Chinese cyber-spies reportedly targeted sanctions intel in US Treasury raid

OFAC, Office of the Treasury Secretary feared hit in data-snarfing swoop

Chinese spies who compromised the US Treasury Department's workstations reportedly stole data belonging to a government office responsible for sanctions against organizations and individuals.

On Monday, the Treasury sent a letter to Congress disclosing the cyberattack. Days later, we learned Beijing's snoops specifically targeted the Office of Foreign Assets Control (OFAC), which administers economic and trade sanctions, as well as the Office of the Treasury Secretary, according to a Washington Post report.

The security breach indicates the lengths China is going to in order to gather intelligence on America and Uncle Sam in general, and particularly intelligence related to Chinese entities that may soon face sanctions, the WaPo noted, citing anonymous US officials.

The December 30 letter that the Treasury's Assistant Secretary for Management Aditi Hardikar sent to US lawmakers blamed the intrusion on an earlier BeyondTrust security incident in which miscreants snatched an API key for the software maker's Remote Support SaaS product. This allowed the key's thieves to remotely access some Treasury office workstations and "certain, unclassified documents" maintained by those users.

Instances of BeyondTrust services that were compromised by the snoops were taken offline, and at this time, "there is no evidence indicating the threat actor has continued access to Treasury information," the letter continued.

Neither the US Treasury nor China's Ministry of Foreign Affairs responded to The Register's inquiries about the security breach.

A BeyondTrust spokesperson directed customers to a now-updated advisory about the snafu, and told The Register it took steps to shore up its security. "All cloud instances have been patched for this vulnerability," the biz noted. "We have also released a patch for self-hosted versions."

"BeyondTrust notified the limited number of customers who were involved, and it has been working to support those customers since then," the spokesperson told us. "No other BeyondTrust products were involved. Law enforcement was notified and BeyondTrust has been supporting the investigative efforts."

The Treasury letter also attributes the security breach to a "China state-sponsored Advanced Persistent Threat (APT) actor," which is noteworthy because US officials don't often play the blame game with other governments' cyber-espionage crews this early in the investigation.

"It is unusual for an early notice, especially in case of such breaches, to be able to make such clear attributions," SafeBreach Chief Information Security Officer Avishai Avivi said in an email to The Register.

"Looking through the technical details provided by BeyondTrust, we can see that the vulnerability was associated with four IP addresses," Avivi continued.

"These addresses belong to DigitalOcean, a New Jersey Cloud Service Provider (CSP). This information indicates to me that the malicious actors used this cloud provider as a jumping-off point to infiltrate the BeyondTrust service and exploit the trusted connection to the US Treasury. The clear attribution suggests that the investigation was able to link these four addresses to accounts originating in China."
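The intrusion described above hinged on a stolen API key for a remote-support SaaS product being used from an unexpected origin. The following is an added example, not code from The Register, BeyondTrust or the Treasury, showing how a defender might review remote-support audit logs for API-key sessions that originate outside the networks the key is expected to be used from, and then gather the follow-on actions of any such session for an analyst. The log format, the key identifiers (`rs-key-17`, `rs-key-09`), the hostnames, the IP ranges and the sample log lines are all constructed for illustration; no real indicator addresses from the BeyondTrust advisory are included.

```python
"""Added example (not from the article, BeyondTrust or the Treasury): flag
remote-support sessions authenticated with an API key from a source address
outside the networks that key is expected to be used from, then collect the
actions taken in such sessions. Every value below is constructed."""
import ipaddress
from collections import defaultdict

# Constructed sample audit log in an assumed "key=value" format.
SAMPLE_LOG = """\
2024-12-08T03:12:44Z event=session_start auth=api_key key_id=rs-key-17 src_ip=203.0.113.45 target=WS-EXAMPLE-021
2024-12-08T03:13:02Z event=file_read auth=api_key key_id=rs-key-17 src_ip=203.0.113.45 target=WS-EXAMPLE-021 path=/docs/memo.docx
2024-12-08T09:41:10Z event=session_start auth=api_key key_id=rs-key-17 src_ip=10.20.30.40 target=WS-EXAMPLE-004
2024-12-08T10:05:37Z event=session_start auth=password user=jdoe src_ip=10.20.30.41 target=WS-EXAMPLE-004
2024-12-08T11:22:19Z event=session_start auth=api_key key_id=rs-key-09 src_ip=198.51.100.7 target=WS-EXAMPLE-110
"""

# Networks from which each key's integration is expected to connect
# (assumed corporate ranges, constructed for the example).
EXPECTED_KEY_NETWORKS = {
    "rs-key-17": [ipaddress.ip_network("10.20.0.0/16")],
    "rs-key-09": [ipaddress.ip_network("10.20.0.0/16"),
                  ipaddress.ip_network("198.51.100.0/24")],
}


def parse_line(line):
    """Split one 'timestamp k=v k=v ...' line into a dict."""
    ts, *fields = line.split()
    rec = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def is_expected_origin(key_id, src_ip):
    """True if src_ip lies within a network allow-listed for key_id.
    Unknown keys have no allowed networks, so any use is unexpected."""
    nets = EXPECTED_KEY_NETWORKS.get(key_id, [])
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in nets)


def find_suspect_key_sessions(records):
    """Return session_start events authenticated by an API key whose source
    address is outside the networks expected for that key."""
    alerts = []
    for rec in records:
        if rec.get("event") != "session_start" or rec.get("auth") != "api_key":
            continue
        if not is_expected_origin(rec["key_id"], rec["src_ip"]):
            alerts.append(rec)
    return alerts


def actions_by_suspect_session(records):
    """Group every API-key event sharing a suspect session's key and source
    address, so the analyst can see what the key was used for."""
    suspects = {(a["key_id"], a["src_ip"]) for a in find_suspect_key_sessions(records)}
    grouped = defaultdict(list)
    for rec in records:
        if rec.get("auth") != "api_key":
            continue
        pair = (rec["key_id"], rec["src_ip"])
        if pair in suspects:
            grouped[pair].append(rec["event"])
    return dict(grouped)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for alert in find_suspect_key_sessions(recs):
        print(f"ALERT {alert['ts']} key {alert['key_id']} used from "
              f"{alert['src_ip']} against {alert['target']}")
    print(actions_by_suspect_session(recs))
```

In the constructed sample, only the `rs-key-17` session from `203.0.113.45` is flagged; the same key used from the allow-listed `10.20.0.0/16` range and the password-authenticated session are left alone. Maintaining a per-key allow-list of expected origin networks is the design choice that makes a key used from a cloud provider's address space stand out, rather than blending in with legitimate integration traffic.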

This latest Chinese intrusion into US networks comes as government officials and law enforcement continue to investigate another Beijing-backed snooping effort that compromised at least nine American telecommunications companies, giving them the "capability to geolocate millions of individuals" and "record phone calls at will."

This attack, which has been attributed to Salt Typhoon, has been called the "worst telecom hack" in US history, and was among the escalating cyber incidents the Feds blamed on the Chinese government in 2024. ®
