U.S. Sanctions Chinese Cybersecurity Firm Linked to Treasury Hack by Salt Typhoon

The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) has announced new sanctions against a Chinese cybersecurity company and a Shanghai-based cyber actor due to their alleged links to the Salt Typhoon group and the recent cyber intrusion into a federal agency’s systems. 

According to an official press release, People's Republic of China (PRC)-linked malicious cyber actors continue to target U.S. government networks, including a recent breach of Treasury’s information technology (IT) systems. These cyber activities have also extended to critical U.S. infrastructure, raising national security concerns. 

OFAC’s sanctions target Yin Kecheng, an alleged cyber operative with over a decade of experience and ties to China’s Ministry of State Security (MSS). Kecheng has been linked to the recent Treasury network breach, which surfaced earlier this month. 

This incident was connected to a compromise of BeyondTrust’s systems, enabling threat actors to infiltrate Remote Support SaaS instances by exploiting a compromised Remote Support SaaS API key. The attack is attributed to a nation-state hacking group known as Silk Typhoon (formerly Hafnium), which was previously responsible for the ProxyLogon exploit targeting Microsoft Exchange Server vulnerabilities in early 2021. 

A report from Bloomberg revealed that the Silk Typhoon hackers infiltrated at least 400 computers within the Treasury Department, stealing more than 3,000 files, including sensitive documents related to policies, sanctions, foreign investments, and ‘Law Enforcement Sensitive’ data. The attackers also gained unauthorized access to computers used by Treasury Secretary Janet Yellen, Deputy Secretary Adewale Adeyemo, and Acting Under Secretary Bradley T. Smith, as well as materials related to investigations conducted by the Committee on Foreign Investment in the U.S. (CFIUS). 

Silk Typhoon’s activities appear to overlap with UNC5221, a China-linked cyber espionage group tracked by Google’s Mandiant. This group is known for its aggressive exploitation of zero-day vulnerabilities in Ivanti products. Mandiant has yet to comment on these findings. 

OFAC has also sanctioned Sichuan Juxinhe Network Technology Co., LTD, a cybersecurity company based in Sichuan, China. The Treasury Department asserts that this firm was directly involved in cyberattacks targeting major U.S. telecommunications and internet service providers. 

These attacks have been linked to another Chinese state-sponsored hacking group known as Salt Typhoon (also tracked as Earth Estries, FamousSparrow, GhostEmperor, and UNC2286). Intelligence suggests that Salt Typhoon has been active since at least 2019, engaging in cyber espionage and targeting government and corporate entities. 

“The Ministry of State Security (MSS) has maintained strong ties with multiple cyber exploitation companies, including Sichuan Juxinhe,” the Treasury stated. 

The U.S. Department of State’s Rewards for Justice program is offering a reward of up to $10 million for information leading to the identification or location of individuals engaging in cyberattacks against U.S. critical infrastructure on behalf of foreign governments. 

Treasury Deputy Secretary Adewale Adeyemo emphasized that the U.S. will continue to use its sanctioning authority to hold cybercriminals accountable, particularly those targeting the Treasury Department and other federal agencies. 

In response to these ongoing cyber threats, the Federal Communications Commission (FCC) has introduced new security regulations for telecommunications providers. These measures aim to prevent unauthorized access and interception of communications. Outgoing FCC Chairwoman Jessica Rosenworcel described these hacks as “one of the largest intelligence compromises ever seen.” 

The FCC is also proposing a requirement for communications service providers to submit an annual cybersecurity certification, ensuring that they have implemented risk management plans to strengthen defenses against cyber threats. 

Jen Easterly, Director of the Cybersecurity and Infrastructure Security Agency (CISA), warned that China’s advanced and well-funded cyber operations pose the most significant cyber threat to the U.S., particularly in the realm of critical infrastructure. 

Easterly revealed that Salt Typhoon had been detected on federal networks well before the group compromised U.S. telecommunications giants, including AT&T, Lumen Technologies, T-Mobile, and Verizon. 

These latest sanctions are part of an ongoing U.S. effort to combat malicious cyber activities linked to China. The Treasury Department has previously sanctioned:

  • Integrity Technology Group (linked to Flax Typhoon)
  • Sichuan Silence Information Technology (associated with Pacific Rim cyber operations)
  • Wuhan Xiaoruizhi Science and Technology Company (linked to APT31)

As cyber warfare escalates, the U.S. government is intensifying countermeasures to deter state-sponsored hacking campaigns targeting national security, government agencies, and private enterprises.

 
