US sanctions hacker and company allegedly behind Treasury and telecom breaches
2025-1-17 17:45:49 Author: therecord.media

The China-based hackers allegedly responsible for breaches of the Treasury Department and at least nine telecommunications companies have been sanctioned by the U.S. government following new revelations about both campaigns.

The Treasury’s Office of Foreign Assets Control (OFAC) sanctioned Yin Kecheng — “a Shanghai-based cyber actor” allegedly involved in the attack on the Treasury Department — as well as Chinese cybersecurity firm Sichuan Juxinhe Network Technology.

The office also singled out Sichuan Juxinhe Network Technology, saying it had “direct involvement in the Salt Typhoon cyber group” responsible for the breach of telecommunication companies and internet service providers. 

The sanctions come after Bloomberg News reported on Thursday evening that the hackers behind the Treasury cyberattack accessed computers used by Secretary Janet Yellen, Deputy Secretary Adewale Adeyemo and acting Undersecretary Brad Smith. 

At least 50 files on Yellen’s computer were accessed as well as data on sanctions, the report said, but the hackers were not able to break into the department’s email system or classified documents. 

In total, investigators believe 400 laptop and desktop machines were breached, allowing access to employee usernames and passwords as well as more than 3,000 files on unclassified personal devices, according to a Treasury report seen by Bloomberg. 

On Friday, Treasury officials said Kecheng is affiliated with the PRC’s Ministry of State Security (MSS) and has been a hacker for more than a decade. The U.S. State Department is offering a reward of $10 million for information on his whereabouts. 

He was sanctioned as part of a new authority handed down this week through an executive order that has expanded the federal government’s ability to financially penalize a wider array of cyber actors and companies. 

Adeyemo wrote an op-ed in Bloomberg on Friday saying Kecheng breached Treasury computers “through a third-party service provider despite the hundreds of millions of dollars invested in security after the Solar Winds cyberattack in 2020.”

Adeyemo outlined several initiatives the department has kickstarted in an effort to better protect its own systems as well as those used by the broader financial industry. 

“The department is coordinating across government, working closely with US Cyber Command and other federal agencies to better target global cyberthreats. Illicit actors should know that the US will find them, expose their schemes, and dismantle their operations if they target our financial system,” he said. 

He urged Congress to give the Treasury Department broader oversight powers of third-party providers to the financial sector, arguing that they “are often not held to the same standards banks must meet, leaving the system vulnerable to attacks like the one Treasury recently faced.”

The op-ed also calls for legislation protecting cyberthreat information shared by financial institutions with the government from disclosure, arguing that the protection is needed “in order to ensure adversaries don’t have blueprints for future attacks.” 

Salt Typhoon sanctions

The Treasury Department said Sichuan Juxinhe Network Technology has had “direct involvement in the exploitation” of telecommunications companies and has “maintained strong ties” with the Ministry of State Security. 

“People’s Republic of China-linked (PRC) malicious cyber actors continue to target U.S. government systems, including the recent targeting of Treasury’s information technology (IT) systems, as well as sensitive U.S. critical infrastructure,” the Treasury Department said in announcing the sanctions. 

The Salt Typhoon campaign — named by researchers at Microsoft — has roiled all levels of the U.S. government as investigators continue to look into the deep access Chinese hackers had into phone data. 

President-elect Donald Trump, his running mate and several members of Vice President Kamala Harris’ entourage had phone information and call data accessed as part of the Salt Typhoon campaign.

The Treasury Department said Salt Typhoon has compromised “numerous” U.S. companies in the communication sector since 2019 but the most recent campaign against multiple major U.S. telecommunication and internet service provider companies marks “a dramatic escalation in the Chinese cyber operations against U.S. critical infrastructure targets.”

The Federal Communications Commission (FCC) this week reaffirmed rules that require telecommunications carriers to secure their networks from unlawful access or interception of communications. 

The FCC also proposed a new rule requiring communications service providers to submit an annual certification to the FCC attesting that they have created, updated, and implemented a cybersecurity risk management plan, which would strengthen communications against future cyberattacks.

“Today, in light of the vulnerabilities exposed by Salt Typhoon, we need to take action to secure our networks. Our existing rules are not modern,” said FCC Chairwoman Jessica Rosenworcel.

“It is time we update them to reflect current threats so that we have a fighting chance to ensure that state-sponsored cyberattacks do not succeed.”

The Treasury Department noted that the recent actions come after several sanctions of Chinese companies and government-affiliated actors related to hacking campaigns. 

Over the past year, the Treasury Department sanctioned prominent Chinese cybersecurity firm Sichuan Silence Information Technology, Integrity Technology Group and Wuhan Xiaoruizhi Science and Technology for their role in assisting the Chinese government in various cyber campaigns against U.S. government agencies and companies. 


Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.


Source: https://therecord.media/treasury-sanctions-alleged-salt-typhoon-hacker-company