Treasury’s Sanctions Office Hacked by Chinese Government, Officials Say
13:43 JST, January 2, 2025
Chinese government hackers breached a highly sensitive office in the Treasury Department that administers economic sanctions against countries and groups of individuals – one of the most potent tools possessed by the United States to achieve national security aims, according to U.S. officials.
The targeting of the Office of Foreign Assets Control (OFAC) as well as the Office of the Treasury Secretary – developments not previously reported – reflects Beijing’s determination to acquire intelligence on its most significant rival in the global competition for power and influence, said the officials, who like others interviewed for this report spoke on the condition of anonymity because of the matter’s sensitivity.
A top area of interest for the Chinese government, current and former officials said, would be Chinese entities that the U.S. government may be considering designating for financial sanctions.
The hack also compromised the Treasury Department’s Office of Financial Research, according to the officials. The full impact of the breach, which was disclosed by Treasury in a letter to Congress on Monday, is still being assessed. The documents accessed were unclassified and there is no evidence the hacker still has access to Treasury systems, the department said.
A spokesman for the Treasury Department declined to comment. The Chinese foreign ministry has called claims of the breach “groundless,” and said that Beijing “has always opposed all forms of hacker attacks.”
The breach was conducted through the hack of a software contractor serving the Treasury Department – part of a troubling trend of government intrusions enabled, officials say, by lax cybersecurity employed by some third-party vendors.
The incident occurred as the U.S. government is grappling with another major cyberespionage campaign attributed to the Chinese government. The breach of nine American telecommunications companies – what one top lawmaker called “the worst telecom hack in our nation’s history” – by a group dubbed Salt Typhoon has alarmed industry and the government, and the Federal Communications Commission is considering a proposal for regulation advanced by Chairwoman Jessica Rosenworcel, which is expected to be voted on this month.
The Biden administration has undertaken a broad effort, using executive authorities, to mandate cybersecurity standards for critical sectors such as pipelines, rail and aviation. The regulations have improved rates of compliance across those industries, U.S. officials said, adding that they believe greater compliance will lead to more resilient networks and infrastructure.
Meanwhile, relations between the United States and China remain tense, as President-elect Donald Trump prepares to reenter the White House threatening even harsher tariffs against Beijing than he imposed in his first term. During his campaign last year, he proposed duties of 60 percent or more on all imports from China, a move that could provoke a globe-rattling trade war.
Even as Trump and Chinese officials have expressed some hope for cooperation, the president-elect has named to his circle of advisers China hawks who have signaled a desire to press Beijing on everything from alleged human rights abuses to deceptive trade practices. A Chinese breach of a critical element of the U.S. national security apparatus could fuel their case, analysts said.
Treasury Assistant Secretary for Management Aditi Hardikar described the latest incident as “major” in her letter to Senate Banking Committee leadership. She said Treasury was alerted to the breach on Dec. 8 by the contractor, BeyondTrust.
BeyondTrust said in a statement to The Post that it has “notified the limited number of customers who were involved” in the breach, and is working to support them. It also said law enforcement was notified and the company is supporting the investigation.
Even unclassified documents can be very useful to a competitor like China, current and former officials said.
A breach of OFAC, in particular, could lead to the disclosure of sensitive information about government sanctions deliberations. Before designating a target, OFAC compiles an “administrative record” that purports to show how the evidence collected meets the statutory or regulatory criteria for designation.
The records can include everything from open-source materials to “law enforcement sensitive” information and classified material provided by U.S. or foreign law enforcement, according to four former government officials. The unclassified materials are frequently stored on the government’s unclassified systems, and these may include emails or communications with other agencies and units within Treasury.
Classified material and law enforcement sensitive information, such as the identities of secret law enforcement sources, are stored separately.
But there is enough in the unclassified record that could enable an adversary to glean useful insights into how the United States is developing sanctions on foreign targets, as well as the identities of potential targets for designation. Indeed, the unclassified information in the administrative record is used to compile the news release that Treasury issues after a designation that names the person or entity being sanctioned and why.
“Gaining access to even unclassified information held by OFAC could provide the Chinese government with valuable intelligence, as such information is used to build a case for sanctioning organizations and individuals,” said David Laufman, who previously oversaw sanctions enforcement in the Justice Department’s National Security Division.
The incident is the latest in a decades-long string of computer intrusions attributed to the Chinese aimed at stealing intelligence from the U.S. government and corporate secrets from private-sector systems to help them gain a leg up in the global economic, technological and security competition.
The Chinese hacked OFAC in the early 2000s, recalled one former OFAC official, who was there at the time. Unclassified emails from the OFAC general counsel’s office were compromised, said the former official.
More recently, the Chinese government, which the United States views as its most significant long-term national security challenge, has been gaining access to critical infrastructure systems around the country to lie in wait in the event they one day want to physically disrupt those networks in a potential conflict with the West, officials said.
In this most recent case, the hackers appeared to be seeking information. They obtained access to unclassified Treasury documents by compromising a key that BeyondTrust used to secure a cloud-based service providing technical support, according to Hardikar’s letter to lawmakers disclosing the breach.
Compromising the key allowed the hackers to override security protocols and access a number of Treasury workstations, Hardikar said.
The Office of the Secretary contains a number of workstations, and the computer of Treasury Secretary Janet L. Yellen was not known to be compromised, said two U.S. officials.
The hackers’ ability to compromise a security key used by government contractors is a recurring problem. A major hack of the State and Commerce departments last year, also attributed to Chinese cyberspies, was enabled in part by an outdated signing key that Microsoft failed to secure, according to an investigation by the Cyber Safety Review Board, a body of government and industry experts. In that incident, the Chinese government accessed unclassified emails of high-ranking officials including Commerce Secretary Gina Raimondo and U.S. Ambassador to China Nicholas Burns, officials said.
The White House is finalizing an executive action that will address this issue, officials said.