U.S. Sanctions Chinese Cybersecurity Firm Over Treasury Hack Tied to Silk Typhoon - The Hacker News
The Hacker NewsArchived Jun 05, 2026✓ Full text saved
U.S. Sanctions Chinese Cybersecurity Firm Over Treasury Hack Tied to Silk Typhoon The Hacker News
Full text archived locally
✦ AI Summary· Claude Sonnet
U.S. Sanctions Chinese Cybersecurity Firm Over Treasury Hack Tied to Silk Typhoon
Ravie LakshmananJan 18, 2025Cyber Espionage / Telecom Security
The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) has imposed sanctions against a Chinese cybersecurity company and a Shanghai-based cyber actor for their alleged links to the Salt Typhoon group and the recent compromise of the federal agency.
"People's Republic of China-linked (PRC) malicious cyber actors continue to target U.S. government systems, including the recent targeting of Treasury’s information technology (IT) systems, as well as sensitive U.S. critical infrastructure," the Treasury said in a press release.
The sanctions target Yin Kecheng, who is assessed to have been a cyber actor for over a decade and affiliated with China's Ministry of State Security (MSS). Kecheng, per the Treasury, was associated with the breach of its own network that came to light earlier this month.
The incident involved a hack of BeyondTrust's systems that allowed the threat actors to infiltrate some of the company's Remote Support SaaS instances by making use of a compromised Remote Support SaaS API key. The activity has been attributed to a nation-state group named Silk Typhoon (formerly Hafnium), which was linked to the then zero-day exploitation of multiple security flaws (aka ProxyLogon) in Microsoft Exchange Server in early 2021.
According to a recent report from Bloomberg, the attackers are said to have broken into no less than 400 computers belonging to the Treasury and stole over 3,000 files, including policy and travel documents, organizational charts, material on sanctions and foreign investment, and 'Law Enforcement Sensitive' data.
They also gained unauthorized access to computers used by Secretary Janet Yellen, Deputy Secretary Adewale Adeyemo, and Acting Under Secretary Bradley T. Smith, as well as material on investigations run by the Committee on Foreign Investment in the U.S., the report added.
It's believed that Silk Typhoon overlaps with a cluster tracked by Google-owned Mandiant under the moniker UNC5221, a China-nexus espionage actor known for its extensive weaponization of Ivanti zero-day vulnerabilities.
The sanctions also target Sichuan Juxinhe Network Technology Co., LTD., a Sichuan-based cybersecurity company that the Treasury said was directly involved in a series of cyber attacks aimed at major U.S. telecommunication and internet service provider companies in the country.
The activity has been associated with a different Chinese hacking group named Salt Typhoon (aka Earth Estries, FamousSparrow, GhostEmperor, and UNC2286). The threat actor is estimated to be active since at least 2019.
"The MSS has maintained strong ties with multiple computer network exploitation companies, including Sichuan Juxinhe," the Treasury said.
Separately, the Department of State's Rewards for Justice program is offering a reward of up to $10 million for information that could lead to the identification or location of any individuals who are acting at the direction or under the control of a foreign state-sponsored adversary and engage in malicious cyber activities against U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act.
"The Treasury Department will continue to use its authorities to hold accountable malicious cyber actors who target the American people, our companies, and the United States government, including those who have targeted the Treasury Department specifically," Adeyemo said in a statement.
The attacks on U.S. telecom service providers have since prompted the Federal Communications Commission (FCC) to issue new rules requiring companies operating in the sector to secure their networks from unlawful access or interception of communications. Outgoing FCC chairwoman Jessica Rosenworcel described the hacks as "one of the largest intelligence compromises ever seen."
"That action is accompanied by a proposal to require communications service providers to submit an annual certification to the FCC attesting that they have created, updated, and implemented a cybersecurity risk management plan, which would strengthen communications from future cyber attacks," the FCC said.
Earlier this week, Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency (CISA), said "China's sophisticated and well-resourced cyber program represents the most serious and significant cyber threat to our nation, and in particular, U.S. critical infrastructure."
Easterly also revealed that Salt Typhoon was first detected on federal networks, much before the cyber espionage group burrowed into the networks of AT&T, Lumen Technologies, T-Mobile, Verizon, and other providers.
The designations are just the latest in a long list of moves made by the Treasury in a bid to combat malicious cyber activity by Chinese threat actors. Previously sanctioned by the agency are three other companies, Integrity Technology Group (Flax Typhoon), Sichuan Silence Information Technology (Pacific Rim), and Wuhan Xiaoruizhi Science and Technology Company (APT31).
Update
Mandiant told The Hacker News that the cluster it tracks as UNC5221 likely overlaps with APT27 and Silk Typhoon, although it pointed out that it doesn't have "independent evidence" on its own to confirm these connections. For more details, refer here.
(The story was updated after publication on April 5, 2025, to include information about the nature of overlaps between UNC5221 and Silk Typhoon.)
Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.
SHARE
Tweet
Share
Share
SHARE
Chinese Espionage, Cyber Attack, cybersecurity, Telecom Security, U.S. Treasury
⚡ Top Stories This Week
ChatGPhish Vulnerability Turns ChatGPT Web Summaries Into a Phishing Surface
ThreatsDay Bulletin: Claude Security Plugin, Azure Priv-Esc, Kali365 MFA Bypass, FIFA Scams +15 More
PAN-OS GlobalProtect Authentication Bypass (CVE-2026-0257) Under Active Exploitation
AI Chatbot Recommendations Redirect Users to Cryptojacking Malware Sites
Microsoft Patches SharePoint RCE Flaw CVE-2026-45659 Across Server Versions
Miasma Supply Chain Attack Compromises Red Hat npm Packages with Credential-Stealing Worm
Oracle WebLogic CVE-2024-21182 Added to KEV Catalog After Active Exploitation
Malicious npm Package Stole Files From Claude AI User Directory via GitHub
Threat Actors Exploit Critical FortiClient EMS Flaw to Deploy Credential Stealer
GlassWorm Malware Takedown Disrupts Developer Supply Chain Attack Infrastructure
OpenAI Codex Authentication Tokens Stolen in codexui-android npm Supply Chain Attack
⚡ Weekly Recap: New Linux Flaw, PAN-OS Exploit, AI-Powered Attacks, OAuth Phishing and More
Dashlane Discloses Brute-Force Attack, Encrypted Vaults of Fewer Than 20 Users Downloaded
Google June 2026 Android Update Patches 124 Flaws, One Actively Exploited
Microsoft Slams Public Zero-Day Disclosures Amid GitHub Researcher Account Removal
Attackers Use LLM Agent for Post-Exploitation After Marimo CVE-2026-39987 Exploit
Load More ▼
⭐ Featured Resources
Watch AI Turn Vulnerabilities Into Working Exploits in Minutes (See the Demo)
[Guide] The Real Security Risks of Shadow AI (And Where You’re Exposed)
Learn How to Stop Attacks Before They Reach Your EDR – With PHASR
Your Employees Are Using AI in Ways You Can’t See – 2026 State of AI Report