The US Cybersecurity and Infrastructure Security Agency (CISA) said on Monday that there was no indication that the cyber attack targeting the Treasury Department had affected other federal agencies.
The agency said it is working closely with the Treasury Department and BeyondTrust to better understand and mitigate the breach.
“The security of federal systems and the data they protect is critical to our national security,” CISA said. “We are actively working to guard against any further impacts and will provide updates as needed.”
The latest statement came a week after the Ministry of Finance said it was the victim of a “major cybersecurity incident” that allowed Chinese state threat actors to gain remote access to certain computers and unclassified documents.
The cyberattack, which became known in early December 2024, involved a breach of BeyondTrust’s systems that allowed an adversary to penetrate some instances of the company’s Remote Support SaaS using a compromised Remote Support SaaS API key.
In an updated statement dated January 6, 2025, BeyondTrust said “no new customers other than those we’ve talked to before have been identified.” China has denied the allegations that it breached the US Treasury Department.
Data shared by attack surface management company Censys shows that as of January 6, there were 13,548 exposed instances of BeyondTrust Remote Support and Privileged Remote Access reachable on the internet.
Last week, the Office of Foreign Assets Control (OFAC) of the Treasury Department announced sanctions against Chinese cybersecurity company Integrity Technology Group, Incorporated, accusing it of providing infrastructure support to another hacking group called Linen Typhoon as part of a long-running campaign against critical US infrastructure.
The attack on the Treasury Department is the latest in a wave of intrusions by Chinese threat actors such as Volt Typhoon and Salt Typhoon targeting US critical infrastructure and telecommunications networks, respectively.
The Wall Street Journal revealed that Charter Communications, Consolidated Communications and Windstream were among the nine telecommunications companies breached by Salt Typhoon last weekend. Other organizations previously identified include AT&T, T-Mobile, Verizon and Lumen Technologies.
A new report published today by Bloomberg said that a Chinese state-sponsored threat group called APT41 infiltrated the executive branch of the Philippine government and extracted sensitive data related to disputes over the South China Sea as part of a multi-year campaign from early 2023 to June 2024.
China is stepping up cyber attacks on Taiwan
The developments also followed a report by Taiwan’s National Security Bureau (NSB) that warned of the growing sophistication of China-led cyber attacks against the country. In 2024, 906 cases of cyber incidents were reported against public and private organizations, compared to 752 in 2023.
The modus operandi typically involves exploiting vulnerabilities in Netcom devices and using living-off-the-land (LotL) techniques to establish footholds, evade detection, and deploy malware for subsequent attacks and data theft. Alternative attack chains include sending phishing emails to government officials in Taiwan.
Other widely observed Chinese attacks on Taiwanese targets are listed below –
- Distributed Denial of Service (DDoS) attacks on the transportation and financial sectors coinciding with military exercises by the People’s Liberation Army (PLA)
- Ransomware attacks on the manufacturing sector
- Targeting high-tech startups to steal patented technologies
- Stealing the personal data of Taiwanese citizens to sell it on underground cybercrime forums
- Criticizing Taiwan’s cybersecurity capabilities on social media platforms to undermine trust in the government
“Attacks on communications, mainly the telecommunications industry, increased by 650%, while attacks on transportation and defense of supply increased by 70% and 57%, respectively,” the NSB said.
“Using a variety of hacking techniques, China conducted reconnaissance, cyber ambushes and data theft in hacking operations targeting Taiwan’s government, critical infrastructure and key private enterprises.”
The NSB also accused China of conducting influence operations on Taiwan, conducting disinformation campaigns to undermine public trust in the government, and fueling social divisions through social networks such as Facebook and X.
Prominent among these tactics is the widespread use of fake accounts to populate comment sections on social media platforms used by Taiwanese to spread manipulated meme videos and images. It has also been discovered that malicious cyber activities are hijacking Taiwanese users’ social media accounts to spread misinformation.
“China is using deepfake technology to produce videos of speeches by Taiwanese political figures in an attempt to mislead the perception and understanding of the Taiwanese public,” the NSB said.
“In particular, China is actively creating converged media brands or proxy accounts on platforms such as Weibo, TikTok and Instagram, working to spread official media content and Taiwan-centric propaganda.”