Flax Typhoon-Linked Company Integrity Technology: a Competitor, Business Partner and Client of i-SOON

On September 18, 2024, US and allied government agencies released a Joint Cyber Security Advisory (joint advisory) announcing the exposure and takedown of a China-linked botnet that had used thousands of compromised routers and Internet of Things (IoT) devices for malicious cyber activity. The joint advisory stated that a Chinese information security company, Integrity Technology Group (Integrity Tech) “has controlled and managed a botnet active since mid-2021….As of June 2024, the botnet consisted of over 260,000 devices,” with victim devices observed in North America, South America, Europe, Africa, Southeast Asia and Australia. The attribution section of the joint advisory stated that Integrity Technology has “links to the PRC government” and that the intrusions and activity linked to the botnet are “consistent with the tactics, techniques, and infrastructure associated with the cyber threat group known publicly as Flax Typhoon, RedJuliett, and Ethereal Panda.” In an unsealed US search and seizure warrant about the botnet case, an FBI cyber investigator assessed that “Integrity Technology Group is….responsible, at least in part, for the computer intrusion activities collectively attributed to Flax Typhoon.”

So, Integrity Tech is one of the companies behind Flax Typhoon! The quick and clear attribution in the joint advisory is unsurprising but thought-provoking. This was the second time in 2024 that the US Department of Justice (US DoJ) led the disruption of a botnet used by Chinese threat actors. The first time, in January 2024, the US DoJ disrupted the Chinese threat group Volt Typhoon’s botnet. As of this writing, it has not attributed Volt Typhoon to a specific real-world entity beyond saying it is sponsored by the Chinese government.

A US search and seizure warrant issued September 9 2024 states, “Flax Typhoon and the MIRAI-based botnet are associated with Integrity Technology Group.” Source: US Department of Justice

Subscribe now

Integrity Tech: That Company Name Sounds Familiar… in the i-SOON Leaks

Integrity Technology Group, (a.k.a Yongxin Zhicheng; in Chinese北京永信至诚科技有限公司), established in 2010, became a public company listed on the Shanghai Stock exchange in 2022. It claims to have received a “national-level ‘small giant’ company” award;1 to have “achieved specialization, refinement, distinctive growth, strong innovation ability and high quality and efficiency;” and to be “a leader in cyber security testing and evaluation, cyber range and talent development,” according to the company’s webpage. The company’s core business is the cyber range series of products. Cyber ranges, according to the US National Institute of Standards and Technology (NIST), “are interactive and simulated platforms that replicate networks, systems, tools, and applications.” (For more on Integrity Tech’s position as one of China’s cyber range vendors, see this research by researcher Dakota Cary.) With close to 500 employees, Integrity Tech has a market capitalization of around US$331 million, and revenues of roughly $56 million in 2023, according to Google Finance. In the first half of 2024, the company’s net profit increased 18.48 percent compared to the same period last year. However, that net profit was still negative by about US$2.6 million, according to its recent financial report. Integrity Technology was still in the red.

Statistics aside, the Natto Team’s own research found something striking but not surprising. In the famous leak of data from Chinese information security company i-SOON – a company that the Natto Team was among the first to identify publicly as linked with Chinese state threat group APT-41 – Integrity Tech’s Chinese-language company short name “永信” (“yongxin”) appeared at least 34 times.2 The i-SOON leaks distinctly indicate that Integrity Tech is one of  i-SOON’s major competitors, particularly in the market for cyber range platforms and in the mysterious business known as “TZ,” which the Natto Team identified as the business of network investigation/reconnaissance products. At the same time, Integrity Tech is also a client of i-SOON, purchasing some i-SOON products. Finally, Integrity Tech is a business partner of i-SOON; the two companies have worked together on government contracts. The intertwined relationship between Integrity Tech and i-SOON further illustrates the intricate network of Chinese information security companies whose everyday business includes participating in state-sponsored hacking activities.

Integrity Tech as i-SOON’s Competitor

In the leaked i-SOON communications, Integrity Tech’s name appeared most often in the chat between i-SOON’s CEO Wu Haibo, aka shutdown or shutd0wn, and the company’s chief operations officer, lengmo. On several occasions, Shutdown and lengmo discussed how to compete with Integrity Tech. In October 2020, Shutdown assessed that Integrity Tech was one of i-SOON’s top three competitors in the “TZ” market.

