The US Treasury Department announced in a December letter that it had been the victim of a security breach, attributing it to a “state-sponsored advanced persistent threat actor from China.” Now we know more about the scope of the hack, thanks to a Bloomberg report.
The hacking group accessed more than 400 laptops and desktop computers, many of which were linked to senior leaders focused on “sanctions, international affairs and intelligence.” They also accessed employee usernames and passwords, as well as more than 3,000 files on unclassified personal computers. These documents included travel data, organizational charts, sanctions materials, and foreign investment metrics.
An agency report indicates that the perpetrators likely stole a large amount of this data, but were unable to get into Treasury's email or classified systems. Later reports, also from Bloomberg, indicate that around 50 classified files were stolen from Treasury Secretary Janet Yellen's computer. The hackers also accessed materials related to investigations conducted by the Committee on Foreign Investment. This committee reviews the security implications of real estate purchases and foreign investments in the U.S.
The agency's report also notes that there was no evidence to suggest that the hackers attempted to hide in Treasury systems for the purpose of long-term intelligence gathering, and they did not leave behind any malware.
Researchers have attributed the intrusion to a notorious Chinese state-sponsored hacking group known as Silk Typhoon, Hafnium, or UNC5221. It has been suggested that they carried out the hack outside normal working hours to avoid detection. Last month, a Chinese Foreign Ministry spokesperson called the allegation that the attack was state-sponsored “unjustified and unfounded.”
Counterintelligence officials are still in the midst of a “comprehensive damage assessment,” but Treasury employees will report on the matter to the Senate Banking, Housing and Urban Affairs Committee this week.
Update, January 17, 2025, 10:47 am ET: This story has been updated to include additional reporting.