{
	"id": "83951ccf-332f-4cbe-a98e-1e0fe9aa4399",
	"created_at": "2026-04-06T00:15:31.339618Z",
	"updated_at": "2026-04-10T03:35:48.3601Z",
	"deleted_at": null,
	"sha1_hash": "74daf0def052de0df4d05e5d0dee861d78c35826",
	"title": "US Treasury hack linked to Silk Typhoon Chinese state hackers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1853987,
	"plain_text": "US Treasury hack linked to Silk Typhoon Chinese state hackers\r\nBy Sergiu Gatlan\r\nPublished: 2025-01-09 · Archived: 2026-04-05 19:09:50 UTC\r\nChinese state-backed hackers, tracked as Silk Typhoon, have been linked to the U.S. Office of Foreign Assets Control (OFAC) hack in early December.\r\nLast month, BleepingComputer reported that the Treasury disclosed a significant cybersecurity incident. The attackers used a stolen Remote Support SaaS API key to compromise a BeyondTrust instance used by the Treasury, allowing them to breach the department's network.\r\nThe threat actors also hacked the Treasury's Office of Financial Research, but the impact of this breach is still being assessed. However, there was no evidence that the Chinese hackers maintained access to the Treasury systems after the compromised BeyondTrust instance was shut down. CISA also said on Monday that the Treasury Department breach did not impact other federal agencies.\r\nIn a letter sent to Congress last week, the Treasury said its remote support provider, BeyondTrust, first notified it of the security breach on December 8th. Since then, U.S. officials revealed that the hackers specifically targeted OFAC—which administers and enforces trade and economic sanctions programs—and were likely aiming to collect intelligence on what Chinese individuals and organizations the U.S. might consider sanctioning.\r\nOn Wednesday, a Bloomberg report confirmed this hypothesis and attributed the attack to the Silk Typhoon hacking group. According to two people familiar with the matter, the group is \"believed to have stolen a digital key from BeyondTrust Inc., a third-party service provider, and used it to access unclassified information relating to potential sanctions actions and other documents.\"\r\nSilk Typhoon (also known as Hafnium) is a Chinese nation-state hacking group known for attacking a wide range of targets in the United States, Australia, Japan, and Vietnam, including defense contractors, policy think tanks, and non-governmental organizations (NGOs) as well as healthcare, law firms, and higher education organizations.\r\nThis Advanced Persistent Threat (APT) group's cyberespionage campaigns mainly focus on data theft and reconnaissance, using zero-day vulnerabilities and tools like the China Chopper web shell.\r\nHafnium became more widely known in 2021 after exploiting Microsoft Exchange Server zero-day flaws (collectively known as ProxyLogon), compromising an estimated 68,500 Exchange servers by the time security patches were released.\r\nAccording to the same Bloomberg report, the Biden administration is also developing an executive order to strengthen the U.S. government's cybersecurity defenses.\r\nThe order would require implementing \"strong identity authentication and encryption\" and developing new guidelines for cloud service providers. These guidelines would mandate using multifactor authentication, complex passwords, and storing cryptographic keys using hardware security keys.\r\nSource: https://www.bleepingcomputer.com/news/security/us-treasury-hack-linked-to-silk-typhoon-chinese-state-hackers/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/us-treasury-hack-linked-to-silk-typhoon-chinese-state-hackers/"
	],
	"report_names": [
		"us-treasury-hack-linked-to-silk-typhoon-chinese-state-hackers"
	],
	"threat_actors": [
		{
			"id": "7c969685-459b-4c93-a788-74108eab6f47",
			"created_at": "2023-01-06T13:46:39.189751Z",
			"updated_at": "2026-04-10T02:00:03.241102Z",
			"deleted_at": null,
			"main_name": "HAFNIUM",
			"aliases": [
				"Red Dev 13",
				"Silk Typhoon",
				"MURKY PANDA",
				"ATK233",
				"G0125",
				"Operation Exchange Marauder"
			],
			"source_name": "MISPGALAXY:HAFNIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2704d770-43b4-4bc4-8a5a-05df87416848",
			"created_at": "2022-10-25T15:50:23.306305Z",
			"updated_at": "2026-04-10T02:00:05.296581Z",
			"deleted_at": null,
			"main_name": "HAFNIUM",
			"aliases": [
				"HAFNIUM",
				"Operation Exchange Marauder",
				"Silk Typhoon"
			],
			"source_name": "MITRE:HAFNIUM",
			"tools": [
				"Tarrask",
				"ASPXSpy",
				"Impacket",
				"PsExec",
				"China Chopper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "529c1ae9-4579-4245-86a6-20f4563a695d",
			"created_at": "2022-10-25T16:07:23.702006Z",
			"updated_at": "2026-04-10T02:00:04.71708Z",
			"deleted_at": null,
			"main_name": "Hafnium",
			"aliases": [
				"G0125",
				"Murky Panda",
				"Red Dev 13",
				"Silk Typhoon"
			],
			"source_name": "ETDA:Hafnium",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434531,
	"ts_updated_at": 1775792148,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/74daf0def052de0df4d05e5d0dee861d78c35826.pdf",
		"text": "https://archive.orkl.eu/74daf0def052de0df4d05e5d0dee861d78c35826.txt",
		"img": "https://archive.orkl.eu/74daf0def052de0df4d05e5d0dee861d78c35826.jpg"
	}
}