The U.S. Treasury Department today issued sanctions against Integrity Technology Group, a Beijing-based cybersecurity company, over its ties to a Chinese state-backed hacking group tracked as Flax Typhoon.
The sanctions were rolled out by the Treasury’s Office of Foreign Assets Control, or OFAC. The development comes a few weeks after OFAC was itself targeted by Chinese state-backed hackers. According to Treasury officials, the hackers breached several employees’ workstations using a key stolen from a third-party supplier and accessed unclassified documents.
Flax Typhoon is believed to have been active since 2021. The group, which includes hackers who work for Integrity Technology, gains initial access by exploiting known software vulnerabilities in target organizations’ infrastructure. After gaining that access, the hackers use legitimate applications such as virtual private network tools to compromise the victim’s systems further.
Flax Typhoon’s cyberattacks often target critical infrastructure companies in the U.S. The group has also breached organizations in multiple other countries. The targeted organizations included universities, government agencies, telecommunications providers and media organizations, the State Department detailed today.
Between the summer of 2022 and the fall of 2023, Flax Typhoon reportedly hacked into several computers “associated with U.S. and European entities.” In the summer of 2023, the group compromised multiple servers and workstations at a California-based organization.
Last September, the Federal Bureau of Investigation and a group of partner agencies shut down a large botnet that Flax Typhoon used to carry out cyberattacks. The botnet comprised 200,000 consumer devices including home routers, cameras and network-attached storage systems. The hackers disguised their cyberattacks as traffic from the compromised devices.
The systems in the botnet were infected with malware by Integrity Technology. After identifying the botnet, U.S. authorities took control of the infrastructure that Flax Typhoon used to manage the infected systems and remotely disabled the malware. According to the Justice Department, the hackers had unsuccessfully attempted to disrupt the remediation operation by launching a distributed denial-of-service attack.
“These multi-agency efforts reflect our whole-of-government approach to protecting and defending against PRC cyber threats to Americans, our critical systems, and those of our allies and partners,” said State Department spokesperson Matthew Miller.
A few months before shutting down Flax Typhoon’s botnet, U.S. authorities disrupted another botnet created by Chinese state-backed hackers. It consisted of several hundred SOHO, or small office and home office, routers in the U.S. The hacking group behind the botnet, Volt Typhoon, used it to disguise malicious network traffic generated as part of its cyberattacks.