The US Department of the Treasury’s Office of Foreign Assets Control (OFAC) has announced sanctions against Integrity Technology Group, Incorporated (Integrity Tech), a Beijing-based cybersecurity company, for its involvement in multiple computer intrusion incidents targeting US entities. The cyberattacks have been linked to a Chinese state-sponsored Advanced Persistent Threat (APT) group tracked as Flax Typhoon that has been active since at least 2021.
Flax Typhoon has primarily targeted US critical infrastructure sectors, compromising computer networks across North America, Europe, Africa, and Asia, with a particular focus on Taiwan. The group exploits publicly known vulnerabilities to gain initial access to victims' systems and uses legitimate remote access software to maintain persistent control over compromised networks.
According to OFAC, Integrity Tech provided support for Flax Typhoon's malicious cyber activities. Between summer 2022 and fall 2023, the group routinely leveraged infrastructure tied to Integrity Tech during its exploitation campaigns. The group used virtual private network software and remote desktop protocols to infiltrate multiple US and European entities.
Last September, the Federal Bureau of Investigation (FBI), in coordination with the Cyber National Mission Force, National Security Agency (NSA), and Five Eyes intelligence partners, released a joint cybersecurity advisory detailing the tactics, techniques, and procedures (TTPs) employed by Flax Typhoon. The advisory also highlighted Integrity Tech’s role in supporting the group’s operations.
The US Treasury Department recently disclosed a significant breach of its systems, CNN reported. Aditi Hardikar, Assistant Secretary for Management at the Treasury, revealed that a threat actor used a stolen key to access Treasury workstations and unclassified documents.
The incident, which occurred on December 2, was discovered when a third-party software service provider, BeyondTrust, identified anomalous behavior in its Remote Support product. Hackers reportedly used the stolen key to override the service's security controls and gain remote access to several Treasury Department user workstations. BeyondTrust disclosed the breach publicly on December 8 and has since suspended the impacted instances of its product.
The breach has been attributed to a Chinese state-sponsored APT actor. Treasury officials have confirmed that the compromised service has been taken offline and that there is no evidence the threat actor retains access to Treasury systems or information.
Another Chinese state-backed hacking group, known as Salt Typhoon, has been linked to a wave of cyberattacks impacting major US telecom firms, including Verizon, AT&T, and Lumen. According to a recent Wall Street Journal report, the hackers compromised more companies than was previously known, including Charter Communications, Consolidated Communications (CCII.UL) and Windstream. The intruders also exploited unpatched network devices from security vendor Fortinet and breached large network routers made by Cisco Systems, the report said.