U.S. Sanctions Chinese Entities Over Cyber Espionage and Federal Network Breach

The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) has imposed sanctions on a Chinese cybersecurity firm and a Shanghai-based cyber actor for alleged ties to the Salt Typhoon group and a recent breach of the federal agency's network. 

In a press release, the Treasury stated that cyber actors linked to the People's Republic of China (PRC) continue to target U.S. government systems, including its IT infrastructure, and sensitive critical infrastructure. The sanctions target Yin Kecheng, a cyber operator with over a decade of experience reportedly connected to China's Ministry of State Security (MSS). The Treasury accuses Kecheng of involvement in the breach of its network, which was disclosed earlier this month.

The breach exploited BeyondTrust's systems, using a compromised Remote Support SaaS API key to infiltrate the company's SaaS instances. The operation was attributed to Silk Typhoon (formerly Hafnium), a state-sponsored group known for exploiting multiple Microsoft Exchange Server vulnerabilities in 2021. Reports suggest the attackers accessed at least 400 Treasury computers, stealing over 3,000 files, including sensitive documents, policy information, and organizational charts. They also gained unauthorized access to computers used by senior officials, including Secretary Janet Yellen.

Silk Typhoon, also tracked as UNC5221 by Mandiant, has a history of leveraging zero-day vulnerabilities for cyber espionage. Meanwhile, the sanctions also target Sichuan Juxinhe Network Technology Co., Ltd., a cybersecurity firm allegedly involved in attacks on U.S. telecommunications and internet service providers, attributed to the Salt Typhoon group (also known as Earth Estries and GhostEmperor). This group has reportedly been active since 2019 and has connections to MSS operations.

The State Department's Rewards for Justice program is offering up to $10 million for information leading to individuals engaging in cyberattacks against U.S. critical infrastructure under foreign state sponsorship.

In response to the telecom attacks, the Federal Communications Commission (FCC) has issued new rules requiring network operators to enhance cybersecurity measures. The proposal includes annual certifications attesting to updated cybersecurity risk management plans to prevent future breaches.

CISA Director Jen Easterly emphasized that China’s advanced cyber operations pose the most significant threat to U.S. critical infrastructure. She also revealed that Salt Typhoon was detected on federal networks before infiltrating major telecom providers like AT&T, Verizon, and T-Mobile. These sanctions are part of broader efforts by the Treasury to counter China-linked cyber activities, building on previous measures against other MSS-linked companies.