US sanctions prominent Chinese cyber company for role in Flax Typhoon attacks
A Chinese cybersecurity company has been sanctioned by the U.S. for its role in facilitating attacks conducted by a state-sponsored hacking group known for targeting critical infrastructure.
Beijing-based Integrity Technology Group provided the People’s Republic of China’s (PRC) Ministry of State Security and several Chinese state-backed hacking groups with infrastructure that allows them to attack multiple victims based in the U.S., according to U.S. officials.
The Treasury Department said Integrity Technology provided Flax Typhoon actors with infrastructure between the summer of 2022 and fall of 2023 — with the state-backed groups sharing and receiving information from the company.
In September, the Department of Justice disrupted a botnet of more than 260,000 consumer devices infected and controlled by Integrity Technology. At the same time, the FBI and National Security Agency published an advisory about tactics used by Flax Typhoon and Integrity Technology.
“Integrity Tech is a large PRC government contractor with ties to the Ministry of State Security. It provides services to country and municipal State Security and Public Security Bureaus, as well as other PRC cybersecurity government contractors,” State Department spokesperson Matthew Miller said on Friday.
“PRC-based hackers working for Integrity Tech, known to the private sector as ‘Flax Typhoon,’ were working at the direction of the PRC government, targeting critical infrastructure in the United States and overseas.”
The hackers have successfully targeted universities, government agencies, telecommunications providers and media organizations in the U.S. and elsewhere, Miller added.
The sanctions on Integrity Technology freeze all of the company’s assets under U.S. jurisdiction and prohibit U.S. persons, including financial institutions, from transacting with it.
Yongxin Zhicheng
The company, also known as Yongxin Zhicheng, is a cybersecurity business listed on the Shanghai stock exchange and has a market capitalization of around $318 million as well as revenues of roughly $56 million. The company’s official documents describe it as selling network security products and employing almost 500 people as of the end of 2023.
Integrity Technology is best known in China for developing the country’s cyber ranges — powerful training tools that simulate real-world platforms, networks and other digital systems. The company has touted its extensive government funding in the past and experts from Natto Thoughts said the company was founded in 2010 by Cai Jingjing — a legendary hacker in China.
Integrity Technology is also heavily involved in organizing the Chinese hacking competition Matrix Cup, giving it access to the country’s brightest cybersecurity talent.
In recent leaks from Chinese information security company i-SOON, Integrity Technology was named as one of its chief competitors and clients — highlighting the web of private companies employed by the Chinese state to facilitate its prolific hacking campaigns.
Flax Typhoon activity was initially identified publicly by researchers from Microsoft, who said the group has been at the forefront of attacks targeting Taiwan since 2021. The group is mainly targeting government agencies and education, critical manufacturing and information technology organizations in Taiwan, but Microsoft said it also saw victims across Southeast Asia, North America and Africa.
FBI director Christopher Wray said last year that Flax Typhoon infected internet of things (IoT) hardware like “cameras, video recorders and storage devices — things typically found across big and small organizations.”
Wray described Flax Typhoon as targeting “everyone from corporations and media organizations to universities and government agencies,” adding that about half of the hijacked devices in its botnet were located in the United States.
The FBI used a court authorization to remove the malware from infected devices and take control of Flax Typhoon’s internet infrastructure. According to the court documents, the botnet was developed and controlled by Integrity Technology. The company built out an online application allowing its customers to log in and control specified infected victim devices, including with a menu of malicious cyber commands using a tool called “vulnerability-arsenal.”
U.S. agencies said in September they found an Integrity Technology database for controlling the botnet that contained over 1.2 million records of compromised devices. The online application was prominently labelled “KRLab,” one of the main public brands used by Integrity Technology, according to the Justice Department.
The sanctions announcement comes just days after it was revealed that Chinese hackers broke into the Treasury Department’s sanctions office. In a letter to Congress last month, the Treasury Department said the hack was conducted through BeyondTrust, a third-party software provider.
Jonathan Greig
is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.