{
	"id": "879b7d60-2b44-493a-9d1b-159b07cb8eeb",
	"created_at": "2026-04-06T00:13:09.866672Z",
	"updated_at": "2026-04-10T13:13:08.985271Z",
	"deleted_at": null,
	"sha1_hash": "689943b5bfe46cd6760ab71ba49903b98e886278",
	"title": "Treasury Sanctions Company Associated with Salt Typhoon and Hacker Associated with Treasury Compromise",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 46137,
	"plain_text": "Treasury Sanctions Company Associated with Salt Typhoon and\r\nHacker Associated with Treasury Compromise\r\nPublished: 2026-02-13 · Archived: 2026-04-05 19:24:26 UTC\r\nWASHINGTON — Today, the Department of the Treasury’s Office of Foreign Assets Control (OFAC) is\r\nsanctioning Yin Kecheng, a Shanghai-based cyber actor who was involved with the recent Department of the\r\nTreasury network compromise. Additionally, OFAC is sanctioning Sichuan Juxinhe Network Technology Co.,\r\nLTD., a Sichuan-based cybersecurity company with direct involvement in the Salt Typhoon cyber group, which\r\nrecently compromised the network infrastructure of multiple major U.S. telecommunication and internet service\r\nprovider companies. People’s Republic of China-linked (PRC) malicious cyber actors continue to target U.S.\r\ngovernment systems, including the recent targeting of Treasury’s information technology (IT) systems, as well as\r\nsensitive U.S. critical infrastructure. As highlighted in the most recent Office of the Director of National\r\nIntelligence Annual Threat Assessment, Chinese state-backed cyber actors continue to present some of the greatest\r\nand most persistent threats to U.S. national security.\r\n“The Treasury Department will continue to use its authorities to hold accountable malicious cyber actors who\r\ntarget the American people, our companies, and the United States government, including those who have targeted\r\nthe Treasury Department specifically,” said Deputy Secretary of the Treasury Adewale O. Adeyemo.\r\nThis designation follows a series of recent Treasury sanctions actions aimed at combatting increasingly reckless\r\ncyber activity by the PRC and PRC-based actors, including the January 3, 2025 designation of Integrity\r\nTechnology Group, Inc. for its role in Flax Typhoon malicious cyber activity, the December 10, 2024 designation\r\nof Sichuan Silence Information Technology Company, Ltd. 
and one of its employees for dangerous firewall\r\ncompromises, and the March 25, 2024 designation of Wuhan Xiaoruizhi Science and Technology Company, Ltd.\r\nand two of its employees as Advanced Persistent Threat (APT) 31 malicious cyber actors. These all represent\r\ndangerous cyber activities directed at the United States, its partners, and allies.\r\nThe U.S. Department of State’s Rewards for Justice program is offering a reward of up to $10 million for\r\ninformation leading to the identification or location of any person who, while acting at the direction or under the\r\ncontrol of a foreign government, engages in certain malicious cyber activities against U.S. critical infrastructure in\r\nviolation of the Computer Fraud and Abuse Act. More information about this reward offer is located on the\r\nRewards for Justice website.\r\nChinese Malicious Cyber Actor Yin Kecheng\r\nYin Kecheng has been a cyber actor for over a decade and is affiliated with the People’s Republic of China\r\nMinistry of State Security (MSS). Yin Kecheng was associated with the recent compromise of the Department of\r\nthe Treasury’s Departmental Offices network.\r\nOFAC is designating Yin Kecheng pursuant to Executive Order (E.O.) 
13694, as further amended by the new E.O.\r\non Strengthening and Promoting Innovation in the Nation’s Cybersecurity, for being responsible for or complicit\r\nhttps://home.treasury.gov/news/press-releases/jy2792\r\nPage 1 of 3\n\nin, or having engaged in, directly or indirectly, activities related to gaining or attempting to gain unauthorized\r\naccess to a computer or network of computers of a United States person, the United States, a United States ally or\r\npartner or a citizen, national, or entity organized under the laws thereof, where such efforts originate from or are\r\ndirected by persons located, in whole or substantial part, outside the United States and are reasonably likely to\r\nresult in, or have materially contributed to, a significant threat to the national security, foreign policy, or economic\r\nhealth or financial stability of the United States.\r\nChinese Malicious Cyber Group Salt Typhoon\r\nSalt Typhoon has been active since at least 2019 and has been responsible for numerous compromises of U.S.\r\ncompanies in the communication sector. Recently, Salt Typhoon compromised the network infrastructure of\r\nmultiple major U.S. telecommunication and internet service provider companies, marking a dramatic escalation in\r\nthe Chinese cyber operations against U.S. critical infrastructure targets. The Salt Typhoon intrusions are one\r\nexample of an increasing number of PRC state-backed malicious cyber activities, which necessitate costly\r\nremediation efforts.   \r\nSichuan Juxinhe Network Technology Co., LTD. (Sichuan Juxinhe) had direct involvement in the exploitation\r\nof these U.S. telecommunication and internet service provider companies. The MSS has maintained strong ties\r\nwith multiple computer network exploitation companies, including Sichuan Juxinhe. \r\nOFAC is designating Sichuan Juxinhe pursuant to E.O. 13694, as further amended by the new E.O. 
