The US government on Tuesday announced charges and sanctions against a Chinese national accused of being involved in the hacker attacks targeting Sophos firewalls.
The attacks, which Sophos tracked over a period of five years, involved the exploitation of zero-day vulnerabilities in the security firm’s firewalls in an effort to plant backdoors and steal sensitive data from organizations.
The campaign, linked to Chinese state-sponsored threat actors, resulted in the compromise of roughly 81,000 firewall devices around the world, according to the US government, which noted that the hacked firewalls included devices used by one of its own agencies.
On Tuesday, the Department of Justice announced charges against a Chinese national named Guan Tianfeng (aka GBigMao) over the Sophos firewall attacks and the use of zero-days. The DoJ’s announcement specifically mentions the exploitation of a zero-day tracked as CVE-2020-12271.
Investigators determined that the attacks were carried out by Guan and others working for a Chinese company named Sichuan Silence Information Technology.
Sichuan Silence is a private company that has allegedly provided services to China’s Ministry of Public Security, as well as other local organizations. Its website says the firm has developed a “product line which could be used to scan and detect overseas network targets in order to obtain valuable intelligence information”.
In addition to the charges against Guan, the US government, specifically the Treasury Department, on Tuesday announced sanctions against both Guan and Sichuan Silence.
The Department of State is offering rewards of up to $10 million for information leading to the identification or location of Guan, and the FBI has added him to its Cyber’s Most Wanted list.
The announcements made by the US government are not surprising. In late October, Sophos revealed that it had developed and used custom implants to surveil the hackers who had been targeting its products. In early November, the FBI asked the public for help in identifying the hackers behind the Sophos campaign.
“[…] We were able to link much of the attackers’ exploit research and development to the Sichuan region of China, specifically, the Sichuan Silence Information Technology’s Double Helix Research Institute,” Ross McKerchar, CISO at Sophos, told SecurityWeek in emailed comments.
“In addition, after neutralizing a wave of attacks we named Asnarok, we uncovered links between the attacks and a person who went by the moniker GBigMao. Today, we are pleased that the Department of Justice has unsealed its indictment of Gbigmao, aka Guan Tianfeng, and the Treasury has sanctioned Sichuan Silence. This is a positive step towards disrupting these attackers’ operation,” McKerchar added.