The United States Department of Treasury’s Office of Foreign Assets Control (OFAC) sanctioned a Beijing-based cybersecurity company and accused it of supporting a group of hackers who had attacked American organizations.
The OFAC said Integrity Technology Group was involved in multiple computer intrusion incidents against US victims. These incidents have been publicly attributed to Flax Typhoon, a Chinese malicious state-sponsored cyber group that has been active since at least 2021, often targeting organizations within US critical infrastructure sectors.
“The Treasury Department will not hesitate to hold malicious cyber actors and their enablers accountable for their actions,” said Bradley Smith, acting undersecretary of the Treasury for Terrorism and Financial Intelligence. “The US will use all available tools to disrupt these threats as we continue working collaboratively to harden public and private sector cyber defenses.”
According to the OFAC, Flax Typhoon has compromised computer networks in North America, Europe, Africa, and across Asia, with a particular focus on Taiwan. It exploits publicly known vulnerabilities to gain initial access to victims’ computers and then leverages legitimate remote access software to maintain persistent control over their networks.
Between mid-2022 and late 2023, OFAC said, Flax Typhoon actors used infrastructure tied to Integrity Tech during hacking activities against multiple victims. During that time, Flax Typhoon routinely sent and received information from Integrity Technology infrastructure.
“On this kind of unwarranted and groundless allegations, we’ve made clear our position more than once,” Mao Ning, a spokesperson of the Chinese Foreign Ministry, said in a media briefing. “China opposes all forms of hacking and, in particular, we oppose spreading China-related disinformation motivated by political agenda.”
The China Daily, a state-owned newspaper, said in its editorial on January 2 that the US used advanced technologies to insert Chinese words and codes into malware in the attacked systems to make the public think that Flax Typhoon is related to China.
It said Washington should discuss cybersecurity with Beijing in working groups, instead of “spending its time concocting another far-fetched plot in which Beijing plays the baddie.”
“The US was inferior to others in cybersecurity skills,” a Fujian-based columnist using the pseudonym “Little Penguin” says in an article published on January 4. “In anger, it began to pour dirty water on China.”
“The US itself is the initiator of cyber attacks. In 2007, the US and Israel implanted a computer virus into the computer system of Iran’s Natanz nuclear facility, causing the failure of more than a thousand centrifuges there,” the writer says.
He says that, as the US has for a very long time failed to break into China’s cybersecurity system, it tried to use other means such as sanctions to attack Chinese companies.
The OFAC’s latest sanction came after the US Justice Department on September 18, 2024, announced a court-authorized law enforcement operation that disrupted a botnet consisting of more than 200,000 consumer devices (so-called “zombies” in computer jargon) in the US and worldwide.
According to Texas-based cybersecurity firm CrowdStrike, apart from Flax Typhoon, two other China-based targeted intrusion adversaries, called Ethereal Panda and Volt Typhoon, also became active in 2021.
Volt Typhoon
On May 24, 2023, Microsoft said Volt Typhoon targeted critical infrastructure organizations in Guam and elsewhere in the US. On August 24 of the same year, it said Flax Typhoon targeted dozens of organizations in Taiwan with the key intention of performing espionage.
In February 2024, the Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA) and Federal Bureau of Investigation (FBI) said in a report that the People’s Republic of China’s state-sponsored cyber actors are seeking to pre-position themselves for cyberattacks in the event of a major crisis or conflict with the US.
The Five Eyes countries’ Joint Cybersecurity Advisory said Volt Typhoon might launch destructive cyberattacks against critical infrastructure in the US and allied nations.
In March, Michael Regan, administrator of the US Environmental Protection Agency, and Jake Sullivan, national security advisor to the president, told US state governors in a letter that Volt Typhoon’s cyberattacks were striking water and wastewater systems throughout the US.
On April 15 last year, China’s National Computer Virus Emergency Response Center (CVERC) and the 360 Digital Security Group jointly published a report titled “Volt Typhoon: A Conspiratorial Swindling Campaign Targets with US Congress and Taxpayers Conducted by US Intelligence Community.”
“Volt Typhoon is actually a ransomware cybercriminal group that calls itself the ‘Dark Power’ and is not sponsored by any state or region,” Foreign Ministry spokesperson Lin Jian said last April, citing the CVERC report.
He added that some in the US have been using origin-tracing of cyberattacks as a tool to hit and frame China, claiming that the US is the victim while it’s the other way around and politicizing cybersecurity issues.
“The latest criticism against China is only the tip of an iceberg,” Cao Xing, a professor at China University of Political Science and Law in Beijing, says in an article published on January 3.
“Looking back on the past few years, it is not difficult to find that the US has tied ‘cyber threats’ to China from time to time,” Cao says. “For example, the US had blamed China after the email accounts of senior US officials including the US Ambassador to China were hacked.”
He says China’s investigations have already shown that the United States’ accusations were groundless. He says as the complex internet environment may have become a stage for “modern warfare,” it’s better for the world to cooperate and address the issues, instead of having blind confrontation.
In an annual report submitted to the US Congress on December 18, the US Department of Defense said that since at least 2019, Volt Typhoon has been compromising and prepositioning itself on US critical infrastructure organizations’ networks to enable disruption or destruction of critical services in the event of increased geopolitical tensions or military conflict with the US and its allies.
The department said Volt Typhoon’s targets span multiple critical infrastructure sectors – including communications, energy, transportation systems and water – in the continental and non-continental US and its territories, including Guam.
It said China’s state-sponsored hackers continued to target US defense organizations throughout 2023 and stole sensitive information for economic and military advantage.
“The targeted information can benefit the PRC’s defense high-technology industries, support the PRC’s military modernization, provide the PRC’s leadership with insights into US plans and intentions, and enable diplomatic negotiations,” it said.
Yong Jian is a contributor to the Asia Times. He is a Chinese journalist who specializes in Chinese technology, economy and politics.