The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) has imposed sanctions on a Chinese cybersecurity company and a Shanghai-based cyber actor for their alleged involvement in cyber activities linked to the Salt Typhoon group and the recent compromise of a federal agency’s systems. This move comes amid growing concerns over malicious cyber activities targeting U.S. government networks and critical infrastructure.

Targeting U.S. Government Systems

"People’s Republic of China-linked (PRC) malicious cyber actors continue to target U.S. government systems, including the recent targeting of Treasury’s information technology (IT) systems, as well as sensitive U.S. critical infrastructure," the Treasury said in a press release.

The sanctions specifically target Yin Kecheng, identified as a cyber actor with over a decade of experience and affiliations with China's Ministry of State Security (MSS). According to the Treasury, Yin was directly associated with the breach of its network, which the department disclosed at the end of December.

Details of the Breach

The breach began with an attack on BeyondTrust's systems, in which threat actors obtained a Remote Support SaaS API key and used it to access some of the company's Remote Support SaaS instances. In its letter to Congress, the Treasury said the stolen key allowed the actor to override the service's security controls, remotely access certain Treasury user workstations, and retrieve unclassified documents. The activity has been attributed to Silk Typhoon, a nation-state group formerly tracked as Hafnium, which was also behind the early-2021 exploitation of multiple Microsoft Exchange Server vulnerabilities collectively dubbed ProxyLogon.

A recent Bloomberg report highlighted the extent of the breach, revealing that attackers accessed at least 400 Treasury computers and stole over 3,000 files. These included policy documents, travel information, organizational charts, materials on sanctions and foreign investments, and sensitive law enforcement data. Furthermore, unauthorized access was gained to systems used by key Treasury officials, including Secretary Janet Yellen, Deputy Secretary Adewale Adeyemo, and Acting Under Secretary Bradley T. Smith. Materials related to investigations by the Committee on Foreign Investment in the U.S. were also compromised.

Connections to Other Threat Groups

Silk Typhoon's activities are believed to overlap with a cluster tracked by Google-owned Mandiant as UNC5221, a China-linked espionage actor known for its extensive exploitation of zero-day vulnerabilities in Ivanti products, notably Connect Secure. Mandiant has yet to comment further on this matter.

Sichuan Juxinhe Network Technology Co. Ltd. Sanctioned

The sanctions also target Sichuan Juxinhe Network Technology Co., Ltd., a Sichuan-based cybersecurity company accused of engaging in cyberattacks against major U.S. telecommunication and internet service providers. These activities have been linked to another Chinese hacking group, Salt Typhoon, also known by aliases such as Earth Estries, FamousSparrow, GhostEmperor, and UNC2286. Active since at least 2019, Salt Typhoon has been connected to multiple attacks on critical infrastructure.

"The MSS has maintained strong ties with multiple computer network exploitation companies, including Sichuan Juxinhe," the Treasury stated.

U.S. Response to Malicious Cyber Activities

In response to these attacks, the Department of State's Rewards for Justice program is offering up to $10 million for information leading to the identification or location of individuals who, acting at the direction of a foreign government, engage in malicious cyber activities against U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act.

"The Treasury Department will continue to use its authorities to hold accountable malicious cyber actors who target the American people, our companies, and the United States government, including those who have targeted the Treasury Department specifically," said Deputy Secretary Adewale Adeyemo.

Strengthening Cybersecurity Measures

The Federal Communications Commission (FCC) has introduced new rules requiring telecommunications companies to secure their networks against unauthorized access and communications interception. Outgoing FCC Chairwoman Jessica Rosenworcel called the breaches "one of the largest intelligence compromises ever seen."

The FCC has proposed that communications service providers submit annual certifications attesting to the implementation of updated cybersecurity risk management plans. These measures aim to prevent future cyberattacks.

Broader Implications

Earlier this week, Jen Easterly, Director of the Cybersecurity and Infrastructure Security Agency (CISA), emphasized the gravity of the threat posed by China’s cyber program. "China's sophisticated and well-resourced cyber program represents the most serious and significant cyber threat to our nation, and in particular, U.S. critical infrastructure," she said.

Easterly revealed that Salt Typhoon was first detected on federal networks long before the group infiltrated the systems of major telecommunications providers such as AT&T, Lumen Technologies, T-Mobile, and Verizon.

The Treasury’s actions are part of a broader effort to combat cyber threats from Chinese state-linked actors. Previous sanctions have targeted companies such as Integrity Technology Group (linked to Flax Typhoon), Sichuan Silence Information Technology (connected to Pacific Rim), and Wuhan Xiaoruizhi Science and Technology Company (associated with APT31).

As cybersecurity challenges continue to escalate, these measures underline the U.S. government’s commitment to protecting its networks, critical infrastructure, and sensitive information from foreign adversaries.