Full Report
The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) has imposed sanctions against a Chinese cybersecurity company and a Shanghai-based cyber actor for their alleged links to the Salt Typhoon group and the recent compromise of the federal agency. "People's Republic of China-linked (PRC) malicious cyber actors continue to target U.S. government systems, including the recent
Analysis Summary
# Threat Actor: Salt Typhoon (and associated entities/actors)
## Attribution & Identity
- **Attribution:** People's Republic of China-linked (PRC) malicious cyber actors, assessed to operate with nation-state capabilities and Ministry of State Security (MSS) ties.
- **Sanctioned Individuals/Entities:**
- **Yin Kecheng:** A Shanghai-based cyber actor assessed to have been active for over a decade and affiliated with China's Ministry of State Security (MSS).
- **Sichuan Juxinhe Network Technology Co., LTD.:** A Sichuan-based cybersecurity company directly involved in cyber attacks against U.S. telecom and ISP companies.
- **Known Aliases and Associated Groups:**
- Listed as being linked to cyber activity attributed to **Salt Typhoon**.
- Salt Typhoon aliases include **Earth Estries, FamousSparrow, GhostEmperor, and UNC2286**.
- The article also mentions **Silk Typhoon** (formerly Hafnium), the cluster behind the 2021 ProxyLogon exploitation, which is said to overlap with Mandiant's **UNC5221**. *(Note: the sanctions cover two distinct activities named in the OFAC announcement: the Salt Typhoon intrusions into U.S. telecom and ISP networks, and the separate compromise of the Treasury Department. The Treasury intrusion is the context in which Silk Typhoon is discussed, so the page effectively covers two PRC clusters rather than one.)*
## Activity Summary
- **Recent Campaigns:** Targeted U.S. government systems, including the Treasury Department's IT systems.
- **Specific Compromises:**
- Compromise of the U.S. Treasury network, resulting in the theft of **over 3,000 files** from at least **400 computers**, including policy and travel documents, organizational charts, sanctions material and law-enforcement-sensitive data, plus unauthorized access to computers used by Secretary Janet Yellen, Deputy Secretary Adewale Adeyemo, and Acting Under Secretary Bradley T. Smith.
- A series of cyber attacks aimed at major U.S. telecommunication and internet service provider (ISP) companies (including AT&T, Lumen Technologies, T-Mobile, and Verizon).
- **Timeline:** Salt Typhoon is estimated to be active since at least 2019.
## Tactics, Techniques & Procedures
- **Detection timeline (Salt Typhoon):** CISA reports it first detected Salt Typhoon activity on federal networks before the group moved into telecom networks; the page gives no details of the initial access vector used against the telecoms.
- **Initial Access (Silk Typhoon/UNC5221 linkage):** Exploitation of the Microsoft Exchange Server zero-day flaws (ProxyLogon) in early 2021.
- **Initial Access (Treasury breach):** Remote access to Treasury workstations was obtained with a compromised API key for BeyondTrust's Remote Support SaaS, following a compromise of **BeyondTrust's systems**; a vendor's trusted credential was abused rather than a flaw in Treasury's own perimeter.
- **Objective:** Espionage and intelligence gathering (sanctions intelligence, policy documents).
- **MITRE ATT&CK IDs:** Not explicitly provided in the text. As an editorial mapping (not a statement from the source), the described vectors correspond to T1190 (Exploit Public-Facing Application) for ProxyLogon and T1199 (Trusted Relationship) for the abused vendor API key.
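The vendor-API-key vector above is the one TTP on this page a defender can act on directly: a remote-support SaaS key that suddenly authenticates from outside the vendor's published egress ranges, or fans out across many workstations in minutes, is the signal to hunt for. The following is an added detection sketch written for this summary; it is not code from the article or from BeyondTrust. It assumes a hypothetical newline-delimited JSON audit log with `auth`, `key_id`, `src`, `target` and `session` fields, placeholder vendor egress CIDRs from the RFC 5737 documentation ranges, and constructed sample records; real log schemas and ranges must be substituted.

```python
"""Hunt for misuse of a remote-support vendor API key (editor's example).

Assumptions (not from the source): the remote-support platform emits one JSON
line per session recording how it authenticated ("api_key" or "interactive"),
the key identifier, the source address and the target host. The SOC keeps an
allowlist of the vendor's published egress ranges. All records below are
constructed test data using RFC 5737 documentation addresses.
"""
import ipaddress
import json
from datetime import datetime, timedelta

# Constructed allowlist: placeholder ranges, NOT the real vendor's addresses.
VENDOR_EGRESS = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.0/24")]

# Constructed audit records: two benign sessions, then one key used from an
# unknown address against three workstations within a few minutes.
SAMPLE_LOG = """\
{"ts":"2024-12-02T14:01:07Z","auth":"interactive","user":"helpdesk1","src":"203.0.113.10","target":"WS-0412","session":"s1"}
{"ts":"2024-12-02T14:03:19Z","auth":"api_key","key_id":"rs-prod-01","src":"203.0.113.22","target":"WS-0412","session":"s2"}
{"ts":"2024-12-04T02:17:44Z","auth":"api_key","key_id":"rs-prod-01","src":"192.0.2.77","target":"WS-0099","session":"s3"}
{"ts":"2024-12-04T02:19:02Z","auth":"api_key","key_id":"rs-prod-01","src":"192.0.2.77","target":"WS-0100","session":"s4"}
{"ts":"2024-12-04T02:20:31Z","auth":"api_key","key_id":"rs-prod-01","src":"192.0.2.77","target":"WS-0101","session":"s5"}
"""


def parse_log(text):
    """Parse newline-delimited JSON records; drop blank or malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
            rec["src_ip"] = ipaddress.ip_address(rec["src"])
        except (ValueError, KeyError):
            continue  # a malformed record must not crash the detector
        records.append(rec)
    return records


def is_vendor_source(ip):
    """True if the address falls inside a published vendor egress range."""
    return any(ip in net for net in VENDOR_EGRESS)


def find_suspicious_sessions(records, fanout_threshold=3, window_minutes=10):
    """Return {session_id: [reasons]} for API-key sessions that look like key misuse.

    Signal 1: the key was presented from an address outside the vendor ranges.
    Signal 2: one (key, source) pair reached >= fanout_threshold distinct
              targets inside a sliding window, i.e. lateral fan-out.
    """
    findings = {}
    api_sessions = sorted((r for r in records if r.get("auth") == "api_key"),
                          key=lambda r: r["ts"])

    for rec in api_sessions:
        if not is_vendor_source(rec["src_ip"]):
            findings.setdefault(rec["session"], []).append(
                f"api_key {rec['key_id']} used from non-vendor source {rec['src']}")

    window = timedelta(minutes=window_minutes)
    groups = {}
    for rec in api_sessions:
        groups.setdefault((rec["key_id"], rec["src"]), []).append(rec)

    for (key_id, src), recs in groups.items():
        for i, anchor in enumerate(recs):
            in_window = [r for r in recs[i:] if r["ts"] - anchor["ts"] <= window]
            targets = {r["target"] for r in in_window}
            if len(targets) >= fanout_threshold:
                reason = (f"key {key_id} from {src} reached {len(targets)} hosts "
                          f"within {window_minutes} min")
                for r in in_window:
                    reasons = findings.setdefault(r["session"], [])
                    if reason not in reasons:
                        reasons.append(reason)
                break  # one fan-out finding per (key, source) pair is enough
    return findings


if __name__ == "__main__":
    for session, reasons in find_suspicious_sessions(parse_log(SAMPLE_LOG)).items():
        print(session, "->", "; ".join(reasons))
```

Sessions s3, s4 and s5 are flagged twice each (non-vendor source and fan-out) while the interactive session and the key use from an allowlisted address pass. In production the allowlist belongs in a lookup the SOC maintains, and the fan-out threshold should be tuned against a baseline of legitimate support volume so that a busy helpdesk does not page on-call.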
## Targeting
- **Sectors:**
- U.S. Federal Government (specifically the Treasury Department).
- U.S. Critical Infrastructure, including major Telecommunication and Internet Service Providers (AT&T, Lumen Technologies, T-Mobile, Verizon).
- **Geography:** United States.
- **Victims:** Treasury Department, Secretary Janet Yellen, Deputy Secretary Adewale Adeyemo, Acting Under Secretary Bradley T. Smith, and several major U.S. telecom/ISP companies.
## Tools & Infrastructure
- **Malware Families Used:** Not explicitly named.
- **Infrastructure:** No network indicators are given. The sanctioned company is described as one of the computer network exploitation contractors with which the MSS maintains ties, and the Treasury intrusion rode a vendor's legitimate remote-support channel rather than dedicated attacker infrastructure.
## Implications
- The activity represents a significant state-sponsored espionage threat to sensitive U.S. government information and to critical infrastructure (telecoms and ISPs), with the Treasury case showing that a trusted third-party vendor is part of the attack surface.
- CISA views China's cyber program as the "most serious and significant cyber threat to our nation."
- The scale of the Treasury breach (3,000+ files stolen) suggests a deep compromise focused on policy and sanctions intelligence.
- The actions have prompted regulatory reactions from the FCC requiring heightened security measures across the communications sector.
## Mitigations
- Implementation of cybersecurity risk management plans by communications service providers (as proposed by the FCC).
- Securing networks against unlawful access or interception of communications (prompted by FCC action).
- General strengthening of resilience against PRC cyber threats (per CISA guidance).
- Following from the Treasury vector described above (an editorial addition, not a measure named in the source): treat remote-support vendor API keys as privileged credentials, restrict where they may be used from, monitor their use, and rotate them immediately on any vendor compromise notice.