Threat Actor: Flax Typhoon | Flax Typhoon
Victim: Various entities in the U.S. and Europe | U.S. and European networks
Key Point :
- Integrity Tech provided infrastructure used by Flax Typhoon for cyberattacks over a year, starting in summer 2022.
- The Treasury’s sanctions prohibit U.S. organizations from conducting transactions with Integrity Tech and freeze any associated U.S. assets.
- Flax Typhoon exploited a botnet, Raptor Train, to launch DDoS attacks and target critical infrastructure sectors.
- Integrity Tech is linked to the Chinese government and has ties to the Ministry of State Security.
- Recent hacking incidents have also implicated another Chinese group, Salt Typhoon, in breaches affecting major U.S. telecom firms.
The U.S. Treasury Department has sanctioned Beijing-based cybersecurity company Integrity Tech for its involvement in cyberattacks attributed to the Chinese state-sponsored Flax Typhoon hacking group.
As the Treasury’s Office of Foreign Assets Control (OFAC) said on Friday, the Chinese state-sponsored hackers used the company’s infrastructure to launch attacks targeting networks of victims in Europe and the United States for over a year, starting in the summer of 2022.
“Between summer 2022 and fall 2023, Flax Typhoon actors used infrastructure tied to Integrity Tech during their computer network exploitation activities against multiple victims. During that time, Flax Typhoon routinely sent and received information from Integrity Tech infrastructure,” OFAC said.
“The actors maliciously used virtual private network software and remote desktop protocols to facilitate this access. In summer 2023, Flax Typhoon compromised multiple servers and workstations at a California-based entity.”
These sanctions follow a September 2024 court-authorized operation to disrupt a botnet of hundreds of thousands of consumer and small business devices in the U.S. and worldwide, tracked as “Raptor Train” and controlled by Integrity Tech (also known as Yongxin Zhicheng).
As the FBI revealed at the time, in coordination with the Cyber National Mission Force, NSA, and Five Eye partners, Flax Typhoon used this botnet for DDoS attacks and as a proxy to launch stealthy attacks against entities in the military, government, higher education, telecommunications, defense industrial base (DIB), and IT sectors, mainly in the U.S. and Taiwan.
Within four years of activity, since May 2020, Raptor Train grew into a massive, multi-tiered network with an enterprise-grade control system and infected over 260,000 networking devices, including routers and modems, NVRs and DVRs, IP cameras, and network-attached storage (NAS) servers.
“Integrity Tech is a large PRC government contractor with ties to the Ministry of State Security. It provides services to country and municipal State Security and Public Security Bureaus, as well as other PRC cybersecurity government contractors,” the State Department added today.
“PRC-based hackers working for Integrity Tech, known to the private sector as ‘Flax Typhoon,’ were working at the direction of the PRC government, targeting critical infrastructure in the United States and overseas.”
Following today’s sanctions, U.S. organizations and citizens are prohibited from conducting transactions with Integrity Tech (short for Integrity Technology Group, Incorporated). Additionally, any assets in the U.S. associated with them will be frozen. U.S. financial institutions and foreign entities that engage in transactions with them may also face penalties.
On Monday, the Treasury Department disclosed that unknown Chinese government threat actors had hacked its network. Since then, U.S. officials have stated that the attackers specifically targeted the agency’s OFAC department, likely to collect intelligence on future sanctions targeting Chinese individuals and organizations.
Another Chinese state-backed hacking group tracked as “Salt Typhoon” has also been linked to a wave of breaches impacting nine U.S. telecom firms, including Verizon, AT&T, and Lumen.