on\r\nStrengthening and Promoting Innovation in the Nation’s Cybersecurity, for being responsible for or complicit in,\r\nor having engaged in, directly or indirectly, cyber-enabled activities originating from, or directed by persons\r\nlocated, in whole or in substantial part, outside the United States that are reasonably likely to result in, or have\r\nmaterially contributed to, a threat to the national security, foreign policy, or economic health or financial stability\r\nof the United States and that have the purpose or effect of harming, or otherwise compromising the provision of\r\nservices by, a computer or network of computers that support one or more entities in a critical infrastructure sector.\r\nSANCTIONS IMPLICATIONS\r\nAs a result of today’s action, all property and interests in property of the designated persons described above that\r\nare in the United States or in the possession or control of U.S. persons are blocked and must be reported to OFAC.\r\nIn addition, any entities that are owned, directly or indirectly, individually or in the aggregate, 50 percent or more\r\nby one or more blocked persons are also blocked. Unless authorized by a general or specific license issued by\r\nOFAC or exempt, U.S. sanctions generally prohibit all transactions by U.S. persons or within (or transiting) the\r\nUnited States that involve any property or interests in property of designated or otherwise blocked persons.\r\nViolations of U.S. sanctions may result in the imposition of civil or criminal penalties on U.S. and foreign persons.\r\nOFAC may impose civil penalties for sanctions violations on a strict liability basis. OFAC’s Economic Sanctions\r\nEnforcement Guidelines provide more information regarding OFAC’s enforcement of U.S. economic sanctions. In\r\naddition, financial institutions and other persons may risk exposure to sanctions for engaging in certain\r\ntransactions or activities with designated or otherwise blocked persons.  
\r\nThe power and integrity of OFAC sanctions derive not only from OFAC’s ability to designate and add persons to\r\nthe Specially Designated Nationals and Blocked Persons (SDN) List, but also from its willingness to remove\r\nhttps://home.treasury.gov/news/press-releases/jy2792\r\nPage 2 of 3\n\npersons from the SDN List consistent with the law. The ultimate goal of sanctions is not to punish, but to bring\r\nabout a positive change in behavior. For information concerning the process for seeking removal from an OFAC\r\nlist, including the SDN List, please refer to OFAC’s Frequently Asked Question 897 here. For detailed information\r\non the process to submit a request for removal from an OFAC sanctions list, please click here.\r\nClick here for more information on the individuals and entities designated today.\r\n###\r\nSource: https://home.treasury.gov/news/press-releases/jy2792\r\nhttps://home.treasury.gov/news/press-releases/jy2792\r\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://home.treasury.gov/news/press-releases/jy2792"
	],
	"report_names": [
		"jy2792"
	],
	"threat_actors": [
		{
			"id": "42a6a29d-6b98-4fd6-a742-a45a0306c7b0",
			"created_at": "2022-10-25T15:50:23.710403Z",
			"updated_at": "2026-04-10T02:00:05.281246Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"Whisper Spider"
			],
			"source_name": "MITRE:Silence",
			"tools": [
				"Winexe",
				"SDelete"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "09031838-56db-4676-a2b2-4bc50d8b7b0b",
			"created_at": "2024-01-23T13:22:35.078612Z",
			"updated_at": "2026-04-10T02:00:03.519282Z",
			"deleted_at": null,
			"main_name": "Flax Typhoon",
			"aliases": [
				"Ethereal Panda",
				"Storm-0919"
			],
			"source_name": "MISPGALAXY:Flax Typhoon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f0eca237-f191-448f-87d1-5d6b3651cbff",
			"created_at": "2024-02-06T02:00:04.140087Z",
			"updated_at": "2026-04-10T02:00:03.577326Z",
			"deleted_at": null,
			"main_name": "GhostEmperor",
			"aliases": [
				"OPERATOR PANDA",
				"FamousSparrow",
				"UNC2286",
				"Salt Typhoon",
				"RedMike"
			],
			"source_name": "MISPGALAXY:GhostEmperor",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "86c7abc2-1b71-4665-b9e3-1594d6d15a4a",
			"created_at": "2023-09-07T02:02:47.367254Z",
			"updated_at": "2026-04-10T02:00:04.698935Z",
			"deleted_at": null,
			"main_name": "Flax Typhoon",
			"aliases": [
				"Ethereal Panda",
				"RedJuliett"
			],
			"source_name": "ETDA:Flax Typhoon",
			"tools": [
				"BadPotato",
				"CHINACHOPPER",
				"China Chopper",
