Cybersecurity Newsletter

U.S. Sanctions China Cybersecurity Firm for Alleged Role in Critical Infrastructure Hacks

The Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned a Beijing-based cybersecurity company, Integrity Technology Group, Incorporated (Integrity Tech), for its role in multiple computer intrusion incidents against U.S. victims. These incidents have been publicly attributed to Flax Typhoon, a Chinese state-sponsored malicious cyber group, active since at least 2021, that often targets organizations within U.S. critical infrastructure sectors.

Chinese malicious cyber actors continue to be one of the most active and most persistent threats to U.S. national security, as they keep targeting U.S. government systems, including the recent targeting of Treasury’s own IT infrastructure. This is highlighted in the most recent Office of the Director of National Intelligence Annual Threat Assessment.

“The Treasury Department will not hesitate to hold malicious cyber actors and their enablers accountable for their actions,” said Acting Under Secretary of the Treasury for Terrorism and Financial Intelligence Bradley T. Smith. “The United States will use all available tools to disrupt these threats as we continue working collaboratively to harden public and private sector cyber defenses.”

On Sept. 18, 2024, the Federal Bureau of Investigation published a joint cybersecurity advisory, in coordination with the Cyber National Mission Force, the National Security Agency, and Five Eyes partners, that highlights the tactics, techniques, and procedures of Flax Typhoon, as well as Integrity Tech’s role in supporting its malicious cyber activities.

According to the U.S. Treasury, Flax Typhoon is a state-sponsored Chinese malicious cyber group that has been active since at least 2021, targeting organizations within U.S. critical infrastructure sectors. Flax Typhoon has compromised computer networks in North America, Europe, Africa, and across Asia, with a particular focus on Taiwan. Flax Typhoon exploits publicly known vulnerabilities to gain initial access to victims’ computers and then leverages legitimate remote access software to maintain persistent control over their networks. Flax Typhoon has targeted victims within a wide range of industries.

Between summer 2022 and fall 2023, Flax Typhoon actors accessed several hosts associated with U.S. and European entities. The actors maliciously used virtual private network software and remote desktop protocols to facilitate this access. In summer 2023, Flax Typhoon compromised multiple servers and workstations at a California-based entity. 
