His name is Guan Tianfeng and in December 2024 the US State Department's Rewards for Justice program placed a reward of up to $10 million for anyone offering information on his whereabouts.
Guan Tianfeng, it's alleged, masterminded an April 2020 attack on Sophos XG firewalls using an exploit for a zero-day vulnerability later swiftly patched as CVE-2020-12271.
According to the indictment, the boyish-looking Guan Tianfeng (aka 'Gbigmao') worked for a company called Sichuan Silence. After discovering the flaw, he created the exploit and the global server infrastructure necessary to deploy it in an attack. As the Department of Justice indictment stated:
"In total, Guan and his co-conspirators infected approximately 81,000 firewall devices worldwide, including a firewall device used by an agency of the United States."
Then, an important detail: the incident also executed a ransomware attack using the Ragnarok malware on any firewall owners that tried to counter the malware.
"The malware that exploited the vulnerability discovered by Guan was designed to steal information from infected computers and to encrypt files on them if a victim attempted to remediate the infection [by rebooting the firewall]."
So, the attack was an odd mixture of data/credential stealing with a nasty 'dead man switch' sting in the tail as retribution for anyone who tried to block what it was doing.
However, the most significant aspect of the charges levelled at Guan Tianfeng was that he and the company behind it were acting on behalf of China's military:
"Sichuan Silence is a Chengdu-based cybersecurity government contractor whose core clients are People's Republic of China intelligence services."
Nation state ransomware
Should this be classified as a ransomware attack? Almost certainly not. The ransomware seems to have been used as a secondary tactic, perhaps to obscure its true origins or to tie defenders down dealing with its effects.
One could argue that it doesn't matter whether the ransomware was the primary or secondary part of the payload. If an organization's systems are taken offline because they've been encrypted, it will be experienced as a ransomware attack with the same consequences.
The explanation favored by the US authorities is that the attack was a nation state campaign on behalf of the Chinese state attempting to compromise western organizations. The ransomware was merely a means to that end.
Nation states using ransomware in this direct way is unusual, the possible exception being the occasional attack attributed to North Korea. That attack occurred nearly five years ago, which perhaps makes it old news. As with other nation state attacks before it, there is no simple sanction that can bring a perpetrator to justice. The best the US has right now is the $10 million bounty, which marks Guan Tianfeng out as being near the top of the US government's most wanted list.
What's positive is that we get to hear about these incidents at all, years after they've been forgotten. Blended nation state attacks part-masquerading as ransomware aren't common, but there is no reason why that won't change in the future.