U.S. Sanctions Chinese Cybersecurity Firm Over Treasury Hack Tied to Silk Typhoon

The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) has imposed sanctions against a Chinese cybersecurity company and a Shanghai-based cyber actor for their alleged links to the Salt Typhoon group and the recent compromise of the federal agency.

“People’s Republic of China-linked (PRC) malicious cyber actors continue to target U.S. government systems, including the recent targeting of Treasury’s information technology (IT) systems, as well as sensitive U.S. critical infrastructure,” the Treasury said in a press release.

The sanctions target Yin Kecheng, who is assessed to have been a cyber actor for over a decade and affiliated with China’s Ministry of State Security (MSS). Kecheng, per the Treasury, was associated with the breach of its own network that came to light earlier this month.

The incident involved a hack of BeyondTrust’s systems that allowed the threat actors to infiltrate some of the company’s Remote Support SaaS instances by using a compromised Remote Support SaaS API key. The activity has been attributed to a nation-state group named Silk Typhoon (formerly Hafnium), which was linked to the exploitation of multiple then-zero-day security flaws (aka ProxyLogon) in Microsoft Exchange Server in early 2021.

According to a recent report from Bloomberg, the attackers are said to have broken into no fewer than 400 computers belonging to the Treasury and stolen over 3,000 files, including policy and travel documents, organizational charts, material on sanctions and foreign investment, and ‘Law Enforcement Sensitive’ data.

They also gained unauthorized access to computers used by Secretary Janet Yellen, Deputy Secretary Adewale Adeyemo, and Acting Under Secretary Bradley T. Smith, as well as material on investigations run by the Committee on Foreign Investment in the U.S., the report added.

It’s believed that Silk Typhoon overlaps with a cluster tracked by Google-owned Mandiant under the moniker UNC5221, a China-nexus espionage actor known for its extensive weaponization of Ivanti zero-day vulnerabilities. The Hacker News has reached out to Mandiant for further comment, and we will update the story if we hear back.

The sanctions also target Sichuan Juxinhe Network Technology Co., LTD., a Sichuan-based cybersecurity company that the Treasury said was directly involved in a series of cyber attacks aimed at major U.S. telecommunication and internet service provider companies.

The activity has been associated with a different Chinese hacking group named Salt Typhoon (aka Earth Estries, FamousSparrow, GhostEmperor, and UNC2286). The threat actor is estimated to have been active since at least 2019.

“The MSS has maintained strong ties with multiple computer network exploitation companies, including Sichuan Juxinhe,” the Treasury said.

Separately, the Department of State’s Rewards for Justice program is offering a reward of up to $10 million for information that could lead to the identification or location of any individuals who are acting at the direction or under the control of a foreign state-sponsored adversary and engage in malicious cyber activities against U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act.

“The Treasury Department will continue to use its authorities to hold accountable malicious cyber actors who target the American people, our companies, and the United States government, including those who have targeted the Treasury Department specifically,” Adeyemo said in a statement.

The attacks on U.S. telecom service providers have since prompted the Federal Communications Commission (FCC) to issue new rules requiring companies operating in the sector to secure their networks from unlawful access or interception of communications. Outgoing FCC chairwoman Jessica Rosenworcel described the hacks as “one of the largest intelligence compromises ever seen.”

“That action is accompanied by a proposal to require communications service providers to submit an annual certification to the FCC attesting that they have created, updated, and implemented a cybersecurity risk management plan, which would strengthen communications from future cyber attacks,” the FCC said.

Earlier this week, Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency (CISA), said “China’s sophisticated and well-resourced cyber program represents the most serious and significant cyber threat to our nation, and in particular, U.S. critical infrastructure.”

Easterly also revealed that Salt Typhoon was first detected on federal networks, well before the cyber espionage group burrowed into the networks of AT&T, Lumen Technologies, T-Mobile, Verizon, and other providers.

The designations are the latest in a long list of moves by the Treasury to combat malicious cyber activity by Chinese threat actors. The agency has previously sanctioned three other companies: Integrity Technology Group (Flax Typhoon), Sichuan Silence Information Technology (Pacific Rim), and Wuhan Xiaoruizhi Science and Technology Company (APT31).
