US Treasury hack highlights threat of Chinese supply chain espionage

Event:

The US Department of the Treasury has experienced a “major cybersecurity incident”, according to an official statement released on 30 December 2024. 

Assessment:

According to the statement, Treasury systems were accessed after a threat actor was able to compromise a cloud-based service provided by one of the department’s suppliers. The threat actor used this access to steal unclassified documents. The full scale of the intrusion is likely as yet unknown.

The statement notes that the incident has been attributed to a “China state-sponsored Advanced Persistent Threat (APT) actor”. The US has previously attributed espionage campaigns enabled by supply chain compromise to China, most notably with the SolarWinds campaign [LINK]. Attribution has historically been a politically and diplomatically sensitive process, but the casual attribution to China in this instance suggests that this is changing. This shift reflects a growing awareness in the US public discourse over the scale and breadth of Chinese state and state-sponsored hacking activity [LINK]. 

The third-party software provider, BeyondTrust, made a public statement about a security investigation involving its Remote Support SaaS on 8 December 2024 [LINK]. The vulnerability that enabled the threat actor to gain access was identified by the US Cybersecurity and Infrastructure Security Agency (CISA) on 19 December 2024 [LINK]. We assess with a high degree of confidence that other organisations will have been compromised using the same vector.

Outlook:

Over the next month, an acceleration of cyber operations by Chinese state and state-sponsored threat actors is highly likely, as they seek to maximise exploitation of this vulnerability before remediation efforts close this window. Counterintuitively, increased public awareness of this activity reduces the incentives for restraint on the part of Chinese state and state-sponsored threat actors, who will be emboldened by the lack of a visible political response from the US. Accordingly, we expect further examples of cyber espionage enabled by this vulnerability to emerge in the coming month.

An alternative scenario is that Chinese cyber exploitation becomes a high-priority issue for the incoming administration of Donald Trump. In this scenario, Trump would threaten political and economic retaliation against China if further hacks emerge, prompting a period of restraint by Chinese state threat actors (but potentially not among private sector contractors). However, we assess this scenario to be unlikely given public ambivalence over this issue and the competing policy priorities of the incoming administration.
