Reward in the millions: FBI seeks alleged developer of Sophos exploits
A group from China is said to have developed malicious code for Sophos firewalls and attacked thousands of them. This has now earned them an indictment and sanctions.
(Image: Timofeev Vladimir/Shutterstock.com)
A Chinese national is accused by the US of helping to develop exploits for security vulnerabilities in Sophos products. The 30-year-old is now wanted by the FBI, which will pay up to ten million US dollars for information leading to his capture. Together with other employees of a Chinese IT company, he is said to have attacked over 80,000 Sophos firewalls.
Tens of thousands of devices compromised
At the district court in the north of the US state of Indiana, the United States brought charges against Tianfeng G., who is said to work at "Sichuan Silence Technology Company Ltd.". According to the indictment, the company develops and sells exploits to various Chinese government institutions. Together with his accomplices, the suspect found a security vulnerability in Sophos devices (CVE-2020-12271), exploited it on over 81,000 devices worldwide and harvested data. The attackers also used ransomware.
The aforementioned vulnerability, an SQL injection, allowed the attackers to execute arbitrary commands on Sophos devices and equip them with a backdoor. The malware, nicknamed "Asnarök", then stole access data and VPN information from the devices. The malware owes its mythological name to a domain that appeared during the attacks and was called "ragnarokfromasgard.com".
Tianfeng G. is the only suspect named in the indictment. It is possible that his name appeared in connection with the registration of several Sophos firewalls with the manufacturer, as the US court is now accusing him of procuring them in February 2020. The FBI is offering a reward of up to ten million US dollars (a good 9.5 million euros) for information about the suspects and the Chinese exploit forge.
The US government is also imposing economic sanctions: both Tianfeng G. and the company "Sichuan Silence" have been on the US Treasury Department's SDN ("Specially Designated Nationals") list since December 10. This means that the person or organization has been classified as a threat to the national security, foreign policy or economy of the United States. As a consequence, the assets of these individuals or organizations are frozen in the US, and US citizens and many international companies are generally prohibited from doing business or interacting with them in any way.
On the edge of the Pacific
Sophos had been hunting down the developers of the "Asnarök" attack in a year-long game of cat-and-mouse and recently presented the results of its own investigation to the public under the code name "Pacific Rim". Although Sophos had identified the suspected developer of the exploit, it had not yet found any evidence of the collaboration with the actual attackers that the US authorities are now postulating. The British manufacturer's approach of equipping its own devices with espionage functions was also met with criticism. heise-security boss Jürgen Schmidt, for example, stated in a commentary: "This is normally called malware".
The latest episode of the heise-security podcast "Password", published on December 11, 2024, also discusses the "Hackback to China". The hosts – c't editor Sylvester Tremmel and the author of this report – trace and categorize the Sophos research. However, the sanctions that have now been imposed came too late for the podcast episode recorded a few weeks ago.
(cku)