The US government has issued sanctions against a China-based cybersecurity company for its involvement in a large-scale botnet targeting American organizations, including critical infrastructure.
Beijing-based Integrity Technology Group has been accused of playing a role in multiple computer intrusion incidents attributed to Flax Typhoon, a Chinese state-sponsored cyber group that has been active since at least 2021.
Flax Typhoon has compromised computer networks in North America, Europe, Africa and across Asia, with a particular focus on Taiwan. It exploits publicly known vulnerabilities to gain initial access to victims’ systems and then relies on legitimate remote access software, rather than custom malware, to maintain persistent control over their networks, which makes the activity harder to distinguish from routine administration.
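The practical check that follows from this pattern is to hunt for remote-access and tunnelling tools that nobody approved. The Python below is an added example (not code from the article, the advisory or any vendor): it parses `ss -tunap`-style socket output from a Linux host and flags sockets owned by known remote-access tools, plus any listener that is not in an approved baseline. The tool-name list, the baseline and the sample output are constructed assumptions for the example; tune them to your own estate.

```python
import re
from dataclasses import dataclass

# Process names of legitimate remote-access / tunnelling tools that an intruder
# can also use for persistence. Illustrative list (assumption), not from the article.
REMOTE_ACCESS_TOOLS = {
    "vpnserver", "vpncmd", "anydesk", "teamviewer", "rustdesk", "ngrok", "frpc", "chisel",
}

# Baseline of expected listeners as (process name, local port). Constructed example.
APPROVED_LISTENERS = {("sshd", 22), ("nginx", 443)}

# One data row of `ss -tunap`: proto, state, recv-q, send-q, local, peer, users:((...))
SS_ROW = re.compile(
    r"^(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+\d+\s+\d+\s+"
    r"(?P<local>\S+)\s+(?P<peer>\S+)\s+users:\(\((?P<users>.*)\)\)\s*$"
)
# Each ("name",pid=N,fd=M) entry inside the users:((...)) column.
USER_ENTRY = re.compile(r'"(?P<name>[^"]+)",pid=(?P<pid>\d+)')


@dataclass(frozen=True)
class Finding:
    process: str
    pid: int
    local: str
    peer: str
    reason: str


def _port(addr: str) -> int:
    # Works for 0.0.0.0:5555, [::]:5555 and *:5555 (split on the last colon only).
    return int(addr.rsplit(":", 1)[1])


def find_unapproved_remote_access(ss_output: str,
                                  tools=REMOTE_ACCESS_TOOLS,
                                  approved=APPROVED_LISTENERS):
    """Return Findings for sockets owned by remote-access tools or by
    listeners that are absent from the approved baseline."""
    findings = []
    for raw in ss_output.splitlines():
        row = SS_ROW.match(raw.strip())
        if not row:
            continue  # header line or a socket with no owning process
        port = _port(row["local"])
        for entry in USER_ENTRY.finditer(row["users"]):
            name, pid = entry["name"], int(entry["pid"])
            if name.lower() in tools:
                findings.append(Finding(name, pid, row["local"], row["peer"],
                                        "known remote-access tool"))
            elif row["state"] == "LISTEN" and (name, port) not in approved:
                findings.append(Finding(name, pid, row["local"], row["peer"],
                                        "listener not in baseline"))
    return findings


# Constructed sample output in the layout `ss -tunap` prints; not captured from a real host.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511    0.0.0.0:443         0.0.0.0:*         users:(("nginx",pid=901,fd=6),("nginx",pid=902,fd=6))
tcp   LISTEN 0      128    0.0.0.0:5555        0.0.0.0:*         users:(("vpnserver",pid=1337,fd=7))
tcp   LISTEN 0      128    0.0.0.0:8080        0.0.0.0:*         users:(("python3",pid=1501,fd=4))
tcp   ESTAB  0      0      10.0.0.5:443        203.0.113.9:48122 users:(("nginx",pid=902,fd=12))
tcp   ESTAB  0      0      10.0.0.5:40112      198.51.100.7:443  users:(("anydesk",pid=2201,fd=9))
"""


def run_sample():
    """Analyse the constructed sample; used by the demo below and by tests."""
    return find_unapproved_remote_access(SAMPLE_SS_OUTPUT)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.reason}: {f.process} (pid {f.pid}) {f.local} -> {f.peer}")
```

On a real host, feed the function the text of `ss -tunap` (run as root so process names are populated). The two signals are deliberately separate: a tool-name match is a direct hit for the persistence technique described above, while the baseline check catches renamed binaries or tools missing from the list by asking the more general question of which listeners you did not expect.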
In September 2024, a joint cybersecurity advisory from the National Security Agency (NSA), the FBI and the Cyber National Mission Force (CNMF) detailed how the botnet operates. It is believed to consist of more than 260,000 compromised devices, which are infected with a variant of the Mirai malware family.
The compromised devices include firewalls, network-attached storage (NAS) devices, small office/home office (SoHo) routers and IoT devices such as webcams. A botnet of this kind can be used for distributed denial of service (DDoS) attacks, as infrastructure for compromising further networks or for malware delivery.
The Department of the Treasury’s Office of Foreign Assets Control (OFAC) said that between summer 2022 and fall 2023, Flax Typhoon actors used infrastructure tied to Integrity Technology during their computer network exploitation activities against multiple victims. During that time, Flax Typhoon routinely sent and received information from Integrity Technology infrastructure.
As a result, any property or interests in property of Integrity Technology that are in the US or held by US persons are blocked, and US persons, including financial institutions, are generally prohibited from engaging in transactions with the company.
Chinese Hackers Posing Persistent Threat to the US
OFAC described Chinese state-affiliated actors as “one of the most active and persistent threats to US national security,” noting that they regularly target US government systems.
Acting Under Secretary of the Treasury for Terrorism and Financial Intelligence, Bradley T. Smith, commented: “The Treasury Department will not hesitate to hold malicious cyber actors and their enablers accountable for their actions. The United States will use all available tools to disrupt these threats as we continue working collaboratively to harden public and private sector cyber defenses.”
The announcement comes just days after the Department of the Treasury revealed that Chinese state-backed hackers had compromised some of its workstations and accessed unclassified documents via a compromised key for a remote support service provided by a third-party cybersecurity vendor, BeyondTrust.
Last year, the US warned that the group Volt Typhoon had been infiltrating the networks of US critical infrastructure organizations. This activity is assessed as pre-positioning: access acquired in advance so that critical services could be disrupted or destroyed in the event of escalating geopolitical tensions or a military conflict involving the United States and its allies.