software that took advantage of a serious zero-day vulnerability discovered in 2020 (CVE-2020-12271). This SQL injection flaw opened the door to hashed usernames and passwords belonging to local device administrators, portal administrators, and user accounts designated for remote access.

Disguised behind domain names that appeared to be associated with Sophos, such as sophosfirewallupdate.com, the malware was engineered to defend itself. If any attempts were made to remove the malicious software, it would deploy Ragnarok ransomware, potentially as a method to erase its tracks.

The U.S. justice system has also implicated Guan Tianfeng’s employer, Sichuan Silence Information Technology, which is believed to have ties to the Chinese Ministry of Public Security. According to the FBI, this company serves as one of the arms of Chinese espionage, creating products capable of scanning and identifying foreign network targets to harvest valuable intelligence.

Sophos reported that its investigation commenced with an attack identified in December 2018 against one of its subsidiaries in India. The sophisticated nature of the attack caught the attention of the company’s analysts, who named the rootkit involved CloudSnooper. In an effort to trace the hackers, Sophos enhanced its firewalls to gather more data from its clients’ devices.

The ongoing battle between cybersecurity firms and hackers has intensified, with Sophos noting a level of commitment to malicious activities not commonly seen in its nearly forty years of operation. Ultimately, the cybersecurity firm has linked the attackers to state-sponsored hacker groups from China.

As Sophos points out, its firewalls are far from the only targets. The French National Cybersecurity Agency (ANSSI) also raised concerns this autumn about attacks on security equipment, which has become a prime target for cybercriminals.

In a related development, Ivanti has recently uncovered a new critical vulnerability in its Cloud Services Appliance, a device that facilitates secure communications. Rated at the highest severity level, this marks the sixth critical vulnerability identified within just four months. Fortunately, the company has confirmed that this vulnerability has yet to be exploited, but the situation remains fluid.