US sanctions Chinese company linked to Flax Typhoon hackers

​The U.S. Treasury Department has sanctioned Beijing-based cybersecurity company Integrity Tech for its involvement in cyberattacks attributed to the Chinese state-sponsored Flax Typhoon hacking group.

As the Treasury's Office of Foreign Assets Control (OFAC) said on Friday, the Chinese state-sponsored hackers used the company's infrastructure to launch attacks targeting networks of victims in Europe and the United States for over a year, starting in the summer of 2022.

"Between summer 2022 and fall 2023, Flax Typhoon actors used infrastructure tied to Integrity Tech during their computer network exploitation activities against multiple victims. During that time, Flax Typhoon routinely sent and received information from Integrity Tech infrastructure," OFAC said.

"The actors maliciously used virtual private network software and remote desktop protocols to facilitate this access. In summer 2023, Flax Typhoon compromised multiple servers and workstations at a California-based entity."

These sanctions follow a September 2024 court-authorized operation to disrupt a botnet of hundreds of thousands of consumer and small business devices in the U.S. and worldwide, tracked as "Raptor Train" and controlled by Integrity Tech (also known as Yongxin Zhicheng).

As the FBI revealed at the time, in coordination with the Cyber National Mission Force, NSA, and Five Eye partners, Flax Typhoon used this botnet for DDoS attacks and as a proxy to launch stealthy attacks against entities in the military, government, higher education, telecommunications, defense industrial base (DIB), and IT sectors, mainly in the U.S. and Taiwan.

Within four years of activity, since May 2020, Raptor Train grew into a massive, multi-tiered network with an enterprise-grade control system and infected over 260,000 networking devices, including routers and modems, NVRs and DVRs, IP cameras, and network-attached storage (NAS) servers.

"Integrity Tech is a large PRC government contractor with ties to the Ministry of State Security. It provides services to country and municipal State Security and Public Security Bureaus, as well as other PRC cybersecurity government contractors," the State Department added today.

"PRC-based hackers working for Integrity Tech, known to the private sector as 'Flax Typhoon,' were working at the direction of the PRC government, targeting critical infrastructure in the United States and overseas."

Following today's sanctions, U.S. organizations and citizens are prohibited from conducting transactions with Integrity Tech (short for Integrity Technology Group, Incorporated). Additionally, any assets in the U.S. associated with them will be frozen. U.S. financial institutions and foreign entities that engage in transactions with them may also face penalties.

On Monday, the Treasury Department disclosed that unknown Chinese government threat actors had hacked its network. Since then, U.S. officials have stated that the attackers specifically targeted the agency's OFAC department, likely to collect intelligence on future sanctions targeting Chinese individuals and organizations.

Another Chinese state-backed hacking group tracked as "Salt Typhoon" has also been linked to a wave of breaches impacting nine U.S. telecom firms, including Verizon, AT&T, and Lumen.