The breach of the US Department of the Treasury, initially confirmed in December 2024, has been revealed to include the computers of top Treasury officials, including Secretary Janet Yellen, Deputy Secretary Wally Adeyemo, and Acting Under Secretary Brad Smith. Bloomberg, citing undisclosed sources with knowledge of the matter, reported that the attackers accessed unclassified files and employee credentials.

The intrusion, which Treasury officials classified as a “major incident,” involved access to fewer than 50 files on Yellen’s computer. However, the breach extended further, impacting over 400 employee laptops and desktops, with hackers obtaining more than 3,000 unclassified files, usernames, and passwords.

The attackers reportedly focused on data connected to the Treasury’s roles in sanctions enforcement, intelligence, and international affairs. Sensitive files linked to law enforcement investigations and the Committee on Foreign Investment in the US (CFIUS), which assesses national security risks from foreign investments, were among the materials accessed. Investigators emphasised that the department’s classified systems and email accounts remained secure.

The Treasury Department conducted briefings with lawmakers and congressional aides last month, coinciding with a Senate Finance Committee hearing for Scott Bessent, the nominee for Treasury Secretary. These sessions highlighted the seriousness of the breach, which has been attributed to a Chinese state-sponsored hacking group identified as Silk Typhoon or UNC5221 by cybersecurity professionals.

BeyondTrust and vulnerabilities

According to investigators, the group specifically targeted document collection and operated outside of standard working hours to evade detection. The breach originated last year when hackers exploited a vulnerability in BeyondTrust, a third-party vendor providing remote support services to the Treasury Department. BeyondTrust detected the issue on 5 December, identifying the compromise of an API key associated with its Remote Support Software-as-a-Service (SaaS) platform. Upon discovery, BeyondTrust revoked the API key, suspended affected instances, and notified impacted customers. It also provided alternative SaaS instances to ensure continuity of operations.
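The two behaviours the investigators describe, sessions run outside working hours and a focus on pulling documents, are both visible in remote-support audit logs if someone looks for them. The script below is an added illustration, not code from the article, from BeyondTrust, or from the Treasury: it reads a constructed, hypothetical audit-log format (timestamp, API key id, target host, action, optional file count), summarises activity per API key, and flags keys whose sessions ran off-hours and either pulled files in bulk or touched several hosts. The working-hours window, the bulk threshold and the log layout are all assumptions to be replaced with the fields and baselines of the product actually in use.

```python
"""Flag remote-support sessions that look like off-hours document collection.

Added illustration, not code from the article, BeyondTrust, or the Treasury.
The log format below is constructed and hypothetical; real Remote Support
audit exports differ, so adapt parse_line() to the fields your product emits.
"""
from dataclasses import dataclass
from datetime import datetime, time

# Constructed sample audit lines: <ISO timestamp> <api_key_id> <target_host> <action> [<count>]
SAMPLE_LOG = """\
2024-12-02T14:05:00 key_a1 WS-0412 session_start
2024-12-02T14:12:00 key_a1 WS-0412 file_download 3
2024-12-02T14:30:00 key_a1 WS-0412 session_end
2024-12-04T02:10:00 key_b7 WS-0118 session_start
2024-12-04T02:11:00 key_b7 WS-0118 file_download 140
2024-12-04T02:40:00 key_b7 WS-0118 session_end
2024-12-04T03:02:00 key_b7 WS-0233 session_start
2024-12-04T03:05:00 key_b7 WS-0233 file_download 95
2024-12-04T03:20:00 key_b7 WS-0233 session_end
"""

BUSINESS_START = time(7, 0)    # assumed local working hours; tune per site
BUSINESS_END = time(19, 0)
BULK_DOWNLOAD_THRESHOLD = 25   # assumed; baseline it from your own normal support traffic


@dataclass
class Event:
    ts: datetime
    key_id: str
    host: str
    action: str
    count: int


def parse_line(line):
    """Parse one constructed audit line; the count field is optional."""
    parts = line.split()
    count = int(parts[4]) if len(parts) > 4 else 0
    return Event(datetime.fromisoformat(parts[0]), parts[1], parts[2], parts[3], count)


def is_off_hours(ts, start=BUSINESS_START, end=BUSINESS_END):
    """True on weekends or outside the [start, end) working-hours window."""
    return ts.weekday() >= 5 or not (start <= ts.time() < end)


def analyse(log_text):
    """Per-API-key summary: hosts touched, files pulled, number of off-hours events."""
    summary = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        s = summary.setdefault(ev.key_id, {"hosts": set(), "files": 0, "off_hours_events": 0})
        s["hosts"].add(ev.host)
        s["files"] += ev.count
        if is_off_hours(ev.ts):
            s["off_hours_events"] += 1
    return summary


def suspicious_keys(log_text):
    """API keys with off-hours sessions that also pulled files in bulk or spanned several hosts."""
    flagged = []
    for key_id, s in analyse(log_text).items():
        if s["off_hours_events"] and (s["files"] >= BULK_DOWNLOAD_THRESHOLD or len(s["hosts"]) > 1):
            flagged.append(key_id)
    return sorted(flagged)


if __name__ == "__main__":
    for key_id, s in analyse(SAMPLE_LOG).items():
        print(key_id, sorted(s["hosts"]), s["files"], s["off_hours_events"])
    print("flagged:", suspicious_keys(SAMPLE_LOG))
```

Keying the summary on the API key id rather than on a user name matters here: a stolen SaaS key authenticates as the vendor integration, so a per-user view of the same activity can look unremarkable while the per-key view shows one credential touching many endpoints at 2 a.m. Any key that trips the rule is a candidate for the same response BeyondTrust describes, revocation and instance suspension, followed by a review of every host it reached.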

Further investigation led to the identification of a critical vulnerability, labelled BT24-10, in BeyondTrust’s Remote Support and Privileged Remote Access products. By mid-December, patches were issued for both cloud and self-hosted versions of these products. BeyondTrust confirmed that all known vulnerabilities were addressed and stated that no additional customers had been impacted.

Federal agencies, including the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA), are assisting the Treasury in assessing the scale and impact of the breach. BeyondTrust continues to collaborate with forensic investigators to ensure no remaining vulnerabilities are exploited.

This breach follows a series of cyberattacks attributed to Chinese actors, including incidents in 2023 targeting Commerce Secretary Gina Raimondo and US Ambassador to China Nicholas Burns. China has denied any involvement, dismissing allegations as baseless.
