{
	"id": "5cc7ecef-a8e6-4a55-b00b-bf388fcf28bc",
	"created_at": "2026-04-06T00:14:00.228759Z",
	"updated_at": "2026-04-10T03:35:48.577527Z",
	"deleted_at": null,
	"sha1_hash": "397e91c54aa0107a244d42b78d6f4094879bbbe2",
	"title": "Treasury hackers also breached US foreign investments review office",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3141463,
	"plain_text": "Treasury hackers also breached US foreign investments review office\r\nBy Sergiu Gatlan\r\nPublished: 2025-01-10 · Archived: 2026-04-05 20:01:11 UTC\r\nSilk Typhoon Chinese state-backed hackers have reportedly breached a Treasury Department office that reviews foreign\r\ninvestments for national security risks.\r\nCNN reported on Friday, citing U.S. officials familiar with the matter, that the attackers gained access to the Committee on\r\nForeign Investment in the United States (CFIUS) systems.\r\nThe CFIUS is a government office and interagency committee authorized to review foreign investment and real estate\r\ntransactions to determine their effect on U.S. national security.\r\nThe same attackers also breached the Office of Foreign Assets Control (OFAC), another Treasury Department office that\r\nadministers trade and economic sanctions programs, using a stolen BeyondTrust Remote Support SaaS API key to breach\r\nthe department's network.\r\nSince then, U.S. officials revealed that the threat actors specifically targeted OFAC—which administers and enforces trade\r\nand economic sanctions programs—and likely aimed to collect intelligence on Chinese individuals and organizations the\r\nU.S. might consider sanctioning.\r\nOn Monday, CISA said the Treasury Department breach did not impact other federal agencies, followed by a Wednesday\r\nBloomberg report attributing the attack to the Silk Typhoon hacking group.\r\nThe report confirmed the intelligence theft hypothesis and said that, according to people familiar with the incident, the group\r\nis believed to have used the stolen BeyondTrust digital key \"to access unclassified information relating to potential sanctions\r\nactions and other documents.\"\r\nSilk Typhoon (Hafnium) also hacked the Treasury's Office of Financial Research. However, the impact of this incident is\r\nstill being assessed, and investigators have yet to find evidence that the Chinese hackers maintained access to the Treasury\r\nsystems after the breached BeyondTrust instance was shut down.\r\nThis Chinese nation-state hacking group is known for attacking a wide range of organizations in the United States, Australia,\r\nJapan, and Vietnam, ranging from defense contractors, policy think tanks, and non-governmental organizations (NGOs) to\r\nhealthcare, law firms, and higher education entities.\r\nThe state-backed hacking group's cyberespionage campaigns mainly focus on reconnaissance and data theft, using zero-day\r\nsoftware vulnerabilities and hacking tools like the China Chopper web shell.\r\nSilk Typhoon became widely known in early 2021 after exploiting the ProxyLogon zero-day flaws impacting Microsoft\r\nExchange Server, compromising an estimated 68,500 servers before security patches were released.\r\nSource: https://www.bleepingcomputer.com/news/security/treasury-hackers-also-breached-us-foreign-investments-review-office/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/treasury-hackers-also-breached-us-foreign-investments-review-office/"
	],
	"report_names": [
		"treasury-hackers-also-breached-us-foreign-investments-review-office"
	],
	"threat_actors": [
		{
			"id": "7c969685-459b-4c93-a788-74108eab6f47",
			"created_at": "2023-01-06T13:46:39.189751Z",
			"updated_at": "2026-04-10T02:00:03.241102Z",
			"deleted_at": null,
			"main_name": "HAFNIUM",
			"aliases": [
				"Red Dev 13",
				"Silk Typhoon",
				"MURKY PANDA",
				"ATK233",
				"G0125",
				"Operation Exchange Marauder"
			],
			"source_name": "MISPGALAXY:HAFNIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2704d770-43b4-4bc4-8a5a-05df87416848",
			"created_at": "2022-10-25T15:50:23.306305Z",
			"updated_at": "2026-04-10T02:00:05.296581Z",
			"deleted_at": null,
			"main_name": "HAFNIUM",
			"aliases": [
				"HAFNIUM",
				"Operation Exchange Marauder",
				"Silk Typhoon"
			],
			"source_name": "MITRE:HAFNIUM",
			"tools": [
				"Tarrask",
				"ASPXSpy",
				"Impacket",
				"PsExec",
				"China Chopper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "529c1ae9-4579-4245-86a6-20f4563a695d",
			"created_at": "2022-10-25T16:07:23.702006Z",
			"updated_at": "2026-04-10T02:00:04.71708Z",
			"deleted_at": null,
			"main_name": "Hafnium",
			"aliases": [
				"G0125",
				"Murky Panda",
				"Red Dev 13",
				"Silk Typhoon"
			],
			"source_name": "ETDA:Hafnium",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434440,
	"ts_updated_at": 1775792148,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/397e91c54aa0107a244d42b78d6f4094879bbbe2.pdf",
		"text": "https://archive.orkl.eu/397e91c54aa0107a244d42b78d6f4094879bbbe2.txt",
		"img": "https://archive.orkl.eu/397e91c54aa0107a244d42b78d6f4094879bbbe2.jpg"
	}
}