An alleged hacker named Yin Kecheng and a cybersecurity company called Sichuan Juxinhe Network Technology Co were sanctioned on Friday by the US Treasury Department for involvement in a string of hacks against American telecom companies.
Yin Kecheng is a Shanghai-based cyber actor affiliated with the PRC Ministry of State Security who has been associated with the recent breach of the Department of the Treasury's network.
Sichuan Juxinhe, a cybersecurity company based in Sichuan, was directly involved in Salt Typhoon's cyber-attacks.
PRC-linked Salt Typhoon espionage activity has resulted in numerous compromises of US telecommunications and internet service providers as part of a broad cyber espionage campaign that has been carried out for several years.
As a result of these intrusions, attributed to Salt Typhoon, a massive number of American call logs have been exposed to Chinese spies, raising alarms in the US intelligence community.
According to some lawmakers, the hackers also intercepted conversations of prominent politicians and government officials in the United States. Some lawmakers have described the intrusions as the worst hack on a telecom company in American history.
An agency within the U.S. Treasury Department (OFAC) has imposed sanctions on a Chinese cybersecurity firm and a Shanghai-based cyber actor in the wake of the recent compromise of a federal agency that appears to be connected to an organized criminal group known as Salt Typhoon.
After the attack, it was revealed that the attackers had targeted the Office of Foreign Assets Control (OFAC) in addition to the Treasury Secretary's Office.
According to a Washington Post report that cited unidentified US officials, China has been targeting the tools the US uses to achieve its national security objectives, such as economic sanctions against adversaries.
An update issued this week by the Cybersecurity and Infrastructure Security Agency (CISA) further supports the theory that the attack directly targeted the US structures that control foreign economic affairs.
"Malicious cyber actors linked to the People's Republic of China (PRC) continue to target U.S. government systems, including the recent cyberattacks on Treasury's information technology (IT) systems, as well as sensitive US critical infrastructure," according to the Treasury. Salt Typhoon, a group believed to be linked to the People's Republic of China, has also recently been reported to have breached nine major telecommunications firms in a huge attack on US critical infrastructure.
As a result of this, Verizon, AT&T, and Lumen Technologies were among the many victims, where threat actors had lurked in their networks for months. The Treasury's announcement is just one in a series of similar actions against Chinese threat actors. The company Integrity Technology Group, based in Beijing, was sanctioned on January 3 for its involvement in a Chinese state hacking group known as Flax Typhoon, which allegedly participated in the hacking.
In December, another Chinese hacking contractor, Sichuan Silence Information Technology, was blacklisted under U.S. sanctions, alongside an arrest warrant for a Chinese national accused of developing a zero-day exploit for Sophos firewalls while employed at Sichuan Silence.
Aside from the designations, there have been several other steps taken by the Treasury to combat malicious cyber activity originating from Chinese hackers.
The agency has previously sanctioned Integrity Technology Group (Flax Typhoon), Sichuan Silence Information Technology Company (Pacific Rim), and Wuhan Xiaoruizhi Science and Technology Company (APT31). A new executive order signed by the Biden administration on Thursday would extend Treasury's authority to sanction anyone complicit in hacking crimes under the extortion laws, signalling the administration's intention to pursue them more aggressively going forward.
Under the executive order of January 15, 2011, Treasury is empowered to sanction anyone who, directly or indirectly, enabled hacking, as well as anyone who knowingly uses hacked data for financial gain. The director of CISA, Easterly, wrote in a blog post dated January 15, 2009 that Beijing’s cyber program is very sophisticated and well-resourced, and that it poses a threat to critical infrastructure in the United States.
As Easterly pointed out, the administration has managed to eradicate some Chinese intrusions; however, cyber security and vigilance must be strengthened further across the public and private sectors to reduce the threat from these groups. In response, she said, CISA has developed three "lines of effort" aimed at addressing persistent threats and reducing the risk to American citizens. The first is to evict Chinese cyber actors from the victims' networks.
The second is collaborating on cyber defence with key industry partners in the fields of information technology, communications, and cybersecurity.
The third is the use of cybersecurity services such as CyberSentry, a threat detection capability managed by CISA, to reduce the risk posed by Chinese cybercriminals.
CISA also provides attack surface management, a form of cyber defence that involves identifying and mitigating the technology defects that give cyber threats an edge. Easterly noted that this service is already offered to more than 7,000 organizations that rely on critical services.
According to a recent Bloomberg report, the attackers broke into no fewer than 400 computers owned by the Treasury and stole more than 3,500 files. These include policy and travel documents, organizational charts, sanctions and foreign investment materials, as well as 'Law Enforcement Sensitive' materials.
Additionally, they gained unauthorized access to the computers of Secretary Janet Yellen, Deputy Secretary Adewale Adeyemo, and Acting Under Secretary Bradley T Smith, as well as to materials relating to investigations conducted by the Committee on Foreign Investment in the United States.
Silk Typhoon has been linked to a cluster of Chinese espionage actors known for extensive use of Ivanti zero-day vulnerabilities, which Google's Mandiant tracks under the moniker UNC5221.
Over the last year there has been an increasing number of court actions, which led to the arrest of hacking suspect Yin Kecheng in Shanghai and the imposition of sanctions against Sichuan Juxinhe Network Technology Co., LTD, restricting its ability to conduct business in the United States.
Earlier this month, the Treasury Department first sanctioned a Beijing-based cybersecurity company suspected of involvement in multiple cyberattacks targeting vital infrastructure in the United States.
U.S. accusations of hacking have been repeatedly denied by the Chinese government, including last month's dispute about the Treasury Department hacking allegations.
The sanctions announced on Friday do not provide any new details regarding the scope of the hack into the Treasury Department, which the agency said was discovered on December 8.
However, the third-party software provider BeyondTrust has disclosed that the hackers stole a key the vendor used to secure a cloud-based service that provides remote technical support to workers. This key allowed the hackers to override the service's security measures and gain remote access to several employee workstations.