U.S. Treasury Hack

By Charles Leigh on February 6, 2025

Executive Summary

In December 2024, the U.S. Department of the Treasury disclosed a significant cybersecurity breach attributed to a Chinese state-sponsored actor. Using a stolen key for a third-party remote support service provided by BeyondTrust, the attackers reached about 100 Treasury workstations and accessed more than 3,000 unclassified files, exposing a significant amount of sensitive information. BeyondTrust has since hardened its systems, and the U.S. government is reassessing the risk of relying on third-party software for critical government operations. Strengthening identity and access management, securing cryptographic and API keys, and improving network segmentation and monitoring would help prevent similar breaches in the future.

Background

The Treasury Department used a third-party vendor, BeyondTrust, to provide remote technical support to its end users; the vendor's cloud-based remote support service was secured with an API key held by BeyondTrust [4]. The attackers exploited a vulnerability in BeyondTrust's remote support tool and obtained that key, which let them bypass the service's security controls and authenticate into Treasury's environment as if they were the vendor. With that access they gained unauthorized remote entry to about 100 workstations and over 3,000 unclassified files, including files belonging to high-ranking officials.

A Shanghai-based cyber actor named Yin Kecheng was sanctioned for his involvement in the hack. Yin Kecheng is affiliated with the People's Republic of China Ministry of State Security (MSS) and has been an active cyber actor for over a decade [3]. He is one of many Chinese state-sponsored threat actors; groups such as Salt Typhoon, Volt Typhoon, and Flax Typhoon target critical infrastructure in the United States and in other nation states such as Taiwan. The U.S. has levied sanctions on Yin Kecheng, on the firm Sichuan Juxinhe Network Technology, which Treasury linked to Salt Typhoon, and on other Chinese individuals and entities it believes played a part in or carried out the hack [2][3].

Impact

The attackers obtained a security (API) key that BeyondTrust used to secure a cloud-based service. It is not known exactly how long they had access, and there was a six-day gap between the first sign of intrusion and BeyondTrust's initial notification to the Treasury Department. The breach affected both national security and government operations: the exposed unclassified files included material from offices such as the Office of Foreign Assets Control, which administers sanctions [2]. It also exposed a weakness in third-party security, in this case BeyondTrust, since a single long-lived vendor credential was enough to reach Treasury workstations [1].

Mitigation

Implementing a Zero Trust Architecture (ZTA) offers several key benefits that would have limited this breach. Three ZTA actions in particular apply:

Least Privilege Access: users, devices and service credentials get only the minimum access they need, which reduces the attack surface. A vendor support key scoped to a small set of help-desk workstations cannot reach the workstations of senior officials.

Micro-Segmentation: access is granted per network segment, which limits an attacker's lateral movement once a credential or host is compromised.

Continuous Authentication: users, devices and credentials are re-verified on every request rather than once at login, which reduces both external and insider threats. A key that is too old, a session without MFA, or a device that fails a posture check is denied even if the key itself is valid.

Because the Treasury intrusion hinged on one stolen API key, key hygiene belongs with these actions: keep service keys short-lived, rotate them on a schedule, scope each key to the smallest set of targets, and alert when a single key opens sessions to an unusual number of hosts.
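The three ZTA actions above, together with the key-hygiene point, can be expressed as a small policy engine that re-evaluates every remote-support session request. The following is an added example, not code from this post, from BeyondTrust or from Treasury; every key ID, segment name, hostname, timestamp and threshold in it is a constructed assumption.

```python
"""Toy zero-trust policy engine for vendor remote-support sessions.

Added example (not code from the post, BeyondTrust or Treasury). All key IDs,
segment names, hostnames, timestamps and thresholds are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE = timedelta(days=30)          # assumption: service keys rotate monthly
MAX_HOSTS_PER_KEY_PER_HOUR = 5            # assumption: one support key rarely fans out
HIGH_VALUE_SEGMENT = "exec-workstations"  # hypothetical segment for senior officials
T0 = datetime(2024, 12, 2, 9, 0, tzinfo=timezone.utc)  # constructed reference time


@dataclass(frozen=True)
class Credential:
    key_id: str
    issued_at: datetime
    allowed_segments: frozenset   # least privilege: the only segments this key may reach
    mfa_verified: bool            # was a human MFA step bound to this session?


@dataclass(frozen=True)
class SessionRequest:
    key_id: str
    device_compliant: bool        # device posture reported by the endpoint agent
    target_host: str
    target_segment: str
    at: datetime


@dataclass
class PolicyEngine:
    credentials: dict
    history: dict = field(default_factory=dict)  # key_id -> [(time, host), ...]

    def evaluate(self, req: SessionRequest) -> tuple:
        """Return (allowed, reason). Every request is re-verified; nothing is
        trusted because an earlier request from the same key was allowed."""
        cred = self.credentials.get(req.key_id)
        if cred is None:
            return False, "unknown credential"
        # Continuous authentication: key freshness, MFA binding and device posture
        if req.at - cred.issued_at > MAX_KEY_AGE:
            return False, "credential older than rotation window"
        if not cred.mfa_verified:
            return False, "no MFA on this session"
        if not req.device_compliant:
            return False, "device failed posture check"
        # Least privilege + micro-segmentation: only explicitly granted segments
        if req.target_segment not in cred.allowed_segments:
            return False, "segment %s not permitted for this key" % req.target_segment
        # Behavioural guard: one key opening sessions to many hosts within an hour
        # is the pattern of a stolen vendor key, so cap the fan-out
        window_start = req.at - timedelta(hours=1)
        recent = {h for t, h in self.history.get(req.key_id, []) if t >= window_start}
        if len(recent | {req.target_host}) > MAX_HOSTS_PER_KEY_PER_HOUR:
            return False, "too many distinct hosts in one hour"
        self.history.setdefault(req.key_id, []).append((req.at, req.target_host))
        return True, "allowed"


def build_engine() -> PolicyEngine:
    """Two constructed vendor keys: one fresh and scoped, one stale and over-privileged."""
    fresh = Credential("svc-support-fresh", T0 - timedelta(days=3),
                       frozenset({"helpdesk-workstations"}), True)
    stale = Credential("svc-support-stale", T0 - timedelta(days=400),
                       frozenset({"helpdesk-workstations", HIGH_VALUE_SEGMENT}), True)
    return PolicyEngine({fresh.key_id: fresh, stale.key_id: stale})


def run_demo() -> list:
    """Replay a constructed sequence of session requests and return
    [(key_id, host, allowed, reason), ...] in order."""
    engine = build_engine()
    reqs = [SessionRequest("svc-support-fresh", True, "ws-%03d" % i,
                           "helpdesk-workstations", T0 + timedelta(minutes=i))
            for i in range(1, 6)]                                    # 5 normal sessions
    reqs += [
        SessionRequest("svc-support-fresh", False, "ws-002",
                       "helpdesk-workstations", T0 + timedelta(minutes=6)),   # bad posture
        SessionRequest("svc-support-fresh", True, "ws-006",
                       "helpdesk-workstations", T0 + timedelta(minutes=7)),   # 6th host
        SessionRequest("svc-support-fresh", True, "exec-01",
                       HIGH_VALUE_SEGMENT, T0 + timedelta(minutes=8)),        # out of scope
        SessionRequest("svc-support-stale", True, "exec-01",
                       HIGH_VALUE_SEGMENT, T0 + timedelta(minutes=9)),        # stale key
        SessionRequest("svc-unknown", True, "ws-001",
                       "helpdesk-workstations", T0 + timedelta(minutes=10)),  # unknown key
    ]
    out = []
    for r in reqs:
        allowed, reason = engine.evaluate(r)
        out.append((r.key_id, r.target_host, allowed, reason))
    return out


if __name__ == "__main__":
    for key_id, host, allowed, reason in run_demo():
        print("%-18s %-8s %s (%s)" % (key_id, host, "ALLOW" if allowed else "DENY", reason))
```

Running the script allows the first five help-desk sessions and denies the rest, each with a reason that maps to one of the three ZTA actions or to key hygiene. The design point is that the stale, over-privileged key never gets to use its broad segment grant, because freshness is checked before scope, and that a fresh, correctly scoped key is still stopped when its behaviour (fan-out across many hosts) looks like the Treasury intrusion.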

Relevance

This incident matters to the security of both the United States and its allies. State-sponsored threat actors target government networks to undermine national stability, which makes strong defenses critical. Strengthening critical infrastructure and the third-party systems it depends on will improve resilience against both physical and cyber threats.

References

[1] Lakshmanan, R. (2025, January 7). CISA: No wider federal impact from Treasury cyber attack, investigation ongoing. The Hacker News. Retrieved January 29, 2025, from https://thehackernews.com/2025/01/cisa-no-wider-federal-impact-from.html

[2] Reuters. (2025, January 2). Chinese hack of U.S. Treasury breached sanctions office, Washington Post says. CNBC. https://www.cnbc.com/2025/01/02/chinese-hack-of-us-treasury-breached-sanctions-office-washington-post-says.html

[3] U.S. Department of the Treasury. (2024, December 23). Treasury sanctions company associated with Salt Typhoon and hacker associated with Treasury compromise [Press release]. https://home.treasury.gov/news/press-releases/jy2792

[4] Muncaster, P. (2025, January 29). US Treasury computers accessed by China in supply chain attack. Infosecurity Magazine. https://www.infosecurity-magazine.com/news/us-treasury-computers-china-supply/