China Targeted Foreign Investment, Sanctions Offices in Treasury Hack: Reports


Chinese cyberspies targeted several offices, including ones dealing with foreign investments and sanctions, in the recent cyberattack aimed at the US Treasury Department, according to news reports.

Little technical information has been made public regarding the Treasury hack while authorities are investigating the full extent of the breach. 

It was revealed in late December 2024 that hackers believed to be operating on behalf of the Chinese government accessed US Treasury systems in what was described as a major cybersecurity incident. 

It’s unclear how many systems and what types of documents were compromised, but the US government said the attackers managed to gain access to unclassified information after accessing Treasury workstations.

Initial access was apparently gained by the hackers using a compromised API key for a remote management service from BeyondTrust, which confirmed that a key for a remote support product had been compromised and that a limited number of customers were impacted.

BeyondTrust also revealed that a critical zero-day vulnerability tracked as CVE-2024-12356 was discovered during its investigation into the attack. While the identity and access security firm has not explicitly said so, it appears that the flaw was exploited in the Treasury attack.

CNN learned from three unnamed US officials who are familiar with the matter that in the case of the Treasury hack, the attackers breached systems associated with the Committee on Foreign Investment in the US (CFIUS), which reviews foreign investments for national security risks.

Separately, the Washington Post reported (paywalled article) that the Chinese hackers also targeted the Treasury’s Office of Foreign Assets Control (OFAC), which is responsible for sanctions, as well as the Office of the Treasury Secretary and the Office of Financial Research. 


Two officials confirmed to CNN that the Chinese threat actors targeted the Treasury’s sanctions office. According to CNN, officials are concerned that China may be able to piece together the compromised unclassified information to gain useful intelligence. 

The revelations come just days after the Treasury announced sanctions against a Beijing-based cybersecurity company for its alleged role in hacking incidents targeting critical US infrastructure — specifically attacks linked to a threat actor named Flax Typhoon. China denied the accusations and protested the sanctions. 

The US cybersecurity agency CISA said last week that there was no evidence that federal agencies other than the Treasury Department were impacted by the BeyondTrust incident. 

Bloomberg reported last week that the attack on the Treasury Department has been linked to a Chinese group tracked as Silk Typhoon, which is also known as Hafnium.

China is believed to be behind a recent campaign targeting at least nine US telecom firms in an effort to gain access to the communications of Americans, particularly government officials and prominent political figures.
