US Treasury hack linked to Silk Typhoon Chinese state hackers
Chinese state-backed hackers, tracked as Silk Typhoon, have been linked to the U.S. Office of Foreign Assets Control (OFAC) hack in early December.
Last month, BleepingComputer reported that the Treasury disclosed a significant cybersecurity incident. The attackers used a stolen Remote Support SaaS API key to compromise a BeyondTrust instance used by the Treasury, allowing them to breach the department's network.
The threat actors also hacked the Treasury's Office of Financial Research, but the impact of this breach is still being assessed. However, there was no evidence that the Chinese hackers maintained access to the Treasury systems after the compromised BeyondTrust instance was shut down. CISA also said on Monday that the Treasury Department breach did not impact other federal agencies.
In a letter sent to Congress last week, the Treasury said its remote support provider, BeyondTrust, first notified it of the security breach on December 8th. Since then, U.S. officials revealed that the hackers specifically targeted OFAC—which administers and enforces trade and economic sanctions programs—and were likely aiming to collect intelligence on what Chinese individuals and organizations the U.S. might consider sanctioning.
On Wednesday, a Bloomberg report confirmed this hypothesis and attributed the attack to the Silk Typhoon hacking group. According to two people familiar with the matter, the group is "believed to have stolen a digital key from BeyondTrust Inc., a third-party service provider, and used it to access unclassified information relating to potential sanctions actions and other documents."
Silk Typhoon (also known as Hafnium) is a Chinese nation-state hacking group known for attacking a wide range of targets in the United States, Australia, Japan, and Vietnam, including defense contractors, policy think tanks, and non-governmental organizations (NGOs) as well as healthcare, law firms, and higher education organizations.
This Advanced Persistent Threat (APT) group's cyberespionage campaigns mainly focus on data theft and reconnaissance, using zero-day vulnerabilities and tools like the China Chopper web shell.
Hafnium became more widely known in 2021 after exploiting Microsoft Exchange Server zero-day flaws (collectively known as ProxyLogon), compromising an estimated 68,500 Exchange servers by the time security patches were released.
According to the same Bloomberg report, the Biden administration is also developing an executive order to strengthen the U.S. government's cybersecurity defenses.
The order would require implementing "strong identity authentication and encryption" and developing new guidelines for cloud service providers. These guidelines would mandate using multifactor authentication, complex passwords, and storing cryptographic keys using hardware security keys.