				"JuicyPotato",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Metasploit",
				"Mimikatz",
				"SinoChopper",
				"SoftEther VPN"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d390d62a-6e11-46e5-a16f-a88898a8e6ff",
			"created_at": "2024-12-28T02:01:54.899899Z",
			"updated_at": "2026-04-10T02:00:04.880446Z",
			"deleted_at": null,
			"main_name": "Salt Typhoon",
			"aliases": [
				"Earth Estries",
				"FamousSparrow",
				"GhostEmperor",
				"Operator Panda",
				"RedMike",
				"Salt Typhoon",
				"UNC2286"
			],
			"source_name": "ETDA:Salt Typhoon",
			"tools": [
				"Agentemis",
				"Backdr-NQ",
				"Cobalt Strike",
				"CobaltStrike",
				"Crowdoor",
				"Cryptmerlin",
				"Deed RAT",
				"Demodex",
				"FamousSparrow",
				"FuxosDoor",
				"GHOSTSPIDER",
				"HemiGate",
				"MASOL RAT",
				"Mimikatz",
				"NBTscan",
				"NinjaCopy",
				"ProcDump",
				"PsExec",
				"PsList",
				"SnappyBee",
				"SparrowDoor",
				"TrillClient",
				"WinRAR",
				"Zingdoor",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "eb5915d6-49a0-464d-9e4e-e1e2d3d31bc7",
			"created_at": "2025-03-29T02:05:20.764715Z",
			"updated_at": "2026-04-10T02:00:03.851829Z",
			"deleted_at": null,
			"main_name": "GOLD WYMAN",
			"aliases": [
				"Silence "
			],
			"source_name": "Secureworks:GOLD WYMAN",
			"tools": [
				"Silence"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "fcff864b-9255-49cf-9d9b-2b9cb2ad7cff",
			"created_at": "2025-04-23T02:00:55.190165Z",
			"updated_at": "2026-04-10T02:00:05.361244Z",
			"deleted_at": null,
			"main_name": "Salt Typhoon",
			"aliases": [
				"Salt Typhoon"
			],
			"source_name": "MITRE:Salt Typhoon",
			"tools": [
				"JumbledPath"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ea4726a4-3b7c-45db-a579-2abd4986941c",
			"created_at": "2025-11-01T02:04:53.002048Z",
			"updated_at": "2026-04-10T02:00:03.764362Z",
			"deleted_at": null,
			"main_name": "BRONZE FLAXEN",
			"aliases": [
				"Ethereal Panda ",
				"Flax Typhoon "
			],
			"source_name": "Secureworks:BRONZE FLAXEN",
			"tools": [
				"Bad Potato",
				"Juicy Potato",
				"Metasploit",
				"Mimikatz",
				"SoftEther VPN"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6477a057-a76b-4b60-9135-b21ee075ca40",
			"created_at": "2025-11-01T02:04:53.060656Z",
			"updated_at": "2026-04-10T02:00:03.845594Z",
			"deleted_at": null,
			"main_name": "BRONZE TIGER",
			"aliases": [
				"Earth Estries ",
				"Famous Sparrow ",
				"Ghost Emperor ",
				"RedMike ",
				"Salt Typhoon "
			],
			"source_name": "Secureworks:BRONZE TIGER",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "88e53203-891a-46f8-9ced-81d874a271c4",
			"created_at": "2022-10-25T16:07:24.191982Z",
			"updated_at": "2026-04-10T02:00:04.895327Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"ATK 86",
				"Contract Crew",
				"G0091",
				"TAG-CR8",
				"TEMP.TruthTeller",
				"Whisper Spider"
			],
			"source_name": "ETDA:Silence",
			"tools": [
				"EDA",
				"EmpireDNSAgent",
				"Farse",
				"Ivoke",
				"Kikothac",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Meterpreter",
				"ProxyBot",
				"ReconModule",
				"Silence.Downloader",
				"TiniMet",
				"TinyMet",
				"TrueBot",
				"xfs-disp.exe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "dc7ee503-9494-4fb6-a678-440c68fd31d8",
			"created_at": "2022-10-25T16:07:23.349177Z",
			"updated_at": "2026-04-10T02:00:04.552639Z",
			"deleted_at": null,
			"main_name": "APT 31",
			"aliases": [
				"APT 31",
				"Bronze Vinewood",
				"G0128",
				"Judgment Panda",
				"Red Keres",
				"RedBravo",
				"TA412",
				"Violet Typhoon",
				"Zirconium"
			],
			"source_name": "ETDA:APT 31",
			"tools": [
				"9002 RAT",
				"Agent.dhwf",
				"AngryRebel",
				"CHINACHOPPER",
				"China Chopper",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"GrewApacha",
				"HOMEUNIX",
				"HiKit",
				"HidraQ",
				"Homux",
				"Hydraq",
				"Kaba",
				"Korplug",
				"McRAT",
				"MdmBot",
				"Moudour",
				"Mydoor",
				"PCRat",
				"PlugX",
				"RedDelta",
				"Roarur",
				"Sakula",
				"Sakula RAT",
				"Sakurel",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trochilus RAT",
				"Xamtrav"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434389,
	"ts_updated_at": 1775826788,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/689943b5bfe46cd6760ab71ba49903b98e886278.pdf",
		"text": "https://archive.orkl.eu/689943b5bfe46cd6760ab71ba49903b98e886278.txt",
		"img": "https://archive.orkl.eu/689943b5bfe46cd6760ab71ba49903b98e886278.jpg"
	}
}