Chinese Hackers Who Breached US Treasury Were Seeking Sanctions Data, New Developments Suggest

Filip TRUȚĂ

January 08, 2025


CISA’s latest update on the US Treasury breach may support claims that China is keen to know what sanctions it may face as the US government grapples with foreign cyber intrusions.

A typical supply chain attack

In December, the US Treasury Department said Chinese hackers breached its IT network to steal “unclassified documents.”

In what is commonly referred to as a “supply chain attack” – where the targeted entity falls victim due to a vulnerability at one of its suppliers – hackers exploited a flaw in one of the Treasury’s service providers, identified as BeyondTrust.

BeyondTrust provides cloud services, Software as a Service (SaaS), and Privileged Access Management (PAM).

The vendor notified the Treasury on Dec. 8 that “a threat actor had gained access to a key used by the vendor to secure a cloud-based service used to remotely provide technical support for Treasury Departmental Offices (DO) end users. With access to the stolen key, the threat actor was able to override the service’s security, remotely access certain Treasury DO user workstations, and access certain unclassified documents maintained by those users,” as reported by Reuters.

US sanctions on China

The attackers, it was later revealed, had targeted the Office of Foreign Assets Control (OFAC) as well as the Office of the Treasury Secretary, with the Washington Post citing unnamed US officials as saying China was basically targeting the ‘tools’ used by the US to achieve national security aims, including economic sanctions against adversaries.

An update issued by the Cybersecurity and Infrastructure Security Agency (CISA) this week lends support to this theory, indicating that the attack squarely targeted the US government structure responsible for foreign economic affairs.

“CISA is working closely with the Treasury Department and BeyondTrust to understand and mitigate the impacts of the recent cybersecurity incident,” the agency said Monday. “At this time, there is no indication that any other federal agencies have been impacted by this incident. CISA continues to monitor the situation and coordinate with relevant federal authorities to ensure a comprehensive response […] We are working aggressively to safeguard against any further impacts and will provide updates, as appropriate.”

Current and former officials interviewed by the Washington Post suggested that the Chinese government is poised to learn which Chinese entities the US may be considering designating for financial sanctions.

Systemic cyber intrusions

The US government has recently disclosed multiple intrusions by alleged Chinese hackers, including a broad attack on US telecom operators by a group identified as “Salt Typhoon.”

In November last year, the US imprisoned a Floridian convicted of selling national secrets to China’s intelligence services.

More recently, the US Department of State’s Rewards for Justice (RFJ) announced a $10 million bounty for information pinpointing a Chinese national for his role in the April 2020 compromise of tens of thousands of firewalls worldwide.

Author


Filip TRUȚĂ

Filip has 15 years of experience in technology journalism. In recent years, he has turned his focus to cybersecurity in his role as Information Security Analyst at Bitdefender.
