{
	"id": "d02f1b4c-080f-4b85-b3b2-7abe48eaf7ef",
	"created_at": "2026-04-06T00:18:56.656357Z",
	"updated_at": "2026-04-10T03:35:29.155023Z",
	"deleted_at": null,
	"sha1_hash": "4a1a714b99efb30794e4e379e909014f27019370",
	"title": "Treasury Sanctions Cybersecurity Company Involved in Compromise of Firewall Products and Attempted Ransomware Attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 42784,
	"plain_text": "Treasury Sanctions Cybersecurity Company Involved in\r\nCompromise of Firewall Products and Attempted Ransomware\r\nAttacks\r\nPublished: 2026-02-13 · Archived: 2026-04-05 23:11:06 UTC\r\nWASHINGTON — Today, the Department of the Treasury’s Office of Foreign Assets Control (OFAC) is\r\nsanctioning cybersecurity company Sichuan Silence Information Technology Company, Limited (Sichuan\r\nSilence), and one of its employees, Guan Tianfeng (Guan), both based in People’s Republic of China (PRC), for\r\ntheir roles in the April 2020 compromise of tens of thousands of firewalls worldwide. Many of the victims were\r\nU.S. critical infrastructure companies. \r\nMalicious cyber actors, including those operating in China, continue to be one of the greatest and most persistent\r\nthreats to U.S. national security, as highlighted in the 2024 Annual Threat Assessment released by the Office of\r\nthe Director of National Intelligence.\r\n“Today’s action underscores our commitment to exposing these malicious cyber activities—many of which pose\r\nsignificant risk to our communities and our citizens—and to holding the actors behind them accountable for their\r\nschemes,” said Acting Under Secretary of the Treasury for Terrorism and Financial Intelligence Bradley T. Smith.\r\n“Treasury, as part of the U.S. government’s coordinated approach to addressing cyber threats, will continue to\r\nleverage our tools to disrupt attempts by malicious cyber actors to undermine our critical infrastructure.”\r\nToday, the Department of Justice (DOJ) unsealed an indictment on Guan for the same activity. Additionally, the\r\nU.S. Department of State announced a Rewards for Justice reward offer of up to $10 million for information about\r\nSichuan Silence or Guan.\r\nApril 2020 Firewall compromise\r\nGuan Tianfeng discovered a zero-day exploit in a firewall product. 
A zero-day exploit is a previously unknown\r\nvulnerability in a computer software or hardware product that can be used in a cyberattack. Between April 22 and\r\n25, 2020, Guan Tianfeng used this zero-day exploit to deploy malware to approximately 81,000 firewalls owned\r\nby thousands of businesses worldwide. The purpose of the exploit was to use the compromised firewalls to steal\r\ndata, including usernames and passwords. However, Guan also attempted to infect the victims’ systems with the\r\nRagnarok ransomware variant. This ransomware disables anti-virus software and encrypts the computers on a\r\nvictim’s network if they attempt to remedy the compromise. \r\nMore than 23,000 of the compromised firewalls were in the United States. Of these firewalls, 36 were protecting\r\nU.S. critical infrastructure companies’ systems. If any of these victims had failed to patch their systems to mitigate\r\nthe exploit, or cybersecurity measures had not identified and quickly remedied the intrusion, the potential impact\r\nof the Ragnarok ransomware attack could have resulted in serious injury or the loss of human life. One victim was\r\na U.S. energy company that was actively involved in drilling operations at the time of the compromise. If this\r\ncompromise had not been detected, and the ransomware attack not been thwarted, it could have caused oil rigs to\r\nmalfunction potentially causing a significant loss in human life.\r\nGuan Tianfeng and Sichuan Silence\r\nGuan is a Chinese national and was a security researcher at Sichuan Silence at the time of the compromise. Guan\r\ncompeted on behalf of Sichuan Silence in cybersecurity tournaments and posted recently discovered zero-day\r\nexploits on vulnerability and exploit forums, including under his moniker GbigMao. 
