Company listed on Shanghai stock exchange accused of aiding Chinese cyberattacks


The U.S. has accused a company listed on the Shanghai stock exchange of being directly involved in China’s state-sponsored hacking activities.

Integrity Technology Group (Integrity Tech), also known as Yongxin Zhicheng, is a cybersecurity business named on Wednesday morning by FBI Director Christopher Wray as responsible for running a botnet associated with the hacking group tracked as Flax Typhoon.

A joint cybersecurity advisory, published following Wray’s statements at the Aspen Cyber Summit, accused the company of compromising hundreds of thousands of internet of things (IoT) devices dating back to 2021 — with a MySQL database for controlling the botnet containing over 1.2 million records of compromised devices.

According to the advisory, Integrity Tech’s botnet had infected more than 260,000 machines as of June. The botnet was also observed being controlled from the same IP addresses that were used in other incidents to access “operational infrastructure employed in computer intrusion activities against U.S. victims.”

The FBI stated it had engaged with several of these victims and assessed that the compromises were consistent with the tactics, techniques and infrastructure associated with Flax Typhoon, a threat group previously observed conducting espionage against organizations in Taiwan.

Wray described Flax Typhoon as targeting “everyone from corporations and media organizations to universities and government agencies,” adding that about half of the hijacked devices in its botnet were located in the United States.

Eugenio Benincasa, a senior cyberdefense researcher at the Center for Security Studies at ETH Zurich, told Recorded Future News that the Beijing-based cybersecurity company was already known to be affiliated with China’s intelligence agencies.

In particular, Integrity Tech is one of the organizers of the Matrix Cup, a Chinese hacking competition that plays a major role in the country’s talent identification and development ecosystem.

In research co-authored with Natto Thoughts and published earlier this year, Benincasa detailed how the Matrix Cup works to cultivate domestic hacking talent and expand the access of China’s intelligence agencies to critical vulnerabilities.

According to a report by researcher Dakota Cary, published by the Center for Security and Emerging Technology at Georgetown University, Integrity Tech is also the leading firm developing China’s cyber ranges, another critical part of the country’s talent development pipeline, and has been praised in the Ministry of State Security’s magazine.

“That this company, which is at the base of this ecosystem, is at the same time engaged in state-sponsored activities, I think is very telling,” said Benincasa.

The allegation is the latest regarding the involvement of Chinese commercial entities in the country’s state-sponsored hacking activities, following a 2017 indictment that named Boyusec.

However, the alleged involvement of a company the size of Integrity Tech is unprecedented. Its listing on the Shanghai stock exchange states it has a market capitalization of around $318 million and revenues of roughly $56 million.

The company’s official documents describe it as selling legitimate network security products — although apparently exclusively to Chinese customers — and employing 498 staff as of the end of 2023, almost half of whom work in its technology section.


Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.
