A group of Chinese government-linked hackers infiltrated the U.S. Department of the Treasury, gaining access to 419 computers belonging to employees and executives involved in sanctions enforcement, international affairs, and intelligence operations. This revelation comes from a departmental report reviewed by Bloomberg News.
The attackers compromised user accounts and accessed over 3,000 files stored on unclassified personal computers. Among the stolen information were documents related to policy matters, travel itineraries, organizational charts, sanctions enforcement, foreign investments, and materials marked “For Official Use Only.” However, there is no evidence of breaches involving classified systems or the department’s email accounts.
The hackers also obtained investigative materials from the Committee on Foreign Investment in the United States (CFIUS), which assesses national security risks in real estate transactions and foreign investments. The report confirms the attack was linked to the Chinese hacking group Silk Typhoon (UNC5221). The perpetrators operated outside regular working hours to evade detection.
According to the department, the intrusion occurred between late September and mid-November. The cybercriminals demonstrated particular interest in the Office of Foreign Assets Control, the Office of International Affairs, and the Office of Intelligence and Analysis. They specifically targeted senior officials and managed to access employees’ personal financial records, including banking and insurance information.
The department promptly alerted CISA upon confirming the incident and subsequently involved the FBI and other agencies in the investigation. While there is no evidence suggesting a prolonged presence of the hackers within the systems, the investigation remains ongoing, focusing on assessing the damage incurred.
The breach originated through the networks of contractor BeyondTrust, which has since been disconnected from the system. BeyondTrust held federal contracts valued at over $4 million. The department is now considering replacing the contractor, despite the absence of direct evidence of security shortcomings on BeyondTrust’s part.
Notably, in December, CISA added a critical vulnerability in BeyondTrust’s Privileged Remote Access (PRA) and Remote Support (RS) products to its Known Exploited Vulnerabilities (KEV) catalog. This flaw has already been exploited by malicious actors. It remains unclear whether this vulnerability served as the vector for the Treasury breach. The investigation continues.
