Access to the sources linked in this article is available via Exovera’s exoINSIGHT platform. If you don’t have a subscription, we would be happy to provide you with a free trial account. Be sure to use exoINSIGHT’s translation option if you’d like to read the Chinese sources in English.
Chinese state-backed hackers have targeted U.S. communications infrastructure, as recently as December 2024, in preparation for potentially disruptive future cyberattacks. Exovera’s research using exoINSIGHT uncovers the hacking groups’ connections to China’s military and public and state security ministries.
- Integrity Technology Group: Analysis of cybersecurity company Integrity Technology Group, which serves as a cover for Chinese hacking group Flax Typhoon, reveals ties to China’s Ministry of Public Security and People’s Liberation Army.
- Chinese firm I-SOON: Analysis of hacking group I-SOON indicates that it is a civil-military fusion enterprise that supports China’s research and production of weapons and equipment.
Introduction
Earlier this year, U.S. intelligence officials reported that Chinese government-backed hackers had infiltrated critical U.S. infrastructure networks. The hackers are skilled at evading detection and maintaining long-term access, positioning themselves for data theft, system disruption, and even complete system compromise. Their goal, according to FBI Director Christopher Wray, is to lay the groundwork for potentially destructive cyberattacks if or when China decides to strike.
State-sponsored Chinese hacking groups Volt Typhoon and Flax Typhoon have targeted and compromised U.S. network equipment as part of a concerted effort to infiltrate U.S. critical infrastructure. The United States successfully disrupted two attacks by these groups this year. However, a third group, Salt Typhoon, breached several U.S. telecom and internet providers in October and potentially gained access to data and systems related to U.S. wiretapping activities. Salt Typhoon even targeted the phones of former President Donald Trump and Biden administration officials. The hacking groups remain a persistent threat to critical U.S. infrastructure.
Flax Typhoon
Flax Typhoon (also known as RedJuliett and Ethereal Panda) has been operating under the cover of a Beijing-based cybersecurity company, Integrity Technology Group (Integrity Tech, 永信至诚科技集团股份有限公司), since mid-2021. In September, FBI Director Wray said Flax Typhoon’s goal is to invade U.S. water treatment plants, power grids, and transportation systems by infecting a variety of consumer devices to establish a large botnet. The FBI said that the group is supported by the Chinese government.
exoINSIGHT corporate records indicate that Integrity Technology Group was registered in 2010. Its largest shareholder is the company’s chairman, Cai Jingjing (蔡晶晶). Corporate records describe Integrity Technology Group as a professional network security company that develops cybersecurity products and services for the Chinese government and enterprises. The firm offers a domestic cybersecurity education platform as well as cybersecurity training, events, and drills. In October 2023, Integrity Technology Group hosted a national cyberattack and defense competition in Shanghai to strengthen cybersecurity talent training and technological innovation in China.
Integrity Technology Group’s website states that it is a cybersecurity and data security company that provides government and commercial users with digital security testing and evaluation systems, security management products and tools, and security protection services. The company also provides security products integrating its offensive and defensive cybersecurity technology. Integrity Technology Group reports that it has provided cybercrime intelligence collection and reconnaissance services for China’s national, provincial, and municipal institutions for several years, helping to solve a large number of cybercrime cases. The company has participated in the Ministry of Public Security’s (MPS, 公安部) national cybersecurity attack and defense exercises since 2016 and won first place three years in a row.
Integrity Technology Group led a project on cloud-based parallel simulation to support network security services such as testing, drills, training, deduction, judgment, command, defense, and combat in cyberspace. The project was jointly completed with the People’s Liberation Army (PLA, 解放军), Beijing University of Posts and Communication (北京邮电大学), Zhejiang University (浙江大学), and other institutions. Utilizing its cloud platform and parallel simulation technology, the company has supported hundreds of security drills hosted by MPS, Office of the Central Cyberspace Affairs Commission (中央网络安全和信息化委员会办公室), Ministry of Industry and Information Technology (工业和信息化部), Ministry of Science and Technology (科学技术部), Ministry of Education (教育部), National Health Commission (国家卫生健康委员会), and State Taxation Administration (国家税务总局).
In September 2024, the U.S. government reported that it had disrupted a Flax Typhoon botnet made up of hundreds of thousands of internet-connected devices. U.S. officials said that the botnet was used to conduct malicious cyber activity disguised as routine internet traffic from infected consumer devices, enabling other Chinese groups to hack into networks in the United States and around the world to steal information and hold critical infrastructure at risk. Integrity Technology Group used China Unicom Beijing Province Network IP addresses to control and manage the botnet and access other operational infrastructure used in computer intrusion activities against the United States.
I-SOON
I-SOON (安洵信息技术有限公司), a private Chinese cybersecurity firm, has conducted surveillance and cyberattacks in China and around the world. Documents leaked on GitHub in February 2024 showed that some of I-SOON’s biggest customers were local and provincial-level bureaus of the PLA, MPS, and Ministry of State Security (MSS, 国家安全部).ᵃ In the leaked I-SOON contract list, 66 of the 120 contracts served various public security bureaus; 22 contracts served state security agencies; one contract served the PLA; and the remaining 31 contracts served other government agencies, research institutes, and state-owned enterprises. I-SOON also worked with Chinese universities by hosting hacking competitions and offering training courses. In the leaked documents, I-SOON appeared to pitch and sell its services to local law enforcement agencies across China, potentially to help target ethnic minorities.
According to exoINSIGHT records, I-SOON was established in 2010 in Shanghai, and its chairman Wu Haibo (吴海波) is also the company’s majority shareholder. The company has branches, subsidiaries, and offices across Sichuan, Jiangsu, Yunnan, and Zhejiang provinces, and its business scope covers 32 provinces, municipalities, and autonomous regions in China. For many years, I-SOON has provided a wide range of cybersecurity products and solutions for the government, finance, and transportation sectors. I-SOON also offers skills training courses and support for law enforcement agencies to combat data breaches and ransomware attacks, including a cyberattack and defense training platform.
I-SOON states that it aspires to become a national defense reserve force with a strong sense of political responsibility to the Chinese Communist Party. As a civil-military fusion enterprise, I-SOON was listed in the Ministry of State Security’s designated supplier directory in 2017 and selected as one of the first installation units by the Ministry of Public Security’s Cybersecurity Protection Bureau in 2019. In 2020, I-SOON obtained the military industry’s second-level confidentiality qualification for weapons and equipment research and production units.
Implications
Advanced groups of Chinese hackers have taken aim at critical U.S. infrastructure networks, including military, communications, energy, and transportation systems. The hackers’ “living off the land” technique, in which they rely on a system’s own legitimate administrative tools rather than custom malware, enables them to control a targeted system and go undetected for long periods of time because their activity blends in with normal administration. Such attacks can result in the loss of sensitive information, system disruption, and even complete system compromise. By gaining access to these critical systems, the hackers are pre-positioned to potentially wreak havoc in the event of a conflict over Taiwan, for example.
exoINSIGHT records point to Integrity Technology Group’s and I-SOON’s ties to China’s military and state security establishment. These companies and contractors play a significant role in facilitating and executing many of China’s offensive operations in the cyber domain. Although the United States has become more adept at disrupting and dismantling these groups’ attacks, the Chinese government supplies the hacker groups with the talent and technology needed to sustain their ongoing efforts to target U.S. critical infrastructure. Therefore, the United States should remain vigilant about the potential for Chinese hackers to carry out devastating attacks in the future.
ᵃ The repository was originally available at https://github.com/mttaggart/I-S00N but was disabled by GitHub.