Chinese hackers reportedly targeted sanctions information in the US Treasury breach
According to new findings, the Chinese hackers who compromised the US Treasury Department targeted the Office of Foreign Assets Control (OFAC), the office responsible for administering economic and trade sanctions against foreign entities. The attackers also accessed the Office of the Treasury Secretary, according to a report by The Washington Post.
These revelations follow a letter from the Treasury to Congress highlighting Beijing's efforts to gather intelligence on US sanctions policy, particularly sanctions affecting Chinese entities.
Exfiltration method
The breach, which occurred in December 2024, exploited a vulnerability in the BeyondTrust Remote Support SaaS platform, a cloud-based service Treasury used to provide remote technical support to its Departmental Offices. According to the Treasury's letter, the attackers obtained a key that the vendor used to secure that service, used it to override the service's security controls, and remotely accessed certain Treasury office workstations. They then exfiltrated unclassified documents stored on those systems.
The letter noted that the compromised BeyondTrust service has been taken offline and assured lawmakers that there is no evidence of continued unauthorized access to Treasury systems.
BeyondTrust response
On its end, BeyondTrust has assured the public that "all cloud instances have been patched for this vulnerability," and a patch for self-hosted versions has been released.
"BeyondTrust notified the limited number of customers who were involved, and it has been working to support those customers since then," a company spokesperson was quoted as saying. "No other BeyondTrust products were involved. Law enforcement was notified and BeyondTrust has been supporting the investigative efforts."
Attribution to a Chinese state-sponsored actor
The Treasury Department attributed the breach to a "China state-sponsored Advanced Persistent Threat (APT) actor," a rare early attribution in such cyberattacks. "It is unusual for an early notice, especially in case of such breaches, to be able to make such clear attributions," SafeBreach Chief Information Security Officer Avishai Avivi told a popular publication.
However, he added that the investigators had already identified the IP addresses used by the attackers. Therefore, if the Treasury says it's a state-sponsored attack, it means they've traced the addresses back to China.
A broader pattern of Chinese espionage
This Treasury breach is part of a growing list of Chinese-linked espionage cases. The US is still dealing with the fallout from the Salt Typhoon intrusions, disclosed in late 2024, into the networks of several major US telecommunications carriers, which Senator Mark Warner described as the "worst telecom hack" in US history.