Washington’s recent sanctions and indictments paint a clear picture. U.S. authorities have publicly designated multiple China-based firms and individual operators as enablers of state-directed and state-tolerated cyber espionage campaigns that reached into U.S. government networks, critical infrastructure, and private-sector targets. These actions expose a repeatable playbook: private companies, hacker-for-hire operators, and data brokers working together to provide access, concealment, and resale of stolen data.
The Treasury Department’s January 3, 2025 designation of Integrity Technology Group links a Beijing-based firm to a botnet and infrastructure used by the Flax Typhoon intrusion set. According to the Treasury, that infrastructure was used between 2022 and 2023 to route malicious traffic, mask operator origin, and maintain persistent access into victim networks.
Two weeks later, and again in March, U.S. authorities followed with targeted actions against actors tied to separate but related campaigns. The January 17, 2025 sanctions named Sichuan Juxinhe and the Shanghai-based operator Yin Kecheng for roles supporting the Salt Typhoon activity that compromised telecom providers and, in some instances, U.S. government networks. The March 5, 2025 unsealing of indictments and additional Treasury designations further identified Zhou Shuai and an associated company that brokered and sold access to compromised systems. Together these moves underscore how access brokers and service providers enable large-scale espionage.
Operational takeaways are straightforward. First, the threat model is hybrid. State intelligence requirements are being met through a mix of direct operators and commercial intermediaries. The result is plausible deniability for state actors and resilience for the espionage campaign through compartmentalization. Second, attackers exploit the supply chain and trusted tooling. Compromised vendor keys, commodity remote-access software, and compromised consumer devices have all played roles in these incidents. Third, the monetization layer matters. Data brokers and resellers convert stolen access and data into cash or intelligence for state and non-state customers.
What sanctions buy, and what they do not, is worth stating plainly. Sanctions freeze assets in U.S. jurisdiction, cut companies off from U.S. financial services, and raise the cost of doing business internationally. They also create stigma and complicate third-party relationships for the designated entities. But sanctions alone will not remove the technical access already embedded in networks, nor will they eliminate entities that operate primarily inside China with limited reliance on the U.S. financial system. In short, sanctions are a necessary tool, not a silver bullet.
Defensive priorities flow directly from the threat profile. Organizations that operate critical infrastructure and hold sensitive datasets must assume adversaries can gain persistent access through service providers and commodity devices. Practical steps include strict vendor risk management, microsegmentation, multi-factor authentication, zero-trust network architecture for critical services, rapid rotation of privileged credentials, and focused detection capabilities for the lateral-movement patterns associated with botnet command and control. Public-sector partners must push timely, tactical indicators and mitigations to industry and be candid about the limits of attribution.
Policy and law enforcement must tighten the seams. That means tougher export and procurement controls for high-risk tooling, stronger oversight and review of foreign-linked vendors in critical sectors, and international cooperation that targets the entire enabling ecosystem: operators, infrastructure hosts, money launderers, and data brokers. Rewards and criminal charges have a role in disrupting the human operators, but the U.S. and its allies must also harden the technical avenues the operators exploit. The recent reward offers and indictments demonstrate that multilayered pressure can raise the cost of operations for adversaries.
Final assessment. The pattern exposed by the sanctions is not a one-off. China’s intelligence services are leveraging a mixture of commercial firms and freelance operators to conduct espionage at scale while retaining plausible deniability. The U.S. response to date is calibrated and substantive, but defenders cannot outsource resilience to sanctions and indictments alone. Expect more designations and criminal actions. Prepare accordingly by treating third-party services as potential attack vectors and by investing in the basic, hard work of detection, segmentation, and rapid response.