Introduction
The United States and China have been adversaries for over 50 years, disagreeing on issues such as economic structure and the sovereignty of Taiwan. Advances in technology have strained these relations further, because each side can now reach the other's information on a scale that was previously impossible. International cybersecurity has become a major issue in the last 20 years, with programs such as Stuxnet changing how we think about critical infrastructure security. Because cyber attacks can shut down pipelines and power grids, it is extremely important that international cybersecurity relations are kept in check.
In December 2024, Chinese state-sponsored hackers infiltrated BeyondTrust, a third-party company with access to US Treasury workspaces and documents. The US Treasury and other organizations immediately took BeyondTrust offline and launched an investigation. Most of the contents and details of the accessed files were not released to the public; however, it was noted that the documents were not classified and that some contained data from the Committee on Foreign Investment.
Background
Leading up to the breach of the US Treasury, the United States had just gone through the presidential electoral process, something China has been accused of tampering with in the past. With this as a distraction, it is not too far of a stretch to believe that something slipped through the cracks and allowed these hackers to get in. When BeyondTrust finally discovered the breach in December 2024, its systems were immediately taken offline and investigated to determine the scope of the damage. BeyondTrust and the US government worked together to find the source of the damage, leading them to conclude that Chinese hackers had infiltrated the system.
Methods
The hackers gained unauthorized access to Treasury systems through third-party software from BeyondTrust, which had connections to the US Treasury's systems. They stole a key used to secure the cloud servers that provided remote technical support. With this key, they were able to spy on and obtain documents from employees' computers. The API key was obtained through command injection vulnerabilities (CVE-2024-12356 and CVE-2024-12686) in the software BeyondTrust used for its remote support servers. They were subsequently able to bypass authentication and inject malicious commands.
Impact
The impact of the breach was not immediately known; digital forensic experts had to come in to investigate how many computers and employees were affected, and whether any specific officials were targeted in the attack. The investigation found that a few government officials were targeted, namely US Treasury Secretary Janet Yellen, Deputy Secretary Wally Adeyemo and Acting Under Secretary Brad Smith. Fewer than 50 files on Dr. Yellen's computer were accessed; however, the contents of those files are not known to the public. Over 400 desktop and laptop computers were infiltrated, with over 3,000 files accessed. These files were all unclassified, and the leak included data and material created by the Committee on Foreign Investment in the US.
Response
Immediately after being notified of the attack by BeyondTrust on December 8, the Treasury enlisted the help of the Cybersecurity and Infrastructure Security Agency and the FBI, along with other intelligence agencies. These agencies investigated and concluded that the attack came from China and was likely state-sponsored. As a result, China was hit with sanctions targeting the Beijing-based company Integrity Technology Group, Inc. because of its alleged involvement in a different cyber attack earlier that week. The Chinese government denied all involvement in the attack, with Chinese embassy spokesman Liu Pengyu saying, "The U.S. needs to stop using cybersecurity to smear and slander China, and stop spreading all kinds of disinformation about the so-called Chinese hacking threats."
Sanctions
The sanctions placed on China were due to an attack by Integrity Technology Group, Inc. The attack targeted US communications systems in order to conduct surveillance on official business of the United States. The Treasury Department said that Integrity Technology Group, Inc. backed and funded a Chinese state-sponsored hacker group called "Flax Typhoon." The hacker group used the company's infrastructure in its operations and received support from the company. Not only did Flax Typhoon target the Treasury, it also targeted US citizens in their everyday lives. In September 2024, the FBI reported that it had taken down a network of 200,000 civilian devices that had been infected with Flax Typhoon malware. The sanctions prohibit financial institutions and individuals from doing business with Integrity Technology Group, Inc. and froze all of its assets in the United States. This will prevent Integrity Technology Group, Inc. from receiving US investor money.
Typhoon Hackers
There are several Chinese state-sponsored hacking groups whose names all include the word "Typhoon." The most well known is Salt Typhoon, which targets governments, telecommunications, and the hospitality industry in countries across Asia, North America, and Africa. There is also Volt Typhoon, which targeted utility systems in Massachusetts and was able to stay in the system for one and a half years before being discovered.
Flax Typhoon
Flax Typhoon is a group from China that has been active since 2021. It is sponsored by the Chinese government and has the primary goal of hacking into and spying on government systems all over the world, especially Taiwan. These hackers used technical support from Integrity Technology Group Inc. mainly between summer 2022 and fall 2023. Records show that they sent communications to each other during the exploitation process. During this period, Flax Typhoon used virtual private networks and remote desktop software to access various United States and European systems. In summer 2023, Flax Typhoon also compromised workspaces located in California.
Prevention
This breach should be a wake-up call for the government on how it chooses which third-party companies to work with. All it takes is one person clicking a phishing link and entering their credentials to compromise the whole system. This is why a security practice called "the principle of least privilege" is extremely important. This principle says that employees of a company should only have access to the things they need to do their job. A low-level employee should not be able to access the executives' records or their boss's files. Excess privilege is how hackers are able to move through networks and gain access, extremely quickly, to records they should never be able to reach.

Attacks by foreign governments are nothing new and have been going on for as long as governments have existed. With technology and the internet now a part of everyday life, it is extremely important that everyone in a position of power at a company knows what to look for in a fake email or text message. In my opinion, human error is 90% of the problem, while 10% is a genuine lack of infrastructure. It is human nature to make things as easy as possible for ourselves, like not changing the default password on the baby monitor you use for your kids. However, that is one of the many things bad actors look for when targeting a device. Changing default passwords can be a minor inconvenience, but it can save you from a major issue later down the road. Nobody wants footage of their kid on the internet for creeps and predators to see.

In the enterprise sense, systematic plans for when prevention methods fail must be in place. Otherwise, a disaster hits and you are not able to recover. Regular audits and yearly reviews of those plans, updating them if needed, are essential for staying current. There should also be redundancy, such as backup servers that store information in case the primary systems are unavailable because of hackers. This protects the business's reputation and avoids the monetary cost of its systems being down.
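As an added illustration of the least-privilege point above (example code written for this essay, not BeyondTrust's or the Treasury's software), the following constructed model shows why a remote-support credential should be scoped and short-lived: a stolen broad key can read every workstation, while a stolen narrow key is confined to its help-desk queue and stops working once it expires. The workstation names, key IDs and timestamps are all made up for the demonstration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed, hypothetical model of a scoped remote-support API key (not a real vendor API).
@dataclass(frozen=True)
class ApiKey:
    key_id: str
    scopes: frozenset          # allowed (resource, action) pairs; resource "*" means any
    expires_at: datetime

# Constructed sample inventory of what a remote-support integration could reach.
WORKSTATIONS = ("ws:helpdesk-queue", "ws:finance-analyst", "ws:exec-office")

def authorize(key: ApiKey, resource: str, action: str, now: datetime, audit: list) -> bool:
    """Deny-by-default check: allow only if the key is unexpired and carries a
    scope matching the exact (resource, action) pair or a wildcard resource."""
    if now >= key.expires_at:
        audit.append(f"DENY key={key.key_id} {action} {resource} reason=expired")
        return False
    if (resource, action) in key.scopes or ("*", action) in key.scopes:
        audit.append(f"ALLOW key={key.key_id} {action} {resource}")
        return True
    audit.append(f"DENY key={key.key_id} {action} {resource} reason=out-of-scope")
    return False

def blast_radius(key: ApiKey, now: datetime) -> list:
    """Workstations a stolen copy of this key could read right now."""
    return [ws for ws in WORKSTATIONS if authorize(key, ws, "read", now, [])]

def demo() -> dict:
    now = datetime(2024, 12, 8, tzinfo=timezone.utc)   # constructed reference time
    # A single long-lived master key: convenient for the vendor, catastrophic if stolen.
    broad = ApiKey("support-master", frozenset({("*", "read"), ("*", "exec")}),
                   now + timedelta(days=365))
    # A per-queue, eight-hour key: enough for the help desk's job and nothing more.
    narrow = ApiKey("support-helpdesk", frozenset({("ws:helpdesk-queue", "read")}),
                    now + timedelta(hours=8))
    audit = []
    return {
        "broad_reach": blast_radius(broad, now),
        "narrow_reach": blast_radius(narrow, now),
        "narrow_exec_office": authorize(narrow, "ws:exec-office", "read", now, audit),
        "narrow_after_expiry": authorize(narrow, "ws:helpdesk-queue", "read",
                                         now + timedelta(hours=9), audit),
        "audit": audit,   # denied requests are the signal a defender should alert on
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The audit entries for out-of-scope and expired requests are exactly the events worth forwarding to a SIEM, since a legitimate help-desk integration should rarely produce them.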
Conclusion
In conclusion, the attack on the US Treasury was a sign from China that we are still in a cyber war with them and always will be. The files they accessed were not classified and did not seem to be as important as they could have been, but that does not mean the Treasury met the expectations it should have regarding cybersecurity. It is lucky that this wasn't more of a disaster and that the breach was caught before more information could be stolen. More protocols should be put in place to vet and protect American data. The government has the responsibility to protect itself and its citizens from adversarial governments. The American and Chinese governments are never expected to get along 100%, and we must structure our systems with cybersecurity in mind to account for that.