Pierluigi Paganini January 04, 2025

The U.S. Treasury Department sanctioned Chinese cybersecurity firm Integrity Tech for its involvement in attacks attributed to the Flax Typhoon group.

The U.S. Treasury sanctioned a Chinese cybersecurity firm, Integrity Tech, for links to cyberattacks by China’s state-backed Flax Typhoon APT group (also called Ethereal Panda or RedJuliett).

The China-linked APT group used Integrity Tech’s infrastructure to launch cyberattacks on European and U.S. networks since the summer of 2022.

“Today, the Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned Integrity Technology Group, Incorporated (Integrity Tech), a Beijing-based cybersecurity company, for its role in multiple computer intrusion incidents against U.S. victims.” states the Treasury’s Office of Foreign Assets Control (OFAC). “These incidents have been publicly attributed to Flax Typhoon, a Chinese malicious state-sponsored cyber group that has been active since at least 2021, often targeting organizations within U.S. critical infrastructure sectors. “

Flax Typhoon is a China-linked hacking group that has been active since 2021, it targets critical infrastructure globally, exploiting vulnerabilities for persistent access.

According to OFAC, between 2022 and 2023, Flax Typhoon hacked U.S. and European entities, exploiting VPNs and RDPs, including a California-based organization’s servers.

In September 2024, cybersecurity researchers from Lumen’s Black Lotus Labs discovered a new botnet, named Raptor Train, composed of small office/home office (SOHO) and IoT devices. The experts believe the botnet is controlled by a Chine-linked APT group Flax Typhoon.

The botnet has been active since at least May 2020, reaching its peak with 60,000 compromised devices in June 2023. Since May 2020, over 200,000 devices, including SOHO routers, NVR/DVR devices, NAS servers, and IP cameras, have been compromised and added to the Raptor Train botnet, making it one of the largest China-linked IoT botnets discovered. 

In September 2024, US authorities disrupted the “Raptor Train” botnet

Now the U.S. has blocked all assets of the sanctioned entity Integrity Tech and its affiliates, prohibiting U.S. persons from transactions involving the entity without OFAC authorization. Violators risk penalties, with sanctions aimed at encouraging behavioral change rather than punishment.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Flax Typhoon)