CISA: Investigation Continues, No Broader Federal Impact from Treasury Cyberattack
There are no signs that the cyberattack on the Treasury Department affected other federal agencies, according to a statement released by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday. The agency said it is working closely with BeyondTrust and the Treasury Department to understand the breach and mitigate its impact.
"The security of federal systems and the data they protect is of critical importance to our national security," stated CISA. "We are working aggressively to safeguard against any further impacts and will provide updates, as appropriate." The statement follows the Treasury Department's disclosure a week earlier that it had suffered a "major cybersecurity incident" in which Chinese state-sponsored threat actors gained remote access to certain workstations and unclassified documents.
The attack, discovered in early December 2024, stemmed from a breach of BeyondTrust's own systems in which the adversary obtained a Remote Support SaaS API key and used it to access some of the company's Remote Support SaaS instances. On January 6, 2025, BeyondTrust issued an updated statement saying that "no new customers have been identified beyond those we have communicated with previously." China has denied any involvement in the Treasury breach.
As many as 13,548 internet-exposed BeyondTrust Remote Support and Privileged Remote Access instances had been observed online as of January 6, according to data released by attack surface management firm Censys. Exposure is not the same as compromise: the count reflects reachable instances, not confirmed vulnerable or breached ones.
Last week the Treasury Department's Office of Foreign Assets Control (OFAC) sanctioned a Chinese cybersecurity company, Integrity Technology Group, Incorporated, for allegedly providing infrastructure support to the hacking group Flax Typhoon as part of an ongoing campaign against critical infrastructure in the United States.
The attack on the Treasury is the latest in a series of Chinese intrusions, in which Salt Typhoon has targeted U.S. telecommunications networks and Volt Typhoon has targeted critical infrastructure. According to the Wall Street Journal, Charter Communications, Consolidated Communications, and Windstream are among the nine telecom firms compromised by Salt Typhoon. AT&T, T-Mobile, Verizon, and Lumen Technologies had previously been identified as victims.
In a multi-year campaign running from early 2023 to June 2024, the Chinese state-sponsored threat group known as APT41 broke into the executive branch of the Philippine government and stole sensitive documents relating to South China Sea disputes, according to a report published today by Bloomberg.
China Increases Cyberattacks Against Taiwan
The developments also follow a report from Taiwan's National Security Bureau (NSB) warning of the growing sophistication of cyberattacks that China is coordinating against Taiwan. The NSB recorded 906 cyber incidents against public and private sector organizations in 2024, up from 752 in 2023.
The typical approach is to exploit vulnerabilities in network and communications (Netcom) equipment, then use living-off-the-land (LotL) techniques to gain access, evade detection, deploy malware, steal data, and stage follow-on attacks. Other attack chains rely on spear-phishing emails sent to Taiwanese civil servants.
Other commonly reported Chinese attacks on Taiwanese targets include:
Distributed denial-of-service (DDoS) attacks against the financial and transportation sectors, timed to coincide with PLA military exercises
Ransomware attacks on the manufacturing sector
Theft of proprietary technology from high-tech startups
Theft of Taiwanese citizens' personal data, later sold on underground cybercrime platforms
Social media posts disparaging Taiwan's cybersecurity capabilities in order to undermine public trust in the government
"Attacking the communications field, mainly the telecommunications industry, has grown by 650%, and attacks on the fields of transportation and the defense supply chain have grown by 70% and 57%, respectively," stated the NSB. "By applying diverse hacking techniques, China has conducted reconnaissance, set cyber ambushes, and stolen data through hacking operations targeting Taiwan's government, critical infrastructure, and key private enterprises."
The NSB also accused China of running influence operations and disinformation campaigns on social media sites such as Facebook and X, aimed at eroding public trust in the government and inflaming social tensions. One of the most notable tactics is the use of large numbers of fake accounts to flood the comment sections of platforms popular with Taiwanese users with manipulated videos and meme images. Malicious cyber activity has also been observed hijacking Taiwanese users' social media accounts to spread disinformation.
"China has been using Deepfake technology to fabricate video clips of Taiwanese political figures' speeches, attempting to mislead the Taiwanese public's perception and understanding," said the NSB. "In particular, China actively establishes convergence media brands or proxy accounts on platforms such as Weibo, TikTok, and Instagram, working to spread official media content and Taiwan-focused propaganda."