The US Department of Justice (DoJ) unveiled charges against a Chinese national accused of exploiting a zero-day vulnerability to hack tens of thousands of Sophos firewall devices worldwide. Guan Tianfeng, known online as ‘gbigmao’ and ‘gxiaomao,’ is alleged to have orchestrated the attack while working for Sichuan Silence Information Technology Company, Limited.
Guan faces charges of conspiracy to commit computer fraud and conspiracy to commit wire fraud. The indictment accuses him of developing and deploying malware that targeted Sophos firewalls in 2020 by exploiting a then-unknown zero-day vulnerability, tracked as CVE-2020-12271: a pre-authentication SQL injection flaw that allowed attackers to execute code remotely on vulnerable devices.
The DoJ alleges that Guan and his co-conspirators used the vulnerability to compromise approximately 81,000 Sophos firewalls globally. The attacks used malware designed to steal sensitive information from compromised devices while masking its activity behind spoofed domains disguised as legitimate Sophos resources.
Sophos detected the intrusion and mitigated the impact within two days. However, the rapid response prompted the attackers to modify their malware. The revised malware included a failsafe to deploy encryption software from a ransomware variant if victims attempted to remove the malicious code. These encryption efforts, however, were unsuccessful.
The indictment says that Guan worked for Sichuan Silence, a private Chinese company with ties to the Ministry of Public Security and other Chinese state organizations. Sichuan Silence's website advertises its ability to scan overseas networks for intelligence gathering, a capability Guan allegedly applied in the Sophos attack.
The company and Guan have now been sanctioned by the US Department of the Treasury’s Office of Foreign Assets Control (OFAC). According to officials, Sichuan Silence’s activities align with China’s broader strategy of leveraging private entities for state-sponsored cyber operations.
In a parallel announcement, the US Department of State offered a reward of up to $10 million for information leading to Guan's capture or the identification of others acting under the direction of foreign governments to attack US critical infrastructure.