The Biden administration on Friday imposed sanctions on the actors behind two major cyberespionage campaigns that officials say were waged on behalf of the Chinese government: a breach of major U.S. telecom firms and the hacking of the Treasury Department and its head, Secretary Janet L. Yellen.

The culprit behind the telecom intrusion is a little-known Chinese cybersecurity firm, Sichuan Juxinhe Network Technology Co. Officials have been referring to the hacking group as Salt Typhoon, a name bestowed by Microsoft, which was among the first to discover the breaches in September.

The individual hacker behind the Treasury intrusion is affiliated with China’s foreign spy agency and has long been on the radar of U.S. intelligence, officials said. Yin Kecheng carried out the breach of an American software vendor, BeyondTrust, which enabled him to then hack into sensitive Treasury offices, including the one that oversees economic sanctions, as well as access unclassified files from Yellen, they said. The hack of Yellen’s files was first reported by Bloomberg News.

“The Treasury Department will continue to use its authorities to hold accountable malicious cyber actors who target the American people, our companies, and the United States government, including those who have targeted the Treasury Department specifically,” said Deputy Secretary of the Treasury Adewale O. Adeyemo.

The designations are a final salvo by the outgoing Biden administration at the Chinese government’s audacious cyberspying operations into federal agencies and U.S. critical infrastructure. The designation in the Salt Typhoon instance followed weeks of debate over whether doing so would disrupt the intelligence community’s ability to monitor the hackers and gain more insights into their tactics and targets.

In the end, officials from the White House, State Department and Treasury won out. Officials say they do not expect that imposing sanctions will stop China’s spying. But costs can be imposed.

“We’ve got to make it harder for them,” said one official, who spoke on the condition of anonymity to describe internal deliberations. “It exposes China’s use of companies, some of which they call cybersecurity companies, some of which are commercial businesses that seek to attract top-notch security researchers. And by designating them you expose these companies, and you make it harder for the Chinese government to tap into private-sector Chinese talent.”

The intrusions into at least nine telecom companies, including giants AT&T and Verizon, alarmed U.S. and industry officials and have prompted some to call for more robust cybersecurity regulation.

The Salt Typhoon hacking group has been active since at least 2019 and has been responsible for numerous compromises of U.S. companies in the communication sector, Treasury said in a statement. Its recent telecom hack marks “a dramatic escalation in the Chinese cyber operations against U.S. critical infrastructure targets,” the department said.

The designations are based on a new executive order issued by the White House that makes it easier for Treasury to impose sanctions on non-state actors carrying out malicious cyber operations on behalf of governments.

Unlike other firms the U.S. government has designated for involvement in recent large-scale Chinese hacking operations, such as Beijing Integrity, the Shanghai-listed company linked to the Flax Typhoon attacks, Sichuan Juxinhe Network Technology has virtually no public footprint.

Chinese business records show it is a small, private firm with registered capital of about $300,000, founded in 2014 in Sichuan province. In 2021, the company established a branch in Chengdu’s High-Tech Zone, a government-designated hub for innovation in western China.

Local government records show it received a small amount of government employment subsidies linked to its work in the zone. Analysts say it’s not unusual for small firms and individuals to play a role in larger state hacks for entities such as China’s Ministry of State Security, its foreign spy service.

Treasury said the MSS maintains “strong ties” with multiple contractors, including Sichuan Juxinhe.

“We know through indictments that MSS tends to hire contractors to conduct operations,” said Dakota Cary, nonresident fellow at the Atlantic Council’s Global China Hub, who said Beijing’s criteria for how such companies are chosen for cyberespionage remain unclear.

“As long as they can demonstrate that they’re capable of carrying out whatever operation they’re being asked to do, they would likely just get the approval to do so,” he said.

Beijing has harnessed its growing private cybersecurity sector to support state-backed hacking efforts. A 2021 law requires private firms to report all discovered vulnerabilities found in software or online networks to authorities within 48 hours. Microsoft called this rule change “a major step in the use of zero-day exploits as a state priority.”

A February 2024 leak of documents from Shanghai cyber firm Anxun, also known as iSoon, revealed how small Chinese firms are drawn into state-backed espionage and hacking work. The messages showed that authorities not only requested specific hacked data but also shared known vulnerabilities with the private contractors that work with them.

In the United States, government hacking operations are not outsourced to contractors, officials and former officials say. The Chinese government’s willingness to use a contractor to go after critical civilian targets such as American telecom firms reflects a desire to “prioritize achieving objectives at any cost” and “a willingness to blur the lines between state and private companies, amplifying the risks of miscalculation and global backlash,” said another U.S. official, speaking on the condition of anonymity because they were not authorized to discuss the matter.

In the Treasury hack, the department was notified last month by BeyondTrust that a hacker had gained access to a key used to secure a cloud-based service the vendor uses to provide remote technical support. With that key, the intruder was able to override the service’s security controls, remotely access department workstations and read unclassified documents stored on them.

Jeffrey Stein contributed to this report.
