US Sanctions Chinese Firm for Exploiting Firewall Vulnerability in Ragnarok Ransomware Attacks

Published on December 11, 2024

The U.S. Treasury Department has imposed sanctions on Chinese cybersecurity firm Sichuan Silence and one of its employees, Guan Tianfeng, for their role in the April 2020 Ragnarok ransomware attacks targeting U.S. critical infrastructure and thousands of global victims.  

According to the Department's Office of Foreign Assets Control (OFAC), Sichuan Silence, a Chengdu-based contractor for Chinese intelligence, specializes in activities such as network exploitation and public sentiment suppression, Bleeping Computer reports.

OFAC revealed that Guan, known as "GBigMao," discovered a zero-day vulnerability (CVE-2020-12271) in Sophos XG firewalls, which was exploited to compromise approximately 81,000 firewalls worldwide, including over 23,000 in the U.S.  

The goal was to steal data and deploy Ragnarok ransomware; 36 of the breached firewalls protected U.S. critical infrastructure. A U.S. energy company was among the targets, and disrupting the attack there averted potentially catastrophic consequences.

The Department of Justice (DOJ) unsealed an indictment against Guan, while the State Department offered a reward of up to $10 million for information on him or Sichuan Silence.  

A DOJ press release confirmed, “The attackers leveraged a zero-day SQL injection vulnerability to infiltrate systems, deploying malware and exfiltrating sensitive data.”

Sophos, whose XG firewalls were exploited, neutralized the attack with a hotfix but identified a ‘dead man switch’ mechanism intended to launch ransomware across victim networks.  

Beyond cybersecurity attacks, Sichuan Silence has a history of disinformation campaigns. Meta dismantled networks tied to the group in 2021, accusing it of spreading COVID-related misinformation.  

The sanctions freeze U.S.-based assets linked to Sichuan Silence and prohibit American entities from engaging with them, marking a significant effort to disrupt their operations.

Takeaway: Chinese cyber operations highlight a troubling intersection of cybercriminal and state-sponsored operations, blurring the lines between financially motivated attacks and geopolitically strategic campaigns.  

Recent U.S. sanctions against Sichuan Silence and revelations about Chinese Advanced Persistent Threat (APT) groups, such as Volt Typhoon and Salt Typhoon, underscore how Chinese-linked entities exploit this ambiguity to further both financial and national objectives.

The U.S. Treasury’s designation of Sichuan Silence for deploying Ragnarok ransomware exemplifies this dual-purpose strategy. Ostensibly, the operation appears to be cybercrime—stealing data, deploying ransomware, and reaping financial rewards.  

However, the simultaneous targeting of critical U.S. infrastructure suggests a broader objective: testing vulnerabilities in systems vital to national security. This mirrors FBI Director Christopher Wray’s stark warning that Chinese actors have “burrowed into U.S. critical infrastructure” and could strike in conjunction with larger military operations.

China’s use of ransomware groups as proxies leverages plausible deniability. Operations like Volt Typhoon, targeting telecommunications, energy, and water sectors, have been dismissed by Chinese officials as the work of independent cybercriminals.  

Yet, evidence suggests these groups often share tools, infrastructure, and intelligence with state-directed teams. For example, the exploitation of a Sophos firewall vulnerability by Sichuan Silence aligns closely with techniques used by nation-state actors, hinting at coordination.

The targeting of U.S. telecom networks by Salt Typhoon further demonstrates this strategy. By breaching critical infrastructure, including Cisco routers, the group gained access to sensitive data from both political and corporate leaders, fueling intelligence-gathering efforts.

As previously reported, devices used by prominent U.S. politicians were compromised, illustrating the geopolitical value of these operations. Such breaches not only yield immediate intelligence but also enable long-term strategic advantages, including influencing geopolitical outcomes.

Halcyon.ai eliminates the business impact of ransomware. Modern enterprises rely on Halcyon to prevent ransomware attacks, eradicating cybercriminals’ ability to encrypt systems, steal data, and extort companies – talk to a Halcyon expert today to find out more and check out the Halcyon Attacks Lookout resource site. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.
