
Treasury Department sanctions company tied to Salt Typhoon

The sanctions were in response to significant cyberattacks by Chinese nation-state threat groups against the U.S. government and critical infrastructure in recent months.

The U.S. Department of Treasury applied sanctions against an alleged Chinese threat actor and a China-based company following a series of high-profile attacks that compromised several U.S. telecommunications providers and the department itself.

The Treasury Department's Office of Foreign Assets Control (OFAC) announced on Friday sanctions against Yin Kecheng, a Shanghai-based cyber actor, and Sichuan Juxinhe Network Technology Co., a Sichuan-based cybersecurity company. The sanctions follow significant attacks attributed to the People's Republic of China (PRC) that recently affected the critical infrastructure sector.

OFAC said Sichuan Juxinhe was sanctioned for having "direct involvement" with breaches of multiple telecommunication providers, which were committed by the infamous Chinese nation-state group Salt Typhoon to spy on high-value individuals such as government leaders. Affected telecommunication providers included AT&T, Verizon, T-Mobile and Lumen Technologies. The attacks prompted CISA to issue mobile security guidance for high-profile targets.

The department also connected Sichuan Juxinhe to the PRC's Ministry of State Security (MSS). Friday's press release stressed that Salt Typhoon conducts attacks that require "costly remediation efforts." Salt Typhoon, like other Chinese nation-state groups, is known for maintaining persistent access in a victim environment and, according to OFAC, escalating attacks against U.S. critical infrastructure organizations.

Kecheng was allegedly involved with the attack against the Treasury Department last month, according to OFAC. In December, CISA and the FBI confirmed the department was breached through a compromised cloud service at BeyondTrust, a privileged access management vendor. OFAC claimed Kecheng has been a cyber actor for more than a decade and is also affiliated with the MSS.

The sanctions broadly prohibit all transactions with Kecheng and Sichuan Juxinhe by U.S. persons. The Treasury Department is also offering a reward of up to $10 million for any information regarding nation-state threat actors.

Friday's announcement came one day after the Biden administration announced a new cybersecurity executive order that, in part, made it easier for the federal government to apply sanctions to individuals and entities connected to cyber threat activity. The executive order also addressed many concerns, including software supply chain security and AI cyber defenses.

While infosec experts agreed the new sanctions expanded the definitions of what a cyberattack or cybercriminal is, they are unsure whether it will improve the threat landscape. Andrew Borene, executive director of global security at Flashpoint, told Informa TechTarget that the executive order may enhance coordination between federal agencies, but he also cited potential problems.

"Of course, what is not addressed in the order is if sanctions alone serve as an adequate deterrent to China or other rogue cyber actors, like Russia and Iran," Borene said.

Similarly, Gary Barlet, public sector CTO at Illumio, told Informa TechTarget that the sanctions could help if used against countries and possibly some businesses. However, the effect against cybercriminal groups remains to be seen.

"The sanctions most likely won't impact the individual adversary groups involved. We've seen sanctions used over the years against groups, and often this doesn't stop attacks but causes a new type of attack or group. These past examples showcase that although sanctions have some benefits, there are also drawbacks making it uncertain the true value they bring," Barlet said.

Arielle Waldman is a news writer for Informa TechTarget covering enterprise security.
