China Has Hacked the US Government at Least Twelve Times Since 2014
Pentagon to bar Chinese battery makers, UK to criminalize sexually explicit deepfakes, Yellen raises Treasury hacking with Chinese vice premier, Washington state sues T-Mobile over breach, UN aviation agency hacked, Chinese hackers breached Philippines gov't, Fraunhofer hit by ransomware, much more
Check out my latest CSO piece that breaks down some of the top spending items in the $30 billion allocated to the US military in the FY2025 NDAA.
Summary of the most critical infosec developments you should know today
- The Pentagon published a notice in the Federal Register listing firms that it deems to be operating in the United States for, or on behalf of, the Chinese military or that contribute to China’s military buildup, including China’s largest EV battery manufacturer and its largest tech firm, which will be barred from DoD contracts starting in June 2026.
- The UK government announced that creating and sharing sexually explicit "deepfakes" will become a criminal offense in Britain in a bid to tackle a surge in the proliferation of such images, mainly targeting women and girls.
- The US Cybersecurity and Infrastructure Security Agency said there was "no indication" the recently reported breach at the US Treasury Department by Chinese state-sponsored threat actors had affected any other federal agency.
- US Treasury Secretary Janet Yellen met virtually with Chinese Vice Premier He Lifeng and raised concerns about "malicious cyber activity" carried out by Chinese state-sponsored actors.
- The US state of Washington sued T-Mobile over allegations that the phone giant failed to secure the personal data of millions of state residents before an August 2021 data breach affected more than 79 million customers across the country.
- The United Nations' civil aviation agency is investigating reports of a "potential information security incident" following a claim that tens of thousands of its records were stolen.
- Sources say Chinese state-sponsored hackers penetrated the executive branch of the Philippines government and stole sensitive data as part of a yearslong campaign.
- Ontario Provincial Police in Canada are investigating an unspecified "cyber incident" that has affected the Kingston Police Service.
- The Fraunhofer Institute for Industrial Engineering IAO (Fraunhofer IAO) in Stuttgart, Germany, disclosed that its systems were targeted in a ransomware attack on 27 December 2024.
- Argentina’s airport security police (PSA) fell victim to a cyberattack that reportedly compromised its officers' and civilians' personal and financial data.
- California resident Ken Liem is suing three Asia-based banks over allegations they failed to conduct basic checks that might have prevented crypto scammers from defrauding him of nearly $1 million.
- Researchers at Kaspersky report that new variants of the Eagerbee malware framework are being deployed against government organizations and internet service providers (ISPs) in the Middle East.
- Researchers at Cyfirma report that a new Android data-stealing malware named ‘FireScam’ is being distributed as a premium version of the Telegram app via phishing websites on GitHub that mimic the RuStore, Russia's app market for mobile devices.
- Firmware in cellular routers, secure routers, and network security appliances made by Moxa is vulnerable to a pair of high-severity bugs that can escalate an attacker's privileges, give root-level access, or allow unauthorized execution of commands.
- According to newly released data from Telegram, the popular social network and messaging app, which has also become a hotbed for serious criminal activity, provided US authorities with data on more than 2,200 users last year.
- In late December 2024, New York Governor Kathy Hochul signed two bills into law updating the state's data breach notification requirements under its general business law.
As a reminder, on Tuesdays and Thursdays, our premium subscribers have full access to our original content, expansive summaries, intelligently clustered related articles, our best and worst things of the day, and our customary closing thoughts.
So, please consider upgrading your subscription today to access this content along with Metacurity's full archives.
There have been thirty breaches of the US federal government since 1996, twelve attributable to China
According to Metacurity’s research, the attack on the US Treasury by a Chinese state-sponsored threat actor is just the latest in a string of thirty significant breaches of federal government organizations or adjacent systems (see list and description below) that stretches back to 1996 when the Russian hacking group Turla, run by Russia’s FSB intel agency, launched a massive info-stealing operation on US military targets in an operation known as Moonlight Maze.
An examination of the thirty publicly reported breaches reveals the following observations:
- Nineteen of the breaches were affiliated with foreign threat actors, although in some cases, it’s not clear if the threat actor was tied to a foreign government.
- China tops the list of countries associated with these breaches, with twelve of the breaches either confirmed or strongly suspected as flowing from China.
- Russia is the second most frequent source of foreign-tied cyber incidents, with five of the twenty-seven breaches coming from Russian threat actors, starting with Moonlight Maze.
- Two cases were linked, at least in press reports, to unknown foreign actors.
- Vietnam and Iran were each associated with one major incident.
- Nine major government breaches, as reported by the press (with the likelihood that intel agencies ultimately determined the culprits), were associated with unknown actors.
- Teen hackers and an operational error each accounted for one incident.
- One major federal government incident was due to a non-state-affiliated hacker group (The Dark Overlord).
Check out our timeline and breach summaries below for more details on these breaches. If any significant incident escaped our attention or something looks amiss, please drop us a line at info@metacurity.com.