China accused of hiding nation state attack on firewalls behind ‘Ragnarok’ ransomware

The author

His name is Guan Tianfeng and in December 2024 the US State Department’s Rewards for Justice campaign placed a reward of up to $10 million for anyone offering information on his whereabouts.

Guan Tianfeng, it is alleged, masterminded an April 2020 attack on Sophos XG firewalls using an exploit for a zero-day vulnerability later hastily patched as CVE-2020-12271.

According to the indictment, the boyish-looking Guan Tianfeng (aka ‘Gbigmao’) worked for a company called Sichuan Silence. After discovering the flaw, he created the exploit and the global server infrastructure necessary to deploy it in an attack. As the Department of Justice indictment stated:

“In total, Guan and his co-conspirators infected approximately 81,000 firewall devices worldwide, including a firewall device used by an agency of the United States.”

Then, an important detail: the attackers also executed a ransomware attack using the Ragnarok malware against any firewall owners who attempted to counter the malware.

“The malware that exploited the vulnerability discovered by Guan was designed to steal information from infected computers and to encrypt files on them if a victim attempted to remediate the infection [by rebooting the firewall].”

So, the attack was an odd mixture of data/credential stealing with a nasty ‘dead man switch’ sting in the tail as retribution for anyone who tried to block what it was doing.

However, the most significant aspect of the charges levelled at Guan Tianfeng was that he and the company behind the attack were acting on behalf of China’s military:

“Sichuan Silence is a Chengdu-based cybersecurity government contractor whose core clients are People’s Republic of China intelligence services.”

Nation state ransomware

Should this be classified as a ransomware attack? Almost certainly not. The ransomware seems to have been used as a secondary tactic, perhaps to obscure its true origins or to tie defenders down dealing with its effects.

One could argue that it doesn’t matter whether the ransomware was the primary or secondary part of the payload. If a company’s systems are taken offline because they have been encrypted, it will be experienced as a ransomware attack with the same consequences.

The explanation favored by the US authorities is that the attack was a nation state campaign on behalf of the Chinese state looking to compromise western organizations. The ransomware was simply a means to that end.

Nation states using ransomware in this direct way is rare, the possible exception being the occasional attack attributed to North Korea. That attack happened nearly five years ago, which perhaps makes it old news. As with other nation state attacks before it, there is no simple sanction that can bring a perpetrator to justice. The best the US has right now is the $10 million bounty, which marks Guan Tianfeng out as being near the top of the US authorities’ most wanted list.

What’s positive is that we get to hear about these incidents at all, years after they’ve been forgotten. Blended nation state attacks part-masquerading as ransomware aren’t common but there is no reason why that won’t change in the future.
