Wednesday, January 8, 2025

US Treasury sanctions Beijing’s Integrity Tech for Flax Typhoon cyber intrusions on critical infrastructure


The U.S. Department of the Treasury sanctioned Beijing-based cybersecurity vendor Integrity Tech for its role in multiple computer intrusion incidents against U.S. victims. These incidents have been publicly attributed to the Chinese state-sponsored malicious cyber group Flax Typhoon, which has been active since at least 2021 and often targets organizations within U.S. critical infrastructure sectors.

Through its Office of Foreign Assets Control (OFAC), the Treasury Department detailed that all property and interests in the property of Integrity Tech that are in the U.S. or the possession or control of U.S. persons are blocked and must be reported to OFAC. In addition, any entities that are owned, directly or indirectly, individually or in the aggregate, 50 percent or more by one or more blocked persons are also blocked. 

Furthermore, unless authorized by a general or specific license issued by OFAC, or exempt, OFAC’s regulations generally prohibit all transactions by U.S. persons or within (or transiting) the U.S. that involve any property or interests in property of designated or otherwise blocked persons. 

OFAC noted that between the summer of 2022 and the fall of 2023, Flax Typhoon hackers used infrastructure tied to Integrity Tech during their computer network exploitation activities against multiple victims. Flax Typhoon adversaries routinely sent information to, and received information from, Integrity Tech infrastructure during that time.

In addition, financial institutions and other persons that engage in certain transactions or activities with the sanctioned entities and individuals may expose themselves to sanctions or be subject to an enforcement action. The prohibitions against Integrity Tech include the making of any contribution or provision of funds, goods, or services by, to, or for the benefit of any designated person, or the receipt of any contribution or provision of funds, goods, or services from any such person. 

The power and integrity of OFAC sanctions derive not only from OFAC’s ability to designate and add persons to the SDN (Specially Designated Nationals) List but also from its willingness to remove persons from the SDN List consistent with the law. The ultimate goal of sanctions is not to punish, but to bring about a positive behavior change.

The Treasury Department’s action follows a Chinese espionage campaign that breached nine U.S. telecommunications firms, a top White House official confirmed in late December. The U.S. is preparing policy responses to this intrusion. Anne Neuberger, deputy national security adviser for cyber and emerging technology, revealed that the campaign, known as Salt Typhoon, has affected more companies than the previously known eight victims.

The additional company was uncovered after the federal government issued guidance to telecoms that detailed the Chinese techniques and how to spot them on their networks, Neuberger told reporters. “From that, yes, a ninth company was identified,” she said, though the White House has not identified the company.

Chinese malicious cyber actors continue to be one of the most active and persistent threats to U.S. national security, as highlighted in the 2024 Office of the Director of National Intelligence Annual Threat Assessment. These actors continue to target U.S. government systems as part of their efforts, including the recent targeting of Treasury’s own IT infrastructure.

“The Treasury Department will not hesitate to hold malicious cyber actors and their enablers accountable for their actions,” said Bradley T. Smith, acting under secretary of the Treasury for Terrorism and Financial Intelligence. “The United States will use all available tools to disrupt these threats as we continue working collaboratively to harden public and private sector cyber defenses.”

Flax Typhoon is a state-sponsored Chinese malicious cyber group that has been active since at least 2021, targeting organizations within U.S. critical infrastructure sectors. Flax Typhoon has compromised computer networks in North America, Europe, Africa, and across Asia, with a particular focus on Taiwan. Flax Typhoon exploits publicly known vulnerabilities to gain initial access to victims’ computers and then leverages legitimate remote access software to maintain persistent control over their network. Flax Typhoon hackers have targeted victims across industries. 

Between the summer of 2022 and the fall of 2023, Flax Typhoon actors accessed several hosts associated with U.S. and European entities. The actors maliciously used virtual private network software and remote desktop protocols to facilitate this access. In the summer of 2023, Flax Typhoon compromised multiple servers and workstations at a California-based entity.

OFAC is designating Integrity Tech under Executive Order (E.O.) 13694, as amended by E.O. 13757, for being responsible for or complicit in, or having engaged in, directly or indirectly, cyber-enabled activities originating from, or directed by persons located, in whole or in substantial part, outside the U.S. that are reasonably likely to result in, or have materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the U.S., and that have the purpose or effect of harming, or otherwise significantly compromising the provision of services by, a computer or network of computers that support one or more entities in a critical infrastructure sector.

Last September, the Federal Bureau of Investigation, in coordination with the Cyber National Mission Force, the National Security Agency, and Five Eyes partners, published a joint cybersecurity advisory that highlights the tactics, techniques, and procedures of Flax Typhoon, as well as Integrity Tech’s role in supporting its malicious cyber activities.

Fortress Information Security revealed in December that 90 percent of software products used by critical infrastructure organizations contain code developed in China. The software that powers U.S. utilities is filled with vulnerabilities, including many that are ‘highly exploitable.’ Researchers examined thousands of products and identified risk patterns.
