On Friday, the U.S. Department of the Treasury announced sanctions against Integrity Technology Group, a Beijing-based cybersecurity firm accused of aiding a state-sponsored hacking collective known as Flax Typhoon.
The hackers allegedly leveraged Integrity Tech’s services and infrastructure to compromise numerous American and international organizations, including targets in critical infrastructure, government agencies, and private companies.
The Treasury’s Office of Foreign Assets Control (OFAC) designated Integrity Tech according to Executive Order (E.O.) 13694, as amended, effectively blocking any of the company’s assets under U.S. jurisdiction.
The sanctions also prohibit American entities and individuals from engaging in transactions with the firm. Moreover, foreign companies that conduct business with Integrity Tech risk being penalized if their transactions involve U.S. markets or financial systems.
Acting Under Secretary of the Treasury for Terrorism and Financial Intelligence, Bradley T. Smith underscored the seriousness of the threat, remarking: “The Treasury Department will not hesitate to hold malicious cyber actors and their enablers accountable for their actions.”
He emphasized that the United States will actively use its vast legal and financial tools to disrupt and deter malicious cyber threats.
Flax Typhoon: A Persistent Cyber Threat
Flax Typhoon has been active since at least 2021. Security researchers and U.S. officials say the group is linked to the Chinese government and is known for targeting critical infrastructure both at home and abroad.
While it has reportedly struck North America, Europe, Africa, and Asia, its focus has prominently included U.S. and Taiwanese organizations.
Flax Typhoon exploits publicly known vulnerabilities to gain a foothold, then relies on legitimate remote access tools to maintain an undetected, long-term presence within victim networks.
According to U.S. authorities, the hackers used a variety of tactics to establish and expand their access. These methods included leveraging virtual private network (VPN) software and remote desktop protocols (RDP), enabling them to move laterally within compromised systems.
Between the summer of 2022 and the fall of 2023, they allegedly infiltrated multiple hosts associated with U.S. and European entities.
Treasury officials concluded that, during this same period, Flax Typhoon frequently exchanged information through infrastructure tied to Integrity Tech, effectively using the company’s resources to launch and manage its cyberattacks.
Investigators found that the firm’s infrastructure was integral to the hackers’ operations in multiple intrusions that stole data or caused other cyber disruptions.
In September 2024, in a separate but related incident, U.S. agencies took action to disrupt a botnet designed by Flax Typhoon, seizing control of key servers and effectively dismantling malicious software infecting thousands of networking devices.
Officials say the group has historically demonstrated a capacity to create and exploit large-scale botnets for Distributed Denial of Service (DDoS) attacks and other malicious activities.
National Security Implications
The sanctions come shortly after revelations that the U.S. Treasury Department itself was breached by Chinese threat actors who accessed unclassified information.
These breaches reaffirm officials’ concerns about the persistent nature of Chinese state-sponsored cyber operations against high-value government targets and critical infrastructure.
Authorities have also warned that linked groups—like Volt Typhoon—have previously infiltrated U.S. power grids and other critical systems to position themselves for potential disruptive attack.
Ultimately, the Treasury’s measures aim to send a clear message: organizations found aiding or abetting state-sponsored hacking campaigns will face swift and significant penalties.
“The ultimate goal of sanctions,” OFAC stated, “is not to punish, but to bring about a positive change in behavior”. Whether this move will deter future cyber intrusions remains to be seen, but for now, the government’s firm response underscores the seriousness with which it views ongoing threats from Chinese cyber actors.