A recent breach of the US Treasury yielded access to Secretary Janet Yellen’s computer along with those of two of her lieutenants, according to inside sources speaking to Bloomberg News reporters. Chinese hackers have been blamed, but the breach reportedly yielded access to only a small number of unclassified files.
Deputy Secretary Wally Adeyemo and Acting Under Secretary Brad Smith also had their computers accessed during the breach. Though there is not yet any indication that information of serious concern was stolen, the attack is yet another in a pattern involving Chinese hackers managing to penetrate high-level targets and gain an alarming level of access.
US Treasury breach attributed to Silk Typhoon team of Chinese hackers
The US Treasury hack was first confirmed on the final day of 2024 in a letter sent to lawmakers that was shared with the media by department officials, and the agency says that it became aware of it on December 8. That breach involved a third-party vendor called BeyondTrust, a cloud security and technical support contractor for the agency. The attack was attributed to state-backed Chinese hackers at the time, specifically a group referred to as Silk Typhoon or UNC5221. The hackers worked outside of normal business hours to help evade detection, but were eventually spotted internally by BeyondTrust, which then reported the incident to the Treasury.
The new development is the report of Yellen and her lieutenants having their computers compromised, though the sources say that no more than 50 files on Yellen’s computer were accessed. The US Treasury has previously called the breach a “major incident” and has confirmed that the Chinese hackers accessed materials on sanctions, intelligence and international affairs, but also said that they did not penetrate the email system or any classified segments of the network. The hackers compromised 400 desktop and laptop computers in total and had access to some 3,000 files on personal devices, and were able to access some unspecified amount of employee usernames and passwords.
US Treasury staff went to Capitol Hill last week to brief Congress about the incident, but Treasury spokesman Chris Hayden has declined to comment to the media on the story update. The Chinese government, as it always does in these cases, denies that Chinese hackers were responsible.
There are so many “Typhoon” groups causing havoc at high levels that it is becoming difficult to keep track of them all. Salt Typhoon and Volt Typhoon have dominated headlines since 2023 with their assorted campaigns, but Silk Typhoon has been a major threat for some years now. The Chinese hackers have been named as responsible for the 2021 Microsoft Exchange Server breach, as well as a broad attack on telecom companies from late 2021 to early 2022 that made use of the group’s custom Tarrask malware.
Trump administration to inherit unresolved China cybersecurity situation
The transition between presidential administrations will take place with the Chinese hackers still in active operation, and with the damage they have done still being catalogued. The Salt Typhoon campaign looks to have begun in early-mid 2023 and breaches of ISPs are continuing to be revealed. The US Treasury attack appears to be less damaging than some, but is indicative of the seeming inability to keep high-level state-sponsored threats out of the national government and critical infrastructure.
It is unclear what effect the Trump administration will end up having. Activity by Chinese hackers ramped up severely during the Biden administration, particularly in its second half, but that appears to have coincided with a serious increase in tensions over Taiwan and the possibility of military escalation by China. Trump has generally appeared less interested in defending the nation than the Biden administration and even many establishment Republicans, intimating that Taiwan will need to up its spending on US military systems if it wants continued assistance. However, he has also called for tariffs at a minimum of 60% for all goods brought in from China. Trump has told advisors that he wants to travel to China to meet with President Xi Jinping before his first 100 days in office are up.
The US Treasury was included in the sweeping 2020 breach of the federal government via SolarWinds, VMware and Microsoft exploits. That incident was traced to Russian state-backed teams, though Chinese hackers followed on once some of the exploits were published. The US Treasury was one of the first agencies to be compromised by the SolarWinds Orion updates. It is still unclear (at least to the general public) exactly what was exposed in that breach, but it is thought that government email accounts were compromised, and full recovery from the breach was projected at the time to take as much as a year and a half.