Treasury hackers also breached US foreign investments review office
Silk Typhoon, a Chinese state-backed hacking group, has reportedly breached a Treasury Department office that reviews foreign investments for national security risks.
CNN reported on Friday, citing U.S. officials familiar with the matter, that the attackers gained access to the Committee on Foreign Investment in the United States (CFIUS) systems.
The CFIUS is a government office and interagency committee authorized to review foreign investment and real estate transactions to determine their effect on U.S. national security.
The same attackers also breached the Office of Foreign Assets Control (OFAC), another Treasury Department office, after gaining access to the department's network with a stolen BeyondTrust Remote Support SaaS API key.
Since then, U.S. officials have revealed that the threat actors specifically targeted OFAC, which administers and enforces trade and economic sanctions programs, and likely aimed to collect intelligence on Chinese individuals and organizations the U.S. might consider sanctioning.
On Monday, CISA said the Treasury Department breach did not impact other federal agencies, followed by a Wednesday Bloomberg report attributing the attack to the Silk Typhoon hacking group.
The report confirmed the intelligence theft hypothesis and said that, according to people familiar with the incident, the group is believed to have used the stolen BeyondTrust digital key "to access unclassified information relating to potential sanctions actions and other documents."
Silk Typhoon (also tracked as Hafnium) also hacked the Treasury's Office of Financial Research. The impact of that incident is still being assessed, and investigators have yet to find evidence that the Chinese hackers maintained access to Treasury systems after the compromised BeyondTrust instance was shut down.
This Chinese nation-state hacking group is known for attacking a wide range of organizations in the United States, Australia, Japan, and Vietnam, ranging from defense contractors, policy think tanks, and non-governmental organizations (NGOs) to healthcare, law firms, and higher education entities.
The state-backed hacking group's cyberespionage campaigns mainly focus on reconnaissance and data theft, using zero-day software vulnerabilities and hacking tools like the China Chopper web shell.
Silk Typhoon became widely known in early 2021 after exploiting the ProxyLogon zero-day flaws impacting Microsoft Exchange Server, compromising an estimated 68,500 servers before security patches were released.