Salt Typhoon and the Treasury Breach — State-Sponsored Hacking Hits Home

Osmond van Hemert
Breaches & Zero-Days - This article is part of a series.
Part : This Article

We’re barely into 2025 and the cybersecurity landscape is already demanding attention. In late December, the US Treasury Department confirmed it was breached by Chinese state-sponsored hackers through a compromised third-party service provider — BeyondTrust, a company specializing in, of all things, privileged access management. The irony isn’t lost on anyone in the security community.

This breach is part of the larger Salt Typhoon campaign that’s been making headlines since the fall. What started as reports of telecom infiltrations — with AT&T, Verizon, and T-Mobile among the targets — has now expanded to include federal agencies. The scope of this campaign is staggering, and it’s the kind of story that should make every engineer rethink their assumptions about supply chain security.

What Happened at Treasury

The attack vector is particularly instructive. BeyondTrust, which provides remote support and privileged access solutions to government agencies, discovered that attackers had obtained a key used to secure their cloud-based remote technical support service. With that key, the attackers could override security controls and remotely access Treasury Department workstations and unclassified documents.

Let that sink in: a single compromised API key at a third-party vendor gave nation-state attackers access to federal government workstations. This isn’t a sophisticated zero-day exploit chain. It’s a supply chain compromise that leveraged trust relationships — the exact kind of attack that’s been the industry’s blind spot for years.

The Treasury Department has said the compromised service has been taken offline and there’s no evidence the attackers still have access. But the damage assessment is ongoing, and unclassified doesn’t mean unimportant — Treasury handles sensitive economic data, sanctions information, and financial intelligence.

The Supply Chain Problem Won’t Go Away

If this feels like déjà vu, it should. SolarWinds in 2020. Kaseya in 2021. The MOVEit breach in 2023. The pattern is consistent: rather than attacking hardened primary targets directly, sophisticated adversaries compromise trusted vendors and ride those trust relationships into their actual targets.

What makes this particularly challenging is that organizations are being told to adopt zero-trust architectures while simultaneously being forced to extend trust to dozens of SaaS providers, managed service providers, and cloud vendors. The Treasury Department presumably followed federal security guidelines. They presumably vetted BeyondTrust. And yet here we are.

For those of us building and deploying software, this raises uncomfortable questions. How many third-party services have API keys or tokens that could provide similar access to our infrastructure? How would we even detect if one of those keys was compromised? Most organizations I’ve worked with have at best a partial inventory of their third-party integrations and the access levels those integrations have been granted.

The Telecom Dimension

The broader Salt Typhoon campaign targeting telecommunications providers is arguably even more concerning. Reports suggest the attackers accessed call records, communications of specific targets (including individuals involved in government and political activities), and systems used for court-authorized wiretapping.

The telecom breaches highlight a fundamental tension in security policy. Governments mandate that telecom providers build lawful intercept capabilities — backdoors, essentially — and then act surprised when sophisticated adversaries find and exploit those same capabilities. The CALEA (Communications Assistance for Law Enforcement Act) infrastructure that enables wiretapping also creates a target for foreign intelligence services.

This is something I’ve argued about for years in various contexts: you cannot build a backdoor that only the “good guys” can use. Any deliberate weakness in a system is a weakness, period. The Salt Typhoon campaign is providing a very expensive real-world demonstration of this principle.

What Engineering Teams Should Do

While most of us aren’t defending against nation-state actors directly, the lessons from Salt Typhoon apply broadly:

Audit third-party access. Map every external service that has credentials, API keys, or tokens providing access to your infrastructure. Understand what level of access each one has. Apply least privilege ruthlessly — if a monitoring service only needs read access to metrics, it shouldn’t have write access to anything.

Rotate credentials proactively. Don’t wait for a breach disclosure. Implement regular rotation of API keys and service account credentials. If a vendor can’t support credential rotation, that’s a red flag worth discussing.

Monitor for anomalous access patterns. The Treasury breach was initially detected by BeyondTrust itself. But organizations should have their own detection capabilities for unusual access patterns from third-party services — access at odd hours, from unexpected IP ranges, or to resources that aren’t typically accessed through that integration.

Evaluate vendor security posture. Ask your critical vendors about their own security practices. SOC 2 reports are a start, but they’re backward-looking. Ask about their incident response times, their own supply chain security practices, and how they’d notify you of a compromise.
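The four steps above (inventory the integration, pin it to least privilege, and then watch for access that falls outside that profile) can be turned into a concrete detection. The following is an added example, not code from the original post: it encodes a constructed inventory of two third-party integrations (names, vendor egress CIDRs, allowed resources, methods and active hours are all made up) and runs constructed audit-log lines through checks for the three anomaly types the post names: odd hours, unexpected IP ranges, and resources the integration does not normally touch. The log format is likewise an assumption for illustration.

```python
"""Flag anomalous access by third-party integrations from constructed audit logs.

Added example (not from the original post). The log format, integration
names, CIDRs and resource paths are all constructed for illustration.
"""
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed inventory of third-party integrations and what each is expected to do.
# In practice this is the output of the "audit third-party access" step.
INTEGRATIONS = {
    "metrics-collector": {
        "allowed_networks": [ip_network("203.0.113.0/24")],   # vendor egress range (TEST-NET-3, constructed)
        "allowed_resources": {"/api/metrics"},
        "allowed_methods": {"GET"},                            # read-only: least privilege for a metrics poller
        "active_hours_utc": range(0, 24),                      # polls around the clock
    },
    "remote-support": {
        "allowed_networks": [ip_network("198.51.100.0/24")],  # TEST-NET-2, constructed
        "allowed_resources": {"/api/sessions", "/api/workstations"},
        "allowed_methods": {"GET", "POST"},
        "active_hours_utc": range(13, 22),                     # support sessions only during business hours
    },
}


def parse_line(line: str) -> dict:
    """Parse one constructed log line: 'ISO8601 integration src_ip METHOD resource'."""
    ts, integration, src_ip, method, resource = line.split()
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "integration": integration,
        "src_ip": ip_address(src_ip),
        "method": method,
        "resource": resource,
    }


def findings_for(event: dict) -> list[str]:
    """Return the reasons an event deviates from its integration's expected profile."""
    profile = INTEGRATIONS.get(event["integration"])
    if profile is None:
        return ["unknown integration (not in inventory)"]
    reasons = []
    if not any(event["src_ip"] in net for net in profile["allowed_networks"]):
        reasons.append(f"source {event['src_ip']} outside allowed networks")
    if event["ts"].astimezone(timezone.utc).hour not in profile["active_hours_utc"]:
        reasons.append(f"access at {event['ts'].isoformat()} outside active hours")
    if event["resource"] not in profile["allowed_resources"]:
        reasons.append(f"resource {event['resource']} not in integration's allowed set")
    if event["method"] not in profile["allowed_methods"]:
        reasons.append(f"method {event['method']} exceeds least-privilege profile")
    return reasons


def scan(lines: list[str]) -> list[tuple[str, list[str]]]:
    """Run every log line through the checks; return (line, reasons) for the anomalous ones."""
    results = []
    for line in lines:
        reasons = findings_for(parse_line(line))
        if reasons:
            results.append((line, reasons))
    return results


# Constructed sample log lines; the last three are the ones a defender would want flagged.
SAMPLE_LOG = [
    "2025-01-06T15:04:05Z metrics-collector 203.0.113.7 GET /api/metrics",
    "2025-01-06T15:10:00Z remote-support 198.51.100.20 POST /api/sessions",
    "2025-01-07T03:12:44Z remote-support 198.51.100.20 GET /api/workstations",    # odd hours
    "2025-01-07T15:30:00Z remote-support 192.0.2.99 GET /api/workstations",       # unexpected IP range
    "2025-01-07T16:00:00Z metrics-collector 203.0.113.7 POST /api/workstations",  # wrong resource and method
]

if __name__ == "__main__":
    for line, reasons in scan(SAMPLE_LOG):
        print(line)
        for reason in reasons:
            print("   -", reason)
```

The point of keeping the profile per integration rather than per user is that a vendor credential, once stolen, is still "valid"; the only signal left is that it is being used in ways the integration never needed. A profile that already reflects least privilege makes that deviation visible, which is why the audit step and the monitoring step belong together.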

My Take

I’ve been in this industry long enough to remember when “perimeter security” was considered sufficient. We moved to defense-in-depth, then to zero trust, and yet we keep getting caught by the same fundamental problem: we have to trust something, and attackers are very good at finding and exploiting those trust relationships.

The Salt Typhoon campaign isn’t just a government problem or a telecom problem. It’s a preview of the threat landscape for 2025. State-sponsored groups are patient, well-resourced, and increasingly targeting the connective tissue between organizations rather than the organizations themselves.

If there’s one New Year’s resolution worth making for your engineering team, it’s this: spend a day mapping your third-party trust relationships and honestly assessing how a compromise at any one of them would affect your systems. The answer will probably keep you up at night — but that’s better than finding out the hard way.
