Chinese State Hackers Breach OFAC in Targeted Treasury Department Cyberattack
As the investigation into the breach of the U.S. Treasury Department continues, the latest update from the Cybersecurity and Infrastructure Security Agency (CISA) and other federal entities provides clarity on the scope and impact of the incident. The breach, attributed to a China state-sponsored Advanced Persistent Threat (APT) actor, exploited a compromised BeyondTrust Remote Support SaaS API key, granting unauthorized access to the Treasury's Office of Foreign Assets Control (OFAC) and the Office of Financial Research. CISA has confirmed, "At this time, there is no indication that any other federal agencies have been impacted by this incident."
The Treasury Department disclosed that BeyondTrust alerted it to the breach on December 8, 2024. According to The Hacker News, the Treasury explained in a letter to the Senate Committee on Banking, Housing, and Urban Affairs, "On December 8, 2024, Treasury was notified by a third-party software service provider, BeyondTrust, that a threat actor had gained access to a key used by the vendor to secure a cloud-based service used to remotely provide technical support for Treasury Departmental Offices (DO) end users." The letter further detailed that the stolen key allowed attackers "to override the service's security, remotely access certain Treasury DO user workstations, and access certain unclassified documents maintained by those users." The department took the affected service offline to prevent further access. The Treasury described the breach as a "major cybersecurity incident," underscoring its serious implications for national security.
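The mechanism described in the letter, a vendor-held API key for a cloud remote-support service being used from outside the vendor's normal infrastructure, is the kind of misuse a customer can only catch if it monitors the provider's audit export for where and how each key is used. The following is an added example, not code from the original article and not BeyondTrust's API or log schema: it reads a constructed JSON-lines audit log (field names ts, key_id, src_ip, action and target are assumptions for this example), builds a per-key baseline of source networks seen before a cutoff date, and flags any key that is later used from a network outside that baseline, reporting what the key did from there and which keys should be revoked and rotated.

```python
"""Flag remote-support API keys used from source networks absent from their baseline.

Added example. The log format below is constructed for illustration and is not
the audit schema of BeyondTrust Remote Support or any other real product.
"""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample audit export (JSON lines). Sessions from 203.0.113.0/24
# form the normal pattern for rs-key-01; the 198.51.100.77 activity is the
# anomaly this example is meant to surface. rs-key-02 has no history at all.
SAMPLE_LOG = """\
{"ts":"2024-11-20T14:02:11Z","key_id":"rs-key-01","src_ip":"203.0.113.10","action":"session.start","target":"WS-0421"}
{"ts":"2024-11-21T09:15:40Z","key_id":"rs-key-01","src_ip":"203.0.113.22","action":"session.start","target":"WS-0198"}
{"ts":"2024-11-25T16:48:03Z","key_id":"rs-key-01","src_ip":"203.0.113.10","action":"session.start","target":"WS-0421"}
{"ts":"2024-12-01T03:11:57Z","key_id":"rs-key-01","src_ip":"198.51.100.77","action":"session.start","target":"WS-0042"}
{"ts":"2024-12-01T03:14:20Z","key_id":"rs-key-01","src_ip":"198.51.100.77","action":"file.download","target":"WS-0042"}
{"ts":"2024-12-01T03:30:05Z","key_id":"rs-key-01","src_ip":"198.51.100.77","action":"session.start","target":"WS-0311"}
{"ts":"2024-12-02T10:05:00Z","key_id":"rs-key-02","src_ip":"203.0.113.40","action":"session.start","target":"WS-0777"}
"""

# Everything before this instant is treated as known-good history (assumption).
BASELINE_END = datetime(2024, 11, 30, tzinfo=timezone.utc)


def source_network(ip_str):
    """Collapse an address to its /24 (IPv4) or /64 (IPv6) so small DHCP moves do not alert."""
    ip = ipaddress.ip_address(ip_str)
    prefix = 24 if ip.version == 4 else 64
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def parse_log(text):
    """Parse JSON-lines events, converting timestamps to aware datetimes and IPs to networks."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        rec["net"] = source_network(rec["src_ip"])
        events.append(rec)
    return events


def build_baseline(events, baseline_end=BASELINE_END):
    """Map each key id to the set of source networks it used before the cutoff."""
    seen = defaultdict(set)
    for ev in events:
        if ev["ts"] < baseline_end:
            seen[ev["key_id"]].add(ev["net"])
    return seen


def detect_new_network_use(events, baseline, baseline_end=BASELINE_END):
    """Group post-cutoff events by (key, network) and alert on networks outside the baseline."""
    groups = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["ts"] < baseline_end:
            continue
        g = groups.setdefault(
            (ev["key_id"], ev["net"]),
            {"first_seen": ev["ts"], "events": 0, "actions": set(), "targets": set()},
        )
        g["events"] += 1
        g["actions"].add(ev["action"])
        g["targets"].add(ev["target"])

    alerts = []
    for (key_id, net), g in groups.items():
        known = baseline.get(key_id)  # .get() does not create a default entry
        if known is None:
            reason = "no_baseline"          # key never seen before: cannot judge, report it
        elif net not in known:
            reason = "new_source_network"   # key used from somewhere its owner never used
        else:
            continue
        alerts.append({
            "key_id": key_id,
            "src_network": net,
            "reason": reason,
            "first_seen": g["first_seen"].isoformat(),
            "events": g["events"],
            "actions": sorted(g["actions"]),
            "targets": sorted(g["targets"]),
        })
    return alerts


def keys_to_rotate(alerts):
    """Keys with confirmed out-of-baseline use should be revoked and reissued, not just watched."""
    return sorted({a["key_id"] for a in alerts if a["reason"] == "new_source_network"})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    found = detect_new_network_use(evs, build_baseline(evs))
    for a in found:
        print(json.dumps(a))
    print("rotate:", keys_to_rotate(found))
```

The grouping by (key, network) matters more than the single first-seen event: a stolen vendor key that reaches several workstations and pulls files from a never-seen network reads very differently from one stray login, and the alert carries the target list and action set so an analyst can scope the exposure without re-querying the log. A key flagged with no baseline is reported rather than trusted, since a freshly issued key used from an unexpected place is exactly what a quiet compromise looks like.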
Sources indicate that the attackers' focus on OFAC aligns with Beijing’s strategic interests, particularly in gathering intelligence on potential U.S. sanctions against Chinese individuals and entities. Reports also suggest that the office of Treasury Secretary Janet Yellen was among the targeted departments. Meanwhile, Chinese adversary groups such as Salt Typhoon continue to threaten critical infrastructure, including U.S. telecommunications and foreign carriers, heightening concerns about the security of sensitive communications data. Further updates are anticipated as investigations progress and mitigation efforts continue.