Introduction

In December 2024 [2] [8] [9], a significant cyberattack orchestrated by Chinese state-backed hackers targeted multiple offices within the US Treasury Department. This breach, attributed to a China-based Advanced Persistent Threat (APT) actor [3] [4] [8], aimed to access sensitive information related to US financial sanctions against Chinese organizations.

Description

Chinese state-backed hackers [1] [3] [5] [9], identified as a China-based Advanced Persistent Threat (APT) actor [3] [8], compromised multiple offices within the US Treasury Department during a significant cyberattack in December 2024. The breach, reported on December 8 [2] [5], specifically targeted the Office of Foreign Assets Control (OFAC) [1] [2] [4] [8], the Office of Financial Research [1] [2] [4] [6] [7] [8], and the office of US Treasury Secretary Janet Yellen [6] [7] [8], aiming to access unclassified documents and information regarding Chinese organizations potentially facing US financial sanctions. The US frequently imposes such sanctions as part of its foreign policy, and officials noted that the Chinese government is particularly interested in information about potential future sanctions against entities in China [8].

The attack involved exploiting a vulnerability in software from the third-party cybersecurity vendor BeyondTrust, which provides remote technical support and identity management products. The hackers gained unauthorized access to a security key used by a cloud-based BeyondTrust service; with that key they were able to bypass the service's security controls and remotely access Treasury employee workstations and the unclassified documents on them. Although the hackers stole only unclassified data [4], they potentially acquired sensitive information about sanction targets and evidence related to ongoing investigations [4].

Following the discovery of the breach, the Treasury classified the incident as a major cybersecurity event and collaborated with the Cybersecurity and Infrastructure Security Agency (CISA), the FBI [1] [4] [5] [8], and third-party security specialists to investigate its impact [5]. BeyondTrust has since taken the affected service offline to prevent further access to Treasury information [5]. Currently, there is no evidence that the attackers have maintained access to Treasury information [1]. This incident is part of a broader pattern of cyberattacks on US government agencies linked to Chinese-sponsored threat actors [5], including the group Salt Typhoon, which has targeted critical infrastructure sectors globally [5]. The Treasury confirmed the incident in a letter to the Senate Committee on Banking, Housing and Urban Affairs dated December 30, 2024 [9]. In response to the allegations, Chinese officials dismissed claims of involvement in the Treasury attack as “groundless” and characterized them as a smear against Beijing [4].

Conclusion

The cyberattack on the US Treasury Department underscores the persistent threat posed by state-sponsored hackers and highlights vulnerabilities in third-party cybersecurity services. The incident prompted immediate mitigation efforts, including collaboration with federal agencies and cybersecurity experts, to prevent further breaches. Moving forward, this event may influence US cybersecurity policies and international relations, particularly concerning sanctions and diplomatic engagements with China.

References

[1] https://www.itpro.com/security/cyber-attacks/chinese-threat-actors-breached-the-us-treasury-in-major-incident-heres-what-you-need-to-know
[2] https://techcrunch.com/2025/01/02/chinese-government-hackers-reportedly-targeted-us-treasurys-sanctions-office-during-december-cyberattack/
[3] https://www.aljazeera.com/news/2025/1/1/us-treasury-hacked-are-china-and-the-us-stepping-up-their-cyberwar
[4] https://www.engadget.com/cybersecurity/china-linked-attack-on-us-treasury-department-reportedly-targeted-its-sanctions-office-150033082.html
[5] https://www.techrepublic.com/article/us-treasury-data-breach-china/
[6] https://www.yahoo.com/news/us-treasurys-sanctions-office-hacked-000131001.html
[7] https://www.cnbc.com/2025/01/02/chinese-hack-of-us-treasury-breached-sanctions-office-washington-post-says.html
[8] https://www.crn.com/news/security/2024/5-things-to-know-on-the-major-us-treasury-department-hack
[9] https://www.infosecurity-magazine.com/news/us-treasury-computers-china-supply/