CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership Jun 05, 2026

U.S. Sanctions Chinese Cybersecurity Firm Over Treasury Hack Tied to Silk Typhoon - The Hacker News

The Hacker News Archived Jun 05, 2026 ✓ Full text saved

U.S. Sanctions Chinese Cybersecurity Firm Over Treasury Hack Tied to Silk Typhoon The Hacker News

Full text archived locally
✦ AI Summary · Claude Sonnet


    U.S. Sanctions Chinese Cybersecurity Firm Over Treasury Hack Tied to Silk Typhoon Ravie LakshmananJan 18, 2025Cyber Espionage / Telecom Security The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) has imposed sanctions against a Chinese cybersecurity company and a Shanghai-based cyber actor for their alleged links to the Salt Typhoon group and the recent compromise of the federal agency. "People's Republic of China-linked (PRC) malicious cyber actors continue to target U.S. government systems, including the recent targeting of Treasury’s information technology (IT) systems, as well as sensitive U.S. critical infrastructure," the Treasury said in a press release. The sanctions target Yin Kecheng, who is assessed to have been a cyber actor for over a decade and affiliated with China's Ministry of State Security (MSS). Kecheng, per the Treasury, was associated with the breach of its own network that came to light earlier this month. The incident involved a hack of BeyondTrust's systems that allowed the threat actors to infiltrate some of the company's Remote Support SaaS instances by making use of a compromised Remote Support SaaS API key. The activity has been attributed to a nation-state group named Silk Typhoon (formerly Hafnium), which was linked to the then zero-day exploitation of multiple security flaws (aka ProxyLogon) in Microsoft Exchange Server in early 2021. According to a recent report from Bloomberg, the attackers are said to have broken into no less than 400 computers belonging to the Treasury and stole over 3,000 files, including policy and travel documents, organizational charts, material on sanctions and foreign investment, and 'Law Enforcement Sensitive' data. They also gained unauthorized access to computers used by Secretary Janet Yellen, Deputy Secretary Adewale Adeyemo, and Acting Under Secretary Bradley T. Smith, as well as material on investigations run by the Committee on Foreign Investment in the U.S., the report added.  It's believed that Silk Typhoon overlaps with a cluster tracked by Google-owned Mandiant under the moniker UNC5221, a China-nexus espionage actor known for its extensive weaponization of Ivanti zero-day vulnerabilities. The sanctions also target Sichuan Juxinhe Network Technology Co., LTD., a Sichuan-based cybersecurity company that the Treasury said was directly involved in a series of cyber attacks aimed at major U.S. telecommunication and internet service provider companies in the country. The activity has been associated with a different Chinese hacking group named Salt Typhoon (aka Earth Estries, FamousSparrow, GhostEmperor, and UNC2286). The threat actor is estimated to be active since at least 2019. "The MSS has maintained strong ties with multiple computer network exploitation companies, including Sichuan Juxinhe," the Treasury said. Separately, the Department of State's Rewards for Justice program is offering a reward of up to $10 million for information that could lead to the identification or location of any individuals who are acting at the direction or under the control of a foreign state-sponsored adversary and engage in malicious cyber activities against U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act. "The Treasury Department will continue to use its authorities to hold accountable malicious cyber actors who target the American people, our companies, and the United States government, including those who have targeted the Treasury Department specifically," Adeyemo said in a statement. The attacks on U.S. telecom service providers have since prompted the Federal Communications Commission (FCC) to issue new rules requiring companies operating in the sector to secure their networks from unlawful access or interception of communications. Outgoing FCC chairwoman Jessica Rosenworcel described the hacks as "one of the largest intelligence compromises ever seen." "That action is accompanied by a proposal to require communications service providers to submit an annual certification to the FCC attesting that they have created, updated, and implemented a cybersecurity risk management plan, which would strengthen communications from future cyber attacks," the FCC said. Earlier this week, Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency (CISA), said "China's sophisticated and well-resourced cyber program represents the most serious and significant cyber threat to our nation, and in particular, U.S. critical infrastructure." Easterly also revealed that Salt Typhoon was first detected on federal networks, much before the cyber espionage group burrowed into the networks of AT&T, Lumen Technologies, T-Mobile, Verizon, and other providers. The designations are just the latest in a long list of moves made by the Treasury in a bid to combat malicious cyber activity by Chinese threat actors. Previously sanctioned by the agency are three other companies, Integrity Technology Group (Flax Typhoon), Sichuan Silence Information Technology (Pacific Rim), and Wuhan Xiaoruizhi Science and Technology Company (APT31). Update Mandiant told The Hacker News that the cluster it tracks as UNC5221 likely overlaps with APT27 and Silk Typhoon, although it pointed out that it doesn't have "independent evidence" on its own to confirm these connections. For more details, refer here. (The story was updated after publication on April 5, 2025, to include information about the nature of overlaps between UNC5221 and Silk Typhoon.) Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share SHARE  Chinese Espionage, Cyber Attack, cybersecurity, Telecom Security, U.S. Treasury ⚡ Top Stories This Week ChatGPhish Vulnerability Turns ChatGPT Web Summaries Into a Phishing Surface ThreatsDay Bulletin: Claude Security Plugin, Azure Priv-Esc, Kali365 MFA Bypass, FIFA Scams +15 More PAN-OS GlobalProtect Authentication Bypass (CVE-2026-0257) Under Active Exploitation AI Chatbot Recommendations Redirect Users to Cryptojacking Malware Sites Microsoft Patches SharePoint RCE Flaw CVE-2026-45659 Across Server Versions Miasma Supply Chain Attack Compromises Red Hat npm Packages with Credential-Stealing Worm Oracle WebLogic CVE-2024-21182 Added to KEV Catalog After Active Exploitation Malicious npm Package Stole Files From Claude AI User Directory via GitHub Threat Actors Exploit Critical FortiClient EMS Flaw to Deploy Credential Stealer GlassWorm Malware Takedown Disrupts Developer Supply Chain Attack Infrastructure OpenAI Codex Authentication Tokens Stolen in codexui-android npm Supply Chain Attack ⚡ Weekly Recap: New Linux Flaw, PAN-OS Exploit, AI-Powered Attacks, OAuth Phishing and More Dashlane Discloses Brute-Force Attack, Encrypted Vaults of Fewer Than 20 Users Downloaded Google June 2026 Android Update Patches 124 Flaws, One Actively Exploited Microsoft Slams Public Zero-Day Disclosures Amid GitHub Researcher Account Removal Attackers Use LLM Agent for Post-Exploitation After Marimo CVE-2026-39987 Exploit Load More ▼ ⭐ Featured Resources Watch AI Turn Vulnerabilities Into Working Exploits in Minutes (See the Demo) [Guide] The Real Security Risks of Shadow AI (And Where You’re Exposed) Learn How to Stop Attacks Before They Reach Your EDR – With PHASR Your Employees Are Using AI in Ways You Can’t See – 2026 State of AI Report
    💬 Team Notes
    Article Info
    Source
    The Hacker News
    Category
    ◇ Industry News & Leadership
    Published
    Jun 05, 2026
    Archived
    Jun 05, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