Integrity Typhoon
Welcome to Memetic Warfare.
The story of the week is the hack of the Treasury's OFAC (Office of Foreign Assets Control) and the Office of Financial Research by, apparently, Chinese nation-state affiliated hackers.
Do we have IoCs or other information to pivot on? No, or at least not yet as of the time of publication. Will we ever get any, or will it be a Volt/Salt/Flax Typhoon scenario in which we never get any concrete information or IoCs? I'm hoping not, but that seems likely.
Check out an archived version of the Washington Post’s coverage of it here and an available, more updated article here.
OFAC is an interesting organization, to say the least, and its sanctions have led to many a blog post here at Memetic Warfare.
As an aside, OFAC sanctions are often a fantastic starting point for anyone looking to improve their investigation skills. Designations often include identifiers that are useful for pivoting in breached-data platforms, such as passport numbers, national ID numbers and so on.
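To make that pivoting concrete, here is an added example of mine (not code from the original post): it pulls the identifiers out of an SDN-style XML extract and joins them against a set of breach records on a normalized document number. The XML and the breach records are constructed sample data in the shape of OFAC's legacy SDN.XML schema (sdnEntry / idList / id); the names, numbers and "breach" rows are invented for illustration and are not real designations or real leaked data.

```python
"""Extract pivotable identifiers from an OFAC-style SDN XML extract and
join them against breach records (constructed sample data throughout)."""
import re
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the legacy SDN.XML schema; not a real
# designation. Real extracts are published by OFAC as sdn.xml.
SAMPLE_SDN_XML = """<?xml version="1.0"?>
<sdnList>
  <sdnEntry>
    <uid>10001</uid>
    <lastName>EXAMPLE</lastName>
    <firstName>Alice</firstName>
    <sdnType>Individual</sdnType>
    <programList><program>CYBER2</program></programList>
    <idList>
      <id><uid>1</uid><idType>Passport</idType><idNumber>AB 123456</idNumber><idCountry>Testland</idCountry></id>
      <id><uid>2</uid><idType>National ID No.</idType><idNumber>9900-1234-5678</idNumber><idCountry>Testland</idCountry></id>
      <id><uid>3</uid><idType>Gender</idType><idNumber>Female</idNumber></id>
    </idList>
  </sdnEntry>
  <sdnEntry>
    <uid>10002</uid>
    <lastName>EXAMPLE TECHNOLOGY CO., LTD.</lastName>
    <sdnType>Entity</sdnType>
    <programList><program>CYBER2</program></programList>
    <idList>
      <id><uid>4</uid><idType>Registration Number</idType><idNumber>91110000EXAMPLE01</idNumber><idCountry>Testland</idCountry></id>
    </idList>
  </sdnEntry>
</sdnList>
"""

# SDN id types that work as search keys in other data sets. The idList also
# carries descriptive attributes (Gender, Website, ...), which are noise for
# pivoting and are filtered out here.
PIVOTABLE_ID_TYPES = {
    "passport", "national id no.", "registration number", "tax id no.",
    "identification number", "registration id", "cedula no.", "d.u.n.s. number",
}


def normalize_id(value):
    """Drop spacing, punctuation and case so 'AB 123456' == 'ab-123456'."""
    return re.sub(r"[^0-9a-z]", "", value.lower())


def extract_pivots(xml_text):
    """Return one dict per pivotable identifier found in the extract."""
    root = ET.fromstring(xml_text)
    pivots = []
    for entry in root.iter("sdnEntry"):
        name = " ".join(filter(None, [entry.findtext("firstName"), entry.findtext("lastName")]))
        programs = [p.text for p in entry.findall("programList/program")]
        for ident in entry.findall("idList/id"):
            id_type = (ident.findtext("idType") or "").strip()
            if id_type.lower() not in PIVOTABLE_ID_TYPES:
                continue
            number = ident.findtext("idNumber") or ""
            pivots.append({
                "sdn_uid": entry.findtext("uid"),
                "name": name,
                "programs": programs,
                "id_type": id_type,
                "id_number": number,
                "id_country": ident.findtext("idCountry") or "",
                "key": normalize_id(number),
            })
    return pivots


# Constructed stand-in for rows pulled from a breached-data platform.
SAMPLE_BREACH_RECORDS = [
    {"source": "airline-2019", "field": "passport_no", "value": "ab-123456", "email": "a.example@example.test"},
    {"source": "hotel-2021", "field": "passport_no", "value": "ZZ 999999", "email": "nobody@example.test"},
    {"source": "registry-2020", "field": "company_reg", "value": "91110000example01", "email": "ops@example.test"},
]


def match_breach_records(pivots, records):
    """Join SDN identifiers against breach rows on the normalized number."""
    by_key = {}
    for p in pivots:
        by_key.setdefault(p["key"], []).append(p)
    hits = []
    for rec in records:
        for p in by_key.get(normalize_id(rec["value"]), []):
            hits.append({"name": p["name"], "id_type": p["id_type"],
                         "source": rec["source"], "email": rec["email"]})
    return hits


if __name__ == "__main__":
    found = extract_pivots(SAMPLE_SDN_XML)
    for p in found:
        print(f"{p['name']:35} {p['id_type']:20} {p['id_number']}")
    for h in match_breach_records(found, SAMPLE_BREACH_RECORDS):
        print(f"HIT {h['name']} via {h['id_type']} in {h['source']} -> {h['email']}")
```

The normalization step is the part that matters in practice: breach dumps and sanctions lists rarely format a document number the same way, so matching on the raw string misses most real overlaps.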
OFAC is also an interesting target in that it fuses unclassified (open-source) data with closed-source data from law enforcement and intelligence agencies to decide whether to designate a given individual or entity.
Apparently only unclassified workstations and data were compromised in the hack, as classified (closed-source) information is stored on a separate network. That's not to say there couldn't be useful or interesting information on the unclassified workstations.
Targeting OFAC makes a ton of sense for China.
They could be concerned about or interested in:
Upcoming sanctions on Chinese military/intelligence/cyber entities
Information related to tariffs that may be implemented in the next administration
Intelligence collection tradecraft and sanctions designation workflows
American awareness of specific Chinese entities, even if not for sanctioning
And of course general intelligence collection on a myriad of other topics.
There’s also a fair amount of potential here for Chinese IO.
With the information acquired, China could:
Create convincing forgeries
Leak data either as is or with subtle changes/forgeries inserted
Use any relevant content for their own IO (anything for example that could be embarrassing to any adversary of China, not just the US)
China doesn’t have much of a history of carrying out high-level hack and leaks (yet), but the potential exists.
This story is still developing, so I’ll keep tabs on it to see if anything noteworthy pops up.
The next piece of OFAC-related news is its sanctioning of Integrity Technology Group, a provider apparently supporting Flax Typhoon.
Integrity ran a huge botnet for Flax Typhoon, used for DDoS and other operations. They also apparently popped a "California-based entity"; I wish we had more information.
There isn't much new or interesting information about the company either, but maybe we'll see more soon.
If you’re interested in more information on Integrity, check out Natto Team’s excellent (as always) coverage of Integrity and its relations with i-Soon and other Chinese cyber actors.
We'll conclude with a quick look at two articles on topics worth diving into:
Team Cymru’s look at Virtual Offices and how they enable shell companies, and thus illicit hosting services/cybercrime, is available here - check it out!
SOCRadar’s coverage of Telegram hacktivist groups, a topic near and dear to my heart.
That’s it for this week!