U.S. Imposes Sanctions on Chinese Cybersecurity Company Linked to Treasury Hack Associated with Silk Typhoon.

The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) has sanctioned a Chinese cybersecurity firm and a Shanghai-based cyber actor for their alleged roles in Salt Typhoon activity and in the recent breach of the department’s own network.

According to a press release from the Treasury, “Malicious cyber actors linked to the People’s Republic of China (PRC) continue to target U.S. government systems, including the recent attacks on Treasury’s information technology (IT) systems and sensitive U.S. critical infrastructure.”

The sanctions specifically target Yin Kecheng, who has been active as a cyber actor for more than a decade and is believed to be affiliated with China’s Ministry of State Security (MSS). The Treasury noted that Yin was linked to the breach of its network that was revealed earlier this month.

This incident involved a hack of BeyondTrust’s systems, which enabled the threat actors to access some of the company’s Remote Support SaaS instances by exploiting a compromised Remote Support SaaS API key. This activity has been attributed to a nation-state group known as Silk Typhoon (previously referred to as Hafnium), which was connected to the zero-day exploitation of several security vulnerabilities (known as ProxyLogon) in Microsoft Exchange Server in early 2021.


According to a recent Bloomberg report, the attackers reportedly infiltrated at least 400 computers belonging to the Treasury, stealing over 3,000 files. These files included policy and travel documents, organizational charts, information on sanctions and foreign investments, as well as ‘Law Enforcement Sensitive’ data.

They also accessed computers used by Secretary Janet Yellen, Deputy Secretary Adewale Adeyemo, and Acting Under Secretary Bradley T. Smith, along with materials related to investigations conducted by the Committee on Foreign Investment in the U.S., the report noted.

It is believed that Silk Typhoon is linked to a group monitored by Google-owned Mandiant, known as UNC5221, which is a China-based espionage actor recognized for its significant exploitation of Ivanti zero-day vulnerabilities. The Hacker News has contacted Mandiant for additional comments and will provide updates if a response is received.

The sanctioned firm was designated for its involvement in the recent intrusions into major U.S. telecommunications and internet service providers.

That activity is attributed to a Chinese hacking group known as Salt Typhoon (also tracked as Earth Estries, FamousSparrow, GhostEmperor, and UNC2286), which has been active since at least 2019.

According to the Treasury, “The MSS has maintained strong ties with multiple computer network exploitation companies, including Sichuan Juxinhe.”

In a separate announcement, the Department of State’s Rewards for Justice program is offering a reward of up to $10 million for information that could help identify or locate individuals acting under the direction of a foreign state-sponsored adversary who engage in malicious cyber activities against U.S. critical infrastructure, in violation of the Computer Fraud and Abuse Act.

“The Treasury Department will continue to use its authorities to hold accountable malicious cyber actors who target the American people, our companies, and the United States government, including those who have specifically targeted the Treasury Department,” Adeyemo stated.

The attacks on U.S. telecom service providers have led the Federal Communications Commission (FCC) to implement new rules requiring companies in the sector to secure their networks against unlawful access or interception of communications. Outgoing FCC chairwoman Jessica Rosenworcel described these hacks as “one of the largest intelligence compromises ever seen.”

The FCC added, “That action is accompanied by a proposal to require communications service providers to submit an annual certification to the FCC, confirming that they have created, updated, and implemented a cybersecurity risk management plan, which would enhance defenses against future cyber attacks.”

Earlier this week, Jen Easterly, the director of the Cybersecurity and Infrastructure Security Agency (CISA), stated that “China’s sophisticated and well-resourced cyber program represents the most serious and significant cyber threat to our nation, particularly to U.S. critical infrastructure.”

Easterly also mentioned that Salt Typhoon was identified on federal networks well before the cyber espionage group infiltrated the systems of AT&T, Lumen Technologies, T-Mobile, Verizon, and other service providers.

These designations are the latest in a series of actions taken by the Treasury to address harmful cyber activities by Chinese threat actors. The agency has previously sanctioned three other companies: Integrity Technology Group (Flax Typhoon), Sichuan Silence Information Technology (Pacific Rim), and Wuhan Xiaoruizhi Science and Technology Company (APT31).
