US Treasury Department Breached by Cyber Threat Group with Ties to China

A cyberattack linked to China compromised the U.S. Treasury Department, exploiting a vulnerability in the third-party cybersecurity provider BeyondTrust to gain unauthorized access to classified documents.

The breach was disclosed on December 31, highlighting the increasing complexity of state-sponsored cyber espionage activities.

In a statement, a spokesperson for the department emphasized the gravity of all threats to their systems and sensitive data. They mentioned that over the past four years, the Treasury had significantly enhanced its defense against cyber threats and would continue collaborating with both public and private sector partners to safeguard the financial system against malicious actors.

A Breach in BeyondTrust Security

On December 8, BeyondTrust informed the Treasury Department about the breach. Subsequently, the Treasury reported the incident to the FBI and the Cybersecurity and Infrastructure Security Agency (CISA).

Chinese government representatives denied responsibility for the breach when speaking to the press. A spokesperson for the Chinese Embassy in Washington dismissed the allegations of state-sponsored cyber threats originating from China as baseless attacks aimed at tarnishing China’s reputation.

The breach occurred after a threat actor obtained access to a key used by the vendor to secure a cloud-based service for providing technical assistance to users in Treasury Departmental Offices (DO), as stated in a letter from Treasury officials obtained by Reuters.

What Kinds of Documents Were Compromised?

According to BBC reports, the targeted documents included:

  • Details about President-elect Donald Trump and Vice President-elect JD Vance.
  • Information related to Vice President Kamala Harris’s 2024 presidential campaign.
  • A database containing phone numbers under law enforcement scrutiny.

It remains unclear whether this data was specifically targeted or incidentally accessed.

After the attack, the Treasury collaborated with external security experts, the intelligence community, the FBI, and CISA on a thorough investigation. The Treasury classified the intrusion as the work of an Advanced Persistent Threat (APT), which NIST defines as a sophisticated adversary employing diverse tactics to maintain continuous access to its target.

As per the Treasury’s letter, BeyondTrust deactivated the affected service, effectively preventing the threat actors from reaching the department’s information.

As The Washington Post highlighted, the Treasury plays a crucial role in imposing economic sanctions, including any that President-elect Trump may consider against Chinese products.

James Turgal, VP of global cyber risk and board relations at Optiv and a former FBI assistant director of information and technology, conveyed in an email to TechRepublic that the rise in Chinese cyberattacks on U.S. infrastructure aligns with broader strategic objectives to counter U.S. influence, achieve technological superiority, and prepare for potential geopolitical conflicts.

Salt Typhoon’s 2024 Assault on US Infrastructure

The Treasury breach was part of a series of attacks on U.S. government institutions and infrastructure in 2024, many of which were traced back to Chinese-sponsored threat actors like Salt Typhoon.

Operating since 2020, Salt Typhoon is known for its cyber espionage activities targeting critical infrastructure sectors worldwide. The group focused on at least eight U.S. telecommunications companies, including AT&T and Verizon, along with firms like Cisco and defense contractors.

Early in December, the FCC emphasized the pressing need for robust cybersecurity frameworks to counter escalating threats against the telecommunications sector.

What Implications Does This Have for Cybersecurity Experts?

In response to a pattern of Chinese state-linked actors breaching domestic organizations, the U.S. government released security guidance for telecommunications companies in December. The recommendations included implementing comprehensive alert systems, utilizing network flow monitoring solutions, restricting management traffic exposure on the Internet, and fortifying system and device security. Specific precautions may be necessary for certain Cisco devices.
