US Treasury Sanctions Integrity Technology Group for Aiding Chinese Hackers
The U.S. Treasury Department has officially sanctioned a technology firm based in Beijing, citing its involvement in activities that bolster the Flax Typhoon hacking group, a known state-sponsored threat actor from China. This action prohibits U.S. financial institutions and individuals from engaging in transactions with Integrity Technology Group, emphasizing the symbolic nature of these sanctions in the broader context of cybersecurity measures against nation-state actors.
According to the Treasury’s announcement, evidence suggests that Flax Typhoon leveraged infrastructure facilitated by Integrity Technology Group from the summer of 2022 through the fall of 2023. A comprehensive advisory issued by U.S. intelligence agencies indicated that Integrity Technology has been active in constructing and managing a botnet built on variants of the Mirai botnet code, whose source was first exposed to the public in 2016. Compromised Internet of Things devices of this kind let threat actors blend their malicious activity into legitimate network traffic.
The FBI recently led a concerted effort to dismantle a substantial Flax Typhoon botnet, comprising over 200,000 consumer devices, including routers and security cameras, distributed globally and within the U.S. This operation underscores the ongoing challenge posed by Chinese hackers, who reportedly launched a distributed denial-of-service attack in an attempt to obstruct the takedown, behavior consistent with the MITRE ATT&CK framework’s Defense Evasion tactic and with the deliberate disruption of response efforts.
In a 2023 campaign identified through Microsoft’s intelligence reports, Flax Typhoon extended its targeting to Taiwanese entities. The group is also tracked under other aliases, including Ethereal Panda and RedJuliett. Recent analysis by Recorded Future highlighted an escalation in cyberespionage activity against Taiwan, with attackers using open-source tools such as SoftEther VPN to obscure their tracks, serving both as command-and-control infrastructure and as a means of infiltrating Taiwanese academic institutions.
The intensified focus on Taiwanese servers is indicative of broader geopolitical tensions, particularly China’s ongoing cyber operations, including infiltration attempts against critical telecom infrastructure and potential prepositioning for conflict. These activities reflect a calculated strategy by Chinese state actors such as Volt Typhoon to prepare for a possible military confrontation over Taiwan.
Moreover, the Treasury’s own enforcement agency, the Office of Foreign Assets Control, was itself hit by a cyberattack believed to have been orchestrated by the same Chinese hackers. The incident highlights the efforts of foreign actors to gather advance intelligence on impending U.S. sanctions.
Documentation associated with the takedown of the Flax Typhoon botnet revealed that the group operated a command-and-control domain and used a MySQL database to manage the sprawling botnet. The software tools, including an application named “Sparrow,” were purportedly developed by Integrity Technology, with a patent application further affirming the company’s role in facilitating these activities. This serves as a reminder of the interconnectedness of cybersecurity threats and of the need for vigilant defenses against state-sponsored intrusions.
In summary, the events surrounding the Flax Typhoon hacking group and the corresponding U.S. sanctions against Integrity Technology Group underscore the evolving landscape of cyber threats emanating from state-sponsored actors. As firms navigate these complexities, heightened vigilance and preparedness will be essential in mitigating the risks posed by the actor-specific techniques documented in the MITRE ATT&CK framework.
Updated on January 3, 2025, at 17:06 UTC: This report has been amended to reflect the latest developments.