Ethical Hacking News
U.S. Sanctions Chinese Cybersecurity Firm Over Treasury Hack Tied to Silk Typhoon
The development highlights the ongoing struggle between the United States and China over cyber espionage and national security.
The US government has imposed sanctions on a Chinese cybersecurity company and a Shanghai-based cyber actor for their alleged links to the Salt Typhoon group and to the recent compromise of the Treasury Department's information technology systems. The sanctions target Yin Kecheng, a Chinese national assessed to have been a cyber actor for over a decade and to be affiliated with China's Ministry of State Security. The Treasury Department alleges that Yin was associated with the breach of its own network and that the attack involved a hack of BeyondTrust's systems. The incident is connected to a nation-state group named Silk Typhoon, which was linked to the zero-day exploitation of multiple security flaws in Microsoft Exchange Server in early 2021. Over 3,000 files were stolen from the Treasury Department, including policy and travel documents, organizational charts, and 'Law Enforcement Sensitive' data. The sanctions also target Sichuan Juxinhe Network Technology Co., LTD., a cybersecurity company associated with a series of cyber attacks against US telecommunication companies.
The United States government has imposed sanctions on a Chinese cybersecurity company and a Shanghai-based cyber actor for their alleged links to the Salt Typhoon group and to the recent compromise of the U.S. Treasury Department's information technology systems. This development marks another significant escalation in the ongoing saga of cyber espionage between the U.S. and China, with the Treasury Department's Office of Foreign Assets Control (OFAC) being the latest entity to take action against Chinese malicious actors.
According to a press release issued by OFAC, the sanctions are aimed at Yin Kecheng, who is assessed to have been a cyber actor for over a decade and to be affiliated with China's Ministry of State Security (MSS). The Treasury Department alleges that Yin was associated with the breach of its own network that came to light earlier this month. Furthermore, it has been revealed that the attack on the Treasury's systems involved a hack of BeyondTrust's systems that allowed the threat actors to infiltrate some of the company's Remote Support SaaS instances by using a compromised Remote Support SaaS API key.
The incident is significant not only because of its impact on the Treasury Department but also because of its connection to a nation-state group named Silk Typhoon, which was linked to the then-zero-day exploitation of multiple security flaws (aka ProxyLogon) in Microsoft Exchange Server in early 2021. This exploit has been attributed to a cluster tracked by Google-owned Mandiant under the moniker UNC5221, a China-nexus espionage actor known for its extensive weaponization of Ivanti zero-day vulnerabilities.
According to Bloomberg, the attackers are said to have broken into no fewer than 400 computers belonging to the Treasury and stolen over 3,000 files, including policy and travel documents, organizational charts, material on sanctions and foreign investment, and 'Law Enforcement Sensitive' data. They also gained unauthorized access to computers used by Secretary Janet Yellen, Deputy Secretary Adewale Adeyemo, and Acting Under Secretary Bradley T. Smith, as well as material on investigations run by the Committee on Foreign Investment in the U.S., the report added.
The sanctions also target Sichuan Juxinhe Network Technology Co., LTD., a Sichuan-based cybersecurity company that the Treasury said was directly involved in a series of cyber attacks aimed at major U.S. telecommunication and internet service provider companies. This activity has been associated with a different Chinese hacking group named Salt Typhoon (aka Earth Estries, FamousSparrow, GhostEmperor, and UNC2286). The threat actor is estimated to have been active since at least 2019.
The Treasury Department described the MSS as having maintained strong ties with multiple computer network exploitation companies, including Sichuan Juxinhe. This move marks another significant step in the U.S. government's efforts to combat malicious cyber activity by Chinese threat actors.
Separately, the Department of State's Rewards for Justice program is offering a reward of up to $10 million for information that could lead to the identification or location of any individuals who are acting at the direction or under the control of a foreign state-sponsored adversary and engage in malicious cyber activities against U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act.
"The Treasury Department will continue to use its authorities to hold accountable malicious cyber actors who target the American people, our companies, and the United States government, including those who have targeted the Treasury Department specifically," Adeyemo said in a statement.
The attacks on U.S. telecom service providers have since prompted the Federal Communications Commission (FCC) to issue new rules requiring companies operating in the sector to secure their networks from unlawful access or interception of communications. Outgoing FCC chairwoman Jessica Rosenworcel described the hacks as "one of the largest intelligence compromises ever seen."
Earlier this week, Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency (CISA), said "China's sophisticated and well-resourced cyber program represents the most serious and significant cyber threat to our nation, and in particular, U.S. critical infrastructure."
This move marks another significant development in the ongoing saga of cyber espionage between the U.S. and China. The sanctions against Yin Kecheng and Sichuan Juxinhe Network Technology Co., LTD. are just the latest in a long list of moves made by the Treasury in a bid to combat malicious cyber activity by Chinese threat actors.
Previously sanctioned by the agency are three other companies, Integrity Technology Group (Flax Typhoon), Sichuan Silence Information Technology (Pacific Rim), and Wuhan Xiaoruizhi Science and Technology Company (APT31).
In response to this development, The Hacker News reached out to Mandiant for further comment, and we will update the story if we hear back.
Related Information:
https://thehackernews.com/2025/01/us-sanctions-chinese-cybersecurity-firm.html
https://quointelligence.eu/2024/01/unc5221-unreported-and-undetected-wirefire-web-shell-variant/
https://impulsec.com/cybersecurity-news/new-malware-emerges-in-attacks-exploiting-ivanti-vpn-vulnerabilities/
Published: Sat Jan 18 05:03:26 2025 by llama3.2 3B Q4_K_M