China-Linked Cyber Threat Group Hacks US Treasury Department
A Chinese-state-sponsored cyberattack compromised the U.S. Treasury, gaining access to classified documents through a vulnerability in third-party cybersecurity provider BeyondTrust. The breach, revealed on Dec. 31, underscores the growing sophistication of state-backed cyber espionage efforts.
“Treasury takes very seriously all threats against our systems, and the data it holds,” a department spokesperson said in a statement. “Over the last four years, Treasury has significantly bolstered its cyber defense, and we will continue to work with both private and public sector partners to protect our financial system from threat actors.”
Threat actors stole a key to BeyondTrust
BeyondTrust reported the breach to the Treasury Department on Dec. 8. The Treasury, in turn, reported the attack to the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI.
Representatives of the Chinese government told reporters the nation was not responsible for the breach. A spokesperson for the Chinese Embassy in Washington told Reuters attributions of nation-state-sponsored threat actors to China were “smear attacks against China without any factual basis.”
The breach occurred after “a threat actor had gained access to a key used by the vendor to secure a cloud-based service used to remotely provide technical support for Treasury Departmental Offices (DO) end users,” according to a letter from Treasury officials acquired by Reuters.
What types of documents were exploited?
According to the BBC, targeted documents included:
- Information about President-elect Donald Trump and Vice President-elect JD Vance.
- Data related to Vice President Kamala Harris’s 2024 presidential campaign.
- A database of phone numbers subject to law enforcement surveillance.
It is unknown whether this information was specifically targeted or happened to be within the available data.
Since the attack, the Treasury has worked with third-party security specialists, the intelligence community, the FBI, and CISA to investigate. The Treasury identified the cyber threat as an Advanced Persistent Threat actor, which NIST defines as a “sophisticated” adversary using multiple tactics to gain continuous access to its target.
According to the letter from the Treasury, BeyondTrust took the affected service offline. This strategy blocked the threat actors’ access to the department’s information.
As the Washington Post highlighted, the Treasury plays a key role in economic sanctions, which President-elect Trump may leverage against Chinese goods.
“The uptick in Chinese cyberattacks on U.S. infrastructure reflects broader strategic priorities, including countering U.S. influence, achieving technological dominance and preparing for potential geopolitical confrontations,” James Turgal, VP of global cyber risk and board relations at Optiv and former FBI assistant director of information and technology, said in an email to TechRepublic.
SEE: In early December the US sanctioned Chinese cybersecurity firm Sichuan Silence for alleged involvement in ransomware attacks.
Salt Typhoon targeted US infrastructure in 2024
The breach of the Treasury was part of a series of attacks on U.S. government agencies and infrastructure in 2024. Many of these incidents have been traced to China-sponsored threat actors, including Salt Typhoon.
Active since 2020, Salt Typhoon has been recognized for its cyber espionage operations targeting critical infrastructure sectors globally. The group targeted at least eight U.S. telecommunications companies, including AT&T and Verizon, as well as Cisco and defense contractors.
“The attack underscores the urgent need for robust cybersecurity frameworks to protect against escalating threats targeting the telecommunications sector,” the FCC wrote in early December.
What does this mean for cybersecurity professionals?
In December, the U.S. government issued security guidance to telecommunications companies attempting to disrupt a pattern of Chinese state-affiliated actors breaching domestic organizations. The guidance suggested that companies use comprehensive alerting mechanisms, leverage network flow monitoring solutions, limit exposure of management traffic to the Internet, and harden various aspects of systems and devices. Specific Cisco devices may call for additional precautions.