When Shutdown discussed Integrity Tech’s cyber range platform in August 2020, Shutdown said that “cyber range is the big trend now.” Comparing i-SOON’s offerings with those of Integrity Tech, Shutdown commented that i-SOON’s cyber range platform had better case scenarios, but Integrity Tech’s was better in user interface and platform functions. Shutdown expressed satisfaction that a new deputy director of the Chengdu Municipal Public Security Bureau recommended i-SOON to provide its cyber range platform to Chengdu University of Information Technology (CUIT) for the cost of around US$853,000. Previously CUIT was considering using Integrity Tech’s cyber range platform. Shutdown told lengmo if the CUIT project went well, i-SOON should market its cyber range platform to other universities. “It looks like we are f*cking competing with Integrity Tech directly now,” Shutdown boasted. When Shutdown learned that Integrity Tech received 200 million yuan (US$28.4 million) in financing from a state-owned investment fund, Shutdown showed a little jealousy and wished i-SOON could be valued higher than it was. However, Shutdown proudly said, “we have taken a lot of business from Integrity Security in terms of business with the Public Security Bureaus at all levels. … They almost gave up that part of the market.”

Integrity Tech as i-SOON’s Business Partner

Integrity Tech and i-SOON appear to have worked on several government projects together. In one case, Shutdown told lengmo that an official of the Ministry of Public Security requested a dinner meeting with the CEO’s of i-SOON and Integrity Tech to discuss a cyber training business. Shutdown joked that Integrity Tech seemed to have been designated to pay for dinners with ministry level officials, so “we can save a little. In fact, nobody remembers or appreciates when we even pay for this kind of dinner party.” In another case, Integrity Tech and i-SOON partnered to organize a Capture the Flag competition to train Public Security Bureau officers.

Integrity Tech as i-SOON’s Client

The leaked i-SOON documents suggest that Integrity Tech was a client of i-SOON and purchased at least two products from i-SOON. i-SOON’s contract sheet listed that Integrity Tech purchased the company’s “Windows Forensic System” with 1 year of technical support services. In a chat conversation between Shutdown and lengmo, Shutdown said Integrity Tech would like i-SOON to provide its “Twitter Forensics Control Platform” to them because “we are the only company who has this product. Integrity Tech must have been looking elsewhere, but they couldn’t find it.”

Share

Integrity Tech, a Company with an Unconventional Genius Founder

Various Chinese media depicted Cai Jingjing, the founder of Integrity Tech as a legendary honker (red hacker) and hacking prodigy. Cai, only a high school graduate, made his fame by winning various hacking competitions in the late 1990s and early 2000s. One popular Cai’s biography article named Cai as “the Godfather of Hacking” and his company Integrity Tech as “the Godfather of Hacking’s cyber ranges”. A radio interview said Cai could boast of three “firsts”: the first person in China who discovered Microsoft’s high-risk vulnerabilities; the first millennial to be awarded “National Distinguished Engineer;” and the youngest chairman of a publicly traded company in China’s cyber security industry. Another article reported that he was a patriot too. At the age of 19 Cai refused a high-salary job offer from Microsoft. Instead he joined Venustech Group because the head of Venustech told Cai “We need you to join us in protecting our nation's cybersecurity.” Venustech Group is currently controlled by state-owned enterprise China Mobile and focused on serving Chinese government clients. After 20 years, Cai “is still a ‘white hat hacker’ with patriotic sentiments” and built Integrity Tech to become “the ‘leading goose’ of cyber ranges in China,” the article stated.

After working 13 years for Venustech Group, Cai Jingjing founded Integrity Tech with his colleague Chen Jun, who serves as the CEO of the company. Cai’s launch of Integrity Tech had help from various big names in China’s cybersecurity industry, including Venustech Group, The 360 Group , Qi An Xin and several state-backed investment funds. In November 2020, to prepare for listing the company on Shanghai Stock Market, Integrity Tech received around US$28.4 million in financing from a state-owned investment fund, which made i-SOON’s Shutdown drool. As of September 2024, the top 10 shareholders of Integrity Tech hold a total of 78.75 percent of the company’s shares. Among those shares, Cai Jingjing and the co-founder Chen Jun hold 51 percent of them. Five shareholders of the top 10, which take up a total of 21.8 percent of the shares, have a state background, including a military industry-themed stock securities investment fund backed by China Construction Bank, a major state bank.

