The U.S. Cybersecurity and Infrastructure Security Agency (CISA) announced on Monday that the cyberattack on the Treasury Department does not appear to have affected other federal agencies.
CISA is collaborating closely with the Treasury and BeyondTrust to gain a clearer picture of the breach and its ramifications. “Protecting federal systems and the data they safeguard is vital for national security,” stated CISA. The agency emphasized that it is taking thorough measures to prevent any additional issues and will share updates as necessary.
This update follows a disclosure from the Treasury Department regarding a “major cybersecurity incident” that allowed Chinese state-backed threat actors to gain remote access to certain computers and unclassified documentation.
The breach, which came to light in early December 2024, involved BeyondTrust’s systems: the attackers gained access through a compromised Remote Support SaaS API key. On January 6, 2025, BeyondTrust confirmed that “no additional customers beyond those already communicated with have been identified.” China has refuted claims of its involvement in breaching the U.S. Treasury.
According to data shared by attack surface management firm Censys, as many as 13,548 exposed BeyondTrust Remote Support and Privileged Remote Access instances were found online as of January 6. Last week, the Treasury Department’s Office of Foreign Assets Control (OFAC) imposed sanctions on a Chinese cybersecurity firm, Integrity Technology Group, for allegedly aiding another hacking group, Flax Typhoon, in targeting U.S. critical infrastructure.
In response to the sanctions, a spokesperson for China’s Foreign Ministry reiterated the nation’s opposition to hacking and condemned the U.S. for using cybersecurity issues to discredit China. Integrity Technology Group has publicly rejected the accusations related to the sanctions, claiming a lack of factual basis.
The cyberattack on the Treasury Department is part of a broader series of intrusions conducted by Chinese threat groups like Volt Typhoon and Salt Typhoon, aimed at U.S. critical infrastructure and telecommunications networks. Recent reports revealed that among the telecom companies breached by Salt Typhoon were Charter Communications, Consolidated Communications, and Windstream, along with major players like AT&T and Verizon.
This worrying trend extends to Taiwan, where the National Security Bureau (NSB) has reported a rise in sophisticated cyberattacks by China, with 906 incidents documented in 2024 compared to 752 in 2023. These attacks often exploit Netcom device vulnerabilities and employ spear-phishing tactics targeting civil servants.
The NSB specifically highlighted that attacks on the telecommunications sector surged by 650%, while those on transportation and defense supply chains increased by 70% and 57%, respectively. The agency has emphasized China’s extensive use of diverse hacking techniques to infiltrate government and critical infrastructure, alongside influence operations on social media platforms to undermine public trust in Taiwan’s government.