
Feds Sanction Chinese Firm for Helping 'Flax Typhoon' Hackers

The Treasury Department says Integrity Tech operated Flax Typhoon's botnet—a network of at least 260,000 compromised devices that helped the attackers hide their identities.

January 3, 2025

The US Treasury Department has sanctioned Chinese firm Integrity Technology Group for allegedly supporting the Chinese hacker group "Flax Typhoon."

"Between summer 2022 and fall 2023, Flax Typhoon actors used infrastructure tied to Integrity Tech during their computer network exploitation activities against multiple victims. During that time, Flax Typhoon routinely sent and received information from Integrity Tech infrastructure," the Treasury Department says.

The sanctions mean that any US companies or people with ties to Integrity Tech are expected to report any assets or dealings to the Treasury Department's Office of Foreign Assets Control (OFAC). Financial intermediaries are also expected to stop doing business with or for the firm.

US authorities believe Flax Typhoon has operated since at least 2021 and has pursued a range of global targets, including US entities. The group often attacks critical infrastructure and previously breached "multiple servers and workstations" at an "entity" in California, Treasury said without elaborating. Group affiliates typically use VPN software and remote-access software to gain and retain access to breached systems. In 2023, Microsoft said Flax Typhoon had targeted Taiwan organizations for Chinese espionage purposes.

In September, international authorities—including those in the US, Canada, and Australia—co-published an 18-page report detailing how Chinese state-affiliated cybercriminals are attacking routers and devices abroad using botnets to deploy malware or conduct DDoS attacks. They found that Integrity Tech operated Flax Typhoon's botnet—a network of what may be at least 260,000 compromised devices that helped the attackers hide their identities.

"Integrity Tech has used China Unicom Beijing Province Network IP addresses to control and manage the botnet described in this advisory," the report on the firm's ties to Flax Typhoon reads, adding: "FBI has engaged with multiple US victims of these computer intrusions and found activity consistent with the tactics, techniques, and infrastructure associated with the cyber threat group known publicly as Flax Typhoon, RedJuliett, and Ethereal Panda."

These sanctions come just days after Chinese hackers reportedly breached computers belonging to OFAC, which itself establishes sanctions, and viewed unclassified documents. The Treasury did not specify whether it believes Flax Typhoon or a different hacker group conducted that attack. (The New York Times reports that one of China's intelligence agencies conducted the breach. It also said this attack was to gain intel, not to brick OFAC computer systems.)

A different Chinese hacker group, Salt Typhoon, has been blamed for breaching at least nine different US telecommunications firms, including AT&T and Verizon, by using existing software flaws. On Monday, those two wireless giants both said they no longer detected any Salt Typhoon presence on their networks.


About Kate Irwin

Reporter

I’m a reporter for PCMag covering tech news early in the morning. Prior to joining PCMag, I was a producer and reporter at Decrypt and launched its gaming vertical, GG. I have previously written for Input, Game Rant, Dot Esports, and other places, covering a range of gaming, tech, crypto, and entertainment news.