Integrity Tech as Flax Typhoon

The attribution from the Joint Advisory and the US court document mentioned above stated that hackers working for Integrity Tech are “responsible, at least in part,” for activities of  threat group Flax Typhoon (a.k.a Ethereal Panda or RedJuliett). In addition to the evidence in those government documents linking Integrity Tech with Flax Typhoon, a look at Integrity Tech’s business development shows additional evidence of alignment with Flax Typhoon’s threat activities.

Flax Typhoon Threat Activity Observed with a Taiwan Focus

At least three companies have reported Flax Typhoon targeting organizations in Taiwan.

In February 2023, CrowdStrike assessed that Ethereal Panda (Flax Typhoon) operations primarily focus on entities in the academic, technology, and telecommunications sectors in Taiwan.

In August 2023, Microsoft reported that Flax Typhoon targeted dozens of government agencies, education, critical manufacturing, and information technology organizations in Taiwan as well. In particular, Flax Typhoon targeted Taiwanese aerospace entities that contract with the Taiwanese military. Microsoft observed that Flax Typhoon relied on legitimate software, such as tools built into the operating system, and benign software to maintain access to victims’ networks.

In June 2024, Recorded Future discovered that Chinese state-sponsored group RedJuliett (Flax Typhoon) targeted government, academic, technology, and diplomatic organizations in Taiwan with cyber espionage activities from November 2023 to April 2024. RedJuliett also expanded its operation, targeting organizations in Hong Kong, Malaysia, Laos, South Korea, the United States, Djibouti, Kenya, and Rwanda. Record Future stated the threat group likely “operates from Fuzhou, China.” As we know, Integrity Tech has an office in Fuzhou Software Park.

Alignment of Integrity Tech’s Business Development Timeline and Flax Typhoon’s Threat Activity Timeline

As an information security company tries to grow in a very competitive Chinese market, Integrity Tech has done well since its establishment in 2010. However, the booming of the company’s business did not happen until a large amount of state-backed financing in late 2020. As previously mentioned, after receiving US$28.4 million from a state-owned investment fund, Integrity Tech’s news release stated that “the state financing to the company was a recognition of the company’s leading position in the areas of cyber range and talent training, and in the field of simulation technology and attack and defense capability.” Yes, indeed, the recognition of Integrity Tech’s capability is likely a direct translation to more business from the state. The Natto Team noticed that private sector reports identified Flax Typhoon’s threat activity starting in mid-2021, about six months after Integrity Tech received a major round of state financing. In the meantime, the i-SOON leaks suggested that Integrity Tech was busy wining and dining with officials from various levels of public security bureaus from 2020 to 2022 to sustain its business growth. The parallel growth of Integrity Tech’s business development and Flax Typhoon’s threat activity suggests threat campaigns are an important part of Integrity Tech’s business.

Flax Typhoon’s Taiwan focuses reminded us of the threat activity of another hot and unattributed Chinese threat group: Volt Typhoon. US government agencies and allied partners assessed that Volt Typhoon’s likely intention was to target strategically important US assets and to prepare for destructive attacks. These assessed goals are a departure from China’s historical focus on cyber espionage for political and economic interests . In contrast, Flax Typhoon’s threat activity remains focused on espionage. Is Flax Typhoon’s work a component of China’s preparation for potential destructive activity? The Natto Team will continue to explore it.

Thanks for reading Natto Thoughts! Subscribe for free to receive new posts and support the Natto Team’s work.

1

“Nation-level ‘Zhuan, Jing, Te, and Xin’ Small Giant Enterprise” (国家转精特新”小巨人”企业) title is awarded to the small and medium-sized enterprises (SMES) that are front-runners focusing on niche markets, with strong innovation capability, high market share, mastery of key core technologies, and excellent quality and efficiency by China’s Ministry of Industry and Information Technology (MIIT)

2

the i-SOON leaks included product marketing white papers, contract logs, compromised data samples, chat logs among employees and clients, screenshots and images related to the company’s business operations from at least 2020 to 2022. For more, see Natto Thoughts postings here, here and here.

Article Link: Flax Typhoon-Linked Company Integrity Technology: a Competitor, Business Partner and Client of i-SOON