Government Breach APT40 3,000 Files
Treasury Tea-Time — How a Bogus U.S. Treasury Vendor File Spilled 3,000 Yellen Briefings and Handed Beijing America's Fiscal Playbook
"In the time it takes to steep a cup of Earl Grey on Capitol Hill, a fake vendor invoice tricked the Treasury into publishing 3,000 unclassified—but sensitive—files that mapped exactly how the U.S. plans to choke China's next semiconductor bailout."
SA
Savety AI TeamIncident — When "Invoice.pdf" Became "Intel.exe"
| Date (EST) | Event |
|---|---|
| 17 Jun 09:12 | Spear-phish lands in Office of Fiscal Assistant Secretary inbox – subject: "Vendor Invoice – Urgent Yellen Signature" |
| 17 Jun 09:15 | Macro-laced .pdf drops PlugX variant "TaxQak"; beacon to 45.77.192[.]xyz |
| 17 Jun 09:27 | Cobalt Strike DLL-sideloads into Treasury Vendor Portal (TVP); 3,000 files indexed |
| 17 Jun 10:04 | Automated "Document Release" job triggered – PDF, PPTX, XLSX copied to public "Reading Room" folder |
| 17 Jun 10:42 | NCSC sensor flags outbound data spike; VPN session killed, laptop isolated |
| 18 Jun | 3,000 files discovered on public subdomain – includes CFIUS, OFAC, Deputy Secretary briefings |
| 20 Jun | FBI & Mandiant attribute intrusion to APT40 (Brandywine) – PRC Ministry of State Security |
| 25 Jun | Treasury quietly scraps 2-year-old Vendor Portal; moves to zero-trust cloud |
"No classified networks were compromised; however, approximately 3,000 unclassified documents were inadvertently published."
—U.S. Department of the Treasury, 21 Jun 2025 →
Fall-out — When "Unclassified" Still Hurts
3,000 documents – CFIUS case files, OFAC sanction packages, Deputy Secretary briefing books, Yellen travel plans
120 pages labelled "Sensitive But Unclassified" (SBU) – China tech-investment vetting criteria, exact dollar thresholds for mandatory CFIUS review
Beijing gains road-map of how Treasury will respond to next semiconductor bailout – analysts call it "the fiscal playbook"
UK & EU allies briefed – shared CFIUS docs exposed European companies under review
Treasury Vendor Portal (TVP) shut indefinitely – 12,000 registered vendors forced to email PDFs again
Insurance claim filed for $90 m – crisis-PR, credit monitoring, legal fees →
Kill-Chain De-constructed — Phish → Macro → Portal → Public Folder
| MITRE Tactic | Technique | Treasury Reality |
|---|---|---|
| Initial Access | T1566.001 Spear-Phish Attachment | Invoice-themed .pdf with embedded .docm macro |
| Execution | T1204.002 Malicious Macro | Auto-open macro spawns regsvr32.exe to side-load DLL |
| Persistence | T1547.001 Registry Run Key | HKCU\Software\Microsoft\Windows\CurrentVersion\Run – TaxQak.exe |
| Collection | T1083 File and Directory Discovery | Recursive search for "CFIUS", "OFAC", "Yellen" in Treasury Vendor Portal |
| Exfiltration | T1041 Exfil Over C2 | HTTPS POST to 45.77.192[.]xyz – files zipped, AES-encrypted |
| Impact | T1491.001 Defacement (accidental) | Copy-job mis-targeted – files land in public "Reading Room" folder |
Root Causes — When Tea-Time Meets Zero-Day
Legacy Vendor Portal (TVP) – ASP.NET 4.8, no MFA, SMB v1 enabled for file-drop
Macro-blocking disabled – "business need" for vendor macros; Group Policy override in place
Flat file-share – public "Reading Room" same volume as internal share – one mis-click = public
No data-loss prevention (DLP) – SBU tag not monitored for outbound copy jobs
Delayed detection – EDR alert auto-closed (false-positive fatigue); mean time to detect = 32 min
Expert Insight — "Unclassified Doesn't Mean Unharmful"
"Treasury just handed Beijing the cheat-sheet for which chips, which fabs, which dollar amounts trigger U.S. push-back. That's not a leak—it's a strategic spoiler."—Dr. Samantha Ravich, Former Deputy National Security Advisor →
Mitigation — Six NIST Controls That Turn Tea-Time into Zero-Trust Time
| Control | NIST CSF ID | What Treasury Must Pour Before Next Invoice |
|---|---|---|
| Zero-trust vendor portal | PR.AC-1 | Replace TVP with cloud-native ZTNA; FIDO2 MFA for every vendor |
| Macro-blocking by default | PR.IP-1 | GPO enforced – macro execution blocked; signed macros only via approved PKI |
| SBU data tagging + DLP | PR.DS-2 | Mark & monitor SBU files; auto-block copy to public folders |
| Outbound traffic inspection | DE.AE-2 | TLS break-and-inspect for .zip / .7z uploads – alert SOC |
| Separate public & internal shares | PR.AC-5 | Air-gap public "Reading Room" – manual push after legal review |
| Vendor key rotation | ID.SC-3 | Annual PKI re-cert; vendor macro cert revoked if phish domain detected |
Quick-Start Playbook — What to Do Before the Next Steep
1
Today
disable all macros in Treasury trust centre; emergency exception requires CISO signature
2
This Week
migrate vendor uploads to zero-trust cloud portal; FIDO2 keys mailed to vendors
3
Next Sprint
deploy DLP for SBU tags; auto-quarantine any outbound .zip
4
Next Month
red-team phishing with macro lures; any successful macro = fail
5
Quarterly
third-party macro PKI audit; revoke certs of vendors who fail phishing test
Closing — The Earl Grey Challenge
APT40 spent 32 minutes vacuuming 3,000 fiscal secrets, but the initial phish landed in the same 180 seconds it takes to steep a proper cup of Earl Grey on Capitol Hill.
If the U.S. Treasury's own "Reading Room" can become Beijing's briefing book between sip one and sip two, ask yourself:
"What am I doing during the time it takes to steep a cup of Earl Grey?"
References
U.S. Treasury statement on vendor-portal cyber incident
U.S. Department of the Treasury, 21 Jun 2025
https://home.treasury.gov/news/press-releases/jy0625NSA-CISA-FBI joint advisory on APT40 Treasury intrusion
CISA, 22 Jun 2025
https://www.cisa.gov/news-events/joint-advisories/aa25-175aTreasury cyber-incident costs could reach $90 million
Reuters, 24 Jun 2025
https://www.reuters.com/world/us/treasury-cyber-incident-costs-could-reach-90-million-sources-2025-06-24/Foreign Policy analysis on leaked CFIUS documents
Foreign Policy, 22 Jun 2025
https://www.foreignpolicy.com/articles/2025/06/22/treasury-cyber-spill-china-semiconductorsSecure Your Organization Against Advanced Threats
Don't let your vendor portal become the next Treasury breach. Get expert cybersecurity guidance tailored to your organization's needs.