China-Linked Cyber Threat Group Hacks US Treasury Department
January 2, 2025

A Chinese government-sponsored cyber attack compromised the U.S. Treasury Department and obtained unclassified documents through a compromised key belonging to third-party cybersecurity vendor BeyondTrust. The breach, disclosed on December 31, highlights the growing sophistication of state-sponsored cyber espionage.

“Treasury takes all threats to our systems and the data they hold very seriously,” a Treasury spokesman said in a statement. “Over the past four years, Treasury has significantly strengthened its cyber defenses, and we will continue to work with private and public sector partners to protect our financial system from threat actors.”

Threat actors stole BeyondTrust keys

BeyondTrust reported the attack to the Treasury Department on December 8.

Chinese government representatives told reporters that China was not responsible for the breach. A spokesperson for the Chinese Embassy in Washington told Reuters that attributing the attack to Chinese state-backed threat actors was a “smear attack on China without any factual basis.”

The breach reportedly occurred after “threat actors gained access to a key used by the vendor to secure a cloud-based service used to provide remote technical support to Treasury Departmental Offices (DO) end users,” according to a letter from a Treasury official obtained by Reuters.

What types of files were accessed?

According to the BBC, the targeted files include:

  • Information about President-elect Donald Trump and Vice President-elect J.D. Vance.
  • Data related to Vice President Kamala Harris’ 2024 presidential campaign.
  • A database of phone numbers under law enforcement surveillance.

It’s unclear whether this information was specifically targeted or happened to be within the available data.

Since the attack, the Treasury Department has worked with third-party security experts, the intelligence community, the FBI and CISA on the investigation. Treasury has characterized the intruder as an advanced persistent threat actor, which NIST defines as a “sophisticated” adversary that uses multiple attack vectors to establish and maintain a persistent presence in its target.

BeyondTrust has taken the affected service offline, according to the Treasury letter. Taking the service offline removes the access path the threat actors used to reach the department’s information.

As The Washington Post highlights, the Treasury Department plays a key role in administering economic sanctions, which President-elect Trump may use against China.

James Turgal, vice president of global cyber risk and board relations at Optiv and a former FBI assistant director for information, said: “The increase in Chinese cyberattacks on U.S. infrastructure reflects broader strategic priorities, including countering U.S. influence capabilities, achieving technological dominance, and preparing for potential geopolitical confrontations.”

See: In early December, the U.S. sanctioned Chinese cybersecurity company Sichuan Silence over its alleged involvement in ransomware attacks.

Salt Typhoon hit US infrastructure in 2024

The Treasury Department intrusion was part of a series of attacks on U.S. government agencies and infrastructure in 2024 by China-sponsored threat actors, including Salt Typhoon.

Salt Typhoon has been active since 2020 and is known for cyber espionage operations targeting critical infrastructure sectors around the world. The group has targeted at least eight U.S. telecommunications companies, including AT&T and Verizon, as well as Cisco and defense contractors.

“This attack highlights the urgent need for a strong cybersecurity framework to protect against escalating threats targeting the telecommunications industry,” the FCC wrote in early December.

What does this mean for cybersecurity professionals?

In December, the U.S. government released security guidance for telecommunications companies aimed at disrupting the pattern of Chinese state actors compromising domestic organizations. The guidance recommends that companies deploy comprehensive alerting mechanisms, use network traffic monitoring solutions, limit the exposure of management traffic to the Internet, and harden all aspects of their systems and devices. Certain Cisco equipment may require additional precautions.
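As an added illustration of the “limit exposure of management traffic” and “harden devices” recommendations above, the following Cisco IOS configuration fragment shows a weak management-plane setup next to a hardened one. It is example configuration written for this article, not text from the government guidance or from Cisco; the management subnet 10.0.100.0/24, the syslog host 10.0.100.50, the ACL and group names, and the password placeholders are all assumptions chosen for illustration.

```cisco
! ---- WEAK (constructed example): management plane reachable from any address ----
ip http server
ip http secure-server
snmp-server community public RO
line vty 0 4
 transport input all
 login local

! ---- HARDENED (constructed example) ----
! Assumption: 10.0.100.0/24 is the out-of-band management subnet.
! Only that subnet may reach the management plane; everything else is dropped and logged.
ip access-list standard MGMT-ACCESS
 permit 10.0.100.0 0.0.0.255
 deny   any log
!
! Remove web management and unauthenticated SNMP entirely.
no ip http server
no ip http secure-server
no snmp-server community public
!
! SNMPv3 with authentication and encryption, restricted to the management ACL.
! <auth-password> and <priv-password> are placeholders, not real values.
snmp-server group MGMT-V3 v3 priv access MGMT-ACCESS
snmp-server user netops MGMT-V3 v3 auth sha <auth-password> priv aes 128 <priv-password>
!
! Disable Smart Install (a Cisco-specific precaution; the service is not needed in production).
no vstack
!
! SSHv2 only, ACL-bound VTYs, idle timeout, and login event logging for the alerting pipeline.
ip ssh version 2
login on-failure log
login on-success log
line vty 0 4
 access-class MGMT-ACCESS in
 transport input ssh
 exec-timeout 10 0
 login local
!
! Ship logs off-box so a compromised device cannot silently erase its own trail.
logging host 10.0.100.50
logging trap informational
```

The hardened fragment assumes SSH has already been enabled on the device (hostname, domain name, and an RSA key generated with `crypto key generate rsa`), otherwise `transport input ssh` would lock administrators out of the VTY lines. The `deny any log` entry and the `login on-failure log` command are what feed the “comprehensive alerting” recommendation: connection attempts against the management plane from outside the management subnet become syslog events that a monitoring system can raise an alert on.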