Guan was responsible for the\r\nApril 2020 firewall compromise.\r\nSichuan Silence is a Chengdu-based cybersecurity government contractor whose core clients are PRC intelligence\r\nservices. Sichuan Silence provides these clients with computer network exploitation, email monitoring, brute-force password cracking, and public sentiment suppression products and services. Additionally, Sichuan Silence\r\nprovides these clients with equipment designed to probe and exploit target network routers. A pre-positioning\r\ndevice used by Guan in the April 2020 firewall compromise was in fact owned by his employer, Sichuan Silence.\r\nOFAC is designating Sichuan Silence and Guan pursuant to Executive Order (E.O.) 13694, as amended by E.O.\r\n13757, for being responsible for or complicit in, or having engaged in, directly or indirectly cyber-enabled\r\nactivities originating from, or directed by persons located, in whole or in substantial part, outside the United States\r\nthat are reasonably likely to result in, or have materially contributed to, a significant threat to the national security,\r\nforeign policy, or economic health or financial stability of the United States and that have the purpose or effect of\r\nharming, or otherwise significantly compromising the provision of services by, a computer or network of\r\ncomputers that support one or more entities in a critical infrastructure sector. \r\nSANCTIONS IMPLICATIONS\r\nAs a result of today’s action, all property and interests in property of the designated persons described above that\r\nare in the United States or in the possession or the control of U.S. persons are blocked and must be reported to\r\nOFAC. In addition, any entities that are owned, directly or indirectly, individually or in the aggregate, 50 percent\r\nor more by one or more blocked persons are also blocked. Unless authorized by a general or specific license\r\nissued by OFAC, or exempt, OFAC’s regulations generally prohibit all transactions by U.S. 
persons or within (or\r\ntransiting) the United States that involve any property or interests in property of designated or otherwise blocked\r\npersons. \r\nIn addition, financial institutions and other persons that engage in certain transactions or activities with the\r\nsanctioned entities and individuals may expose themselves to sanctions or be subject to an enforcement action.\r\nThe prohibitions include the making of any contribution or provision of funds, goods, or services by, to, or for the\r\nbenefit of any designated person, or the receipt of any contribution or provision of funds, goods, or services from\r\nany such person. \r\nThe power and integrity of OFAC sanctions derive not only from OFAC’s ability to designate and add persons to\r\nthe Specially Designated Nationals and Blocked Persons (SDN) List, but also from its willingness to remove\r\npersons from the SDN List consistent with the law. The ultimate goal of sanctions is not to punish, but to bring\r\nabout a positive change in behavior. For information concerning the process for seeking removal from an OFAC\r\nlist, including the SDN List, please refer to OFAC’s Frequently Asked Question 897 here. For detailed information\r\non the process to submit a request for removal from an OFAC sanctions list, please click here.\r\nClick here for more information on the individuals and entities designated today.\r\n###\r\nSource: https://home.treasury.gov/news/press-releases/jy2742",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://home.treasury.gov/news/press-releases/jy2742"
	],
	"report_names": [
		"jy2742"
	],
	"threat_actors": [
		{
			"id": "42a6a29d-6b98-4fd6-a742-a45a0306c7b0",
			"created_at": "2022-10-25T15:50:23.710403Z",
			"updated_at": "2026-04-10T02:00:05.281246Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"Whisper Spider"
			],
			"source_name": "MITRE:Silence",
			"tools": [
				"Winexe",
				"SDelete"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "eb5915d6-49a0-464d-9e4e-e1e2d3d31bc7",
			"created_at": "2025-03-29T02:05:20.764715Z",
			"updated_at": "2026-04-10T02:00:03.851829Z",
			"deleted_at": null,
			"main_name": "GOLD WYMAN",
			"aliases": [
				"Silence "
			],
			"source_name": "Secureworks:GOLD WYMAN",
			"tools": [
				"Silence"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "88e53203-891a-46f8-9ced-81d874a271c4",
			"created_at": "2022-10-25T16:07:24.191982Z",
			"updated_at": "2026-04-10T02:00:04.895327Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"ATK 86",
				"Contract Crew",
				"G0091",
				"TAG-CR8",
				"TEMP.TruthTeller",
				"Whisper Spider"
			],
			"source_name": "ETDA:Silence",
			"tools": [
				"EDA",
				"EmpireDNSAgent",
				"Farse",
				"Ivoke",
				"Kikothac",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Meterpreter",
				"ProxyBot",
				"ReconModule",
				"Silence.Downloader",
				"TiniMet",
				"TinyMet",
				"TrueBot",
				"xfs-disp.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434736,
	"ts_updated_at": 1775792129,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4a1a714b99efb30794e4e379e909014f27019370.pdf",
		"text": "https://archive.orkl.eu/4a1a714b99efb30794e4e379e909014f27019370.txt",
		"img": "https://archive.orkl.eu/4a1a714b99efb30794e4e379e909014f27019370.jpg"
	}
}