Treasury sanctions Chinese cybersecurity company, affiliate for Salt Typhoon hacks 

The Department of the Treasury has sanctioned a Chinese national and a cybersecurity company based in Sichuan, China, for taking part in the Salt Typhoon hacking campaign that has swept up data from at least nine U.S. telecommunications companies.

The department’s Office of Foreign Assets Control (OFAC) named Yin Kecheng of Shanghai and the Sichuan Juxinhe Network Technology Co. Ltd., as entities that had “direct involvement” in the Salt Typhoon campaign. Kecheng is described as an affiliate of the Chinese Ministry of State Security with over a decade of hacking experience.

Kecheng is also alleged to have been involved in a recent hack of the Treasury Department.

The Sichuan Juxinhe Network Technology Co. is described by Treasury officials as part of a group of computer network exploitation contractors used by the MSS to carry out hacking operations abroad. The company “had direct involvement in the exploitation of these U.S. telecommunication and internet service provider companies,” according to the announcement.

It’s the first formal attribution by the U.S. government to specific actors for the Salt Typhoon campaign, which has roiled Washington D.C. policymakers and highlighted broad insecurities in U.S. telecommunications infrastructure.

“The Treasury Department will continue to use its authorities to hold accountable malicious cyber actors who target the American people, our companies, and the United States government, including those who have targeted the Treasury Department specifically,” Deputy Secretary of the Treasury Adewale O. Adeyemo said in a statement.

The sanctions — which will prevent U.S. persons and organizations from doing business with the sanctioned entities — will likely have little practical effect, as both Kecheng and the company are based in China.  

John Hultquist, chief analyst for Mandiant Intelligence and Google Cloud, said that while the sanctions may not have an economic effect, it’s still “important to shed a light on their operations and add as much friction as possible.”

“Espionage is not likely to go away anytime soon, but we can expose it and adapt. These actors are certainly focused on adapting to us,” Hultquist said in a statement. 

The moves represent the third set of sanctions placed on Chinese cyber actors for targeting U.S. systems and technology since Dec. 10.

On Jan. 3, the U.S. government sanctioned Integrity Technology Group, a Beijing-based cybersecurity company for providing internet infrastructure that was used by Flax Typhoon, another hacking group tied to the Chinese government suspected of targeting U.S. critical infrastructure. Sanctions were also placed Dec. 10 on Sichuan Silence Information Technology Co. Ltd., a cybersecurity company based in Chengdu, and one of its employees for developing zero-day vulnerabilities that were used to infect 81,000 firewalls around the world with malware.

The Salt Typhoon hacks have pressed members of Congress to introduce legislation and federal agencies to search for existing authorities that can compel better cybersecurity practices from U.S. telecommunications firms. The Federal Communications Commission finalized a new rule this week that would affirmatively require telecoms to secure their networks under the Communications Assistance for Law Enforcement Act, and a separate proposal that would require telecoms to annually certify to the FCC that they are implementing cybersecurity risk management plans.

In an interview with CyberScoop last month, outgoing FCC Chairwoman Jessica Rosenworcel said that minimum cybersecurity standards must be developed to better protect the “patchwork of different equipment” used by various telecoms.

“That’s how we make sure communications going forward are more secure and more reliable,” she said. “Every one of us needs that in our day-to-day life.”

While some telecoms have claimed to have purged Salt Typhoon actors from their networks, U.S. officials and the White House said last month that they may never know if the actors have been fully removed. 

Anne Neuberger, the White House’s deputy national security adviser for cyber and emerging technology, said in December the Chinese campaign “has affected dozens of countries around the world.” 

“There is a risk of ongoing compromises to communications,” Neuberger said in a press call. “Until U.S. companies address cybersecurity gaps, the Chinese are likely to maintain their access.”