The Treasury Department is the executive agency responsible for promoting economic prosperity and ensuring the financial security of the United States. The Department is responsible for a wide range of activities such as advising the President on economic and financial issues, encouraging sustainable economic growth, and fostering improved governance in financial institutions. The Department of the Treasury operates and maintains systems that are critical to the nation's financial infrastructure, such as the production of coin and currency, the disbursement of payments to the American public, revenue collection, and the borrowing of funds necessary to run the federal government. The Department works with other federal agencies, foreign governments, and international financial institutions to encourage global economic growth, raise standards of living, and to the extent possible, predict and prevent economic and financial crises. The Treasury Department also performs a critical and far-reaching role in enhancing national security by implementing economic sanctions against foreign threats to the U.S., identifying and targeting the financial support networks of national security threats, and improving the safeguards of our financial systems.

U.S. Department of the Treasury A.I CyberSecurity Scoring

UDT

Company Details

Linkedin ID: us-treasury
Employees number: 14,324
Number of followers: 152,701
NAICS: 92
Industry Type: Government Administration
Homepage: treasury.gov
IP Addresses: Scan still pending
Company ID: U.S_1802045
Scan Status: In-progress

UDT Risk Score (AI oriented): Between 550 and 599


U.S. Department of the Treasury

Current Score: 591, Ca (Very Poor)
6 incidents
-19.0 avg impact

Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.

APRIL 2026: 591
MARCH 2026: 589
FEBRUARY 2026: 587
JANUARY 2026: 583
DECEMBER 2025: 579
NOVEMBER 2025: 575
OCTOBER 2025: 571
SEPTEMBER 2025: 566
AUGUST 2025: 580
Cyber Attack
22 Aug 2025 • U.S. Treasury's Office of Foreign Assets Control (OFAC)
Murky Panda (Silk Typhoon) Exploits Trusted Cloud Relationships for Cyberespionage

The Chinese state-sponsored hacking group **Murky Panda (Silk Typhoon)** exploited trusted cloud relationships and zero-day vulnerabilities to breach the **U.S. Treasury’s Office of Foreign Assets Control (OFAC)**. By compromising a SaaS provider’s cloud environment, the attackers gained access to application registration secrets in **Entra ID (formerly Azure AD)**, allowing them to authenticate as a legitimate service and infiltrate downstream networks. This enabled them to **read sensitive emails, steal confidential government data, and maintain persistent access** through backdoor accounts with escalated privileges. The attack leveraged **supply chain vulnerabilities**, abusing delegated administrative privileges (DAP) granted to cloud providers, which allowed Murky Panda to move laterally across multiple tenants. Their use of **custom malware (CloudedHope RAT), web shells (Neo-reGeorg, China Chopper), and compromised SOHO devices as proxies** ensured stealthy, long-term access while evading detection. The breach posed a **severe risk to national security**, given OFAC’s role in enforcing economic sanctions and combating financial threats. The attackers’ **operational security (OPSEC) measures**, including log tampering and timestamp manipulation, further obscured forensic traces, amplifying the threat’s sophistication and impact.

561
critical -19
US-526082425
cyberespionage supply chain attack cloud compromise
exploitation of trusted cloud relationships (SaaS providers, Microsoft CSPs) zero-day vulnerabilities (e.g., Citrix NetScaler CVE-2023-3519, Ivanti Pulse Connect CVE-2025-0282) ProxyLogon (Microsoft Exchange) compromised SOHO devices as proxies web shells (Neo-reGeorg, China Chopper) custom Linux RAT (CloudedHope)
CVE-2023-3519 (Citrix NetScaler) ProxyLogon (Microsoft Exchange) CVE-2025-0282 (Ivanti Pulse Connect VPN) zero-day vulnerabilities in SaaS provider cloud environments Entra ID application registration secrets Delegated Administrative Privileges (DAP) in Microsoft cloud solutions
cyberespionage (targeting government, technology, legal, and professional services for sensitive data)
emails sensitive organizational data application data cloud environments (Microsoft Entra ID, SaaS providers) downstream customer networks compromised SOHO devices (used as proxies) servers with deployed web shells (Neo-reGeorg, China Chopper)
Operational Impact: long-term stealthy access for data exfiltration, persistence via backdoor accounts
Brand Reputation Impact: high risk for targeted organizations (government, legal, professional services)
CrowdStrike (investigation/reporting) recommended: monitor Entra ID service principal sign-ins, enforce MFA for cloud accounts, patch cloud infrastructure
emails sensitive organizational data application data
Sensitivity Of Data: high (government, legal, and professional services data)
Trusted cloud relationships (e.g., SaaS providers, CSPs with DAP) are high-value targets for APT groups. Zero-day exploits in cloud environments enable stealthy lateral movement to downstream customers. Monitoring for unusual Entra ID service principal activity is critical for detecting abuse of trusted relationships. Compromised SOHO devices can be repurposed as proxies to evade geographic-based detection. Custom malware (e.g., CloudedHope RAT) and open-source tools (e.g., Neo-reGeorg) are used for persistence.
Monitor Entra ID logs for anomalous service principal sign-ins. Enforce multi-factor authentication (MFA) for all cloud provider accounts, especially those with administrative privileges. Promptly patch cloud-facing infrastructure, including zero-day vulnerabilities. Restrict delegated administrative privileges (DAP) and review Admin Agent group memberships. Segment cloud environments to limit lateral movement via trusted relationships. Deploy behavioral detection for web shells (e.g., Neo-reGeorg, China Chopper) and custom malware. Audit and rotate application registration secrets in Entra ID. Monitor for traffic originating from compromised SOHO devices.
ongoing (per CrowdStrike and Microsoft reports)
Organizations relying on cloud/SaaS providers advised to review trust models and monitoring practices.
compromised cloud service providers (SaaS, Microsoft CSPs) zero-day vulnerabilities in cloud environments internet-exposed devices (Citrix NetScaler, Ivanti VPN, Microsoft Exchange) compromised SOHO devices (as proxies) custom backdoor accounts in customer Entra ID environments Neo-reGeorg/China Chopper web shells CloudedHope RAT government agencies (e.g., OFAC, CFIUS) technology and legal firms academic institutions professional services with sensitive data
Over-reliance on trusted cloud relationships without sufficient monitoring. Lack of visibility into delegated administrative privileges (DAP) in cloud environments. Delayed patching of zero-day vulnerabilities in cloud-facing infrastructure. Insufficient detection for web shells and custom malware in compromised systems. Implement stricter access controls for cloud provider accounts (e.g., least privilege, MFA). Enhance logging and monitoring for Entra ID and other identity providers. Conduct regular audits of third-party cloud provider access and permissions. Deploy advanced threat detection for post-exploitation tools (e.g., RATs, web shells). Isolate SOHO devices from corporate networks to prevent proxy abuse.
JULY 2025: 577
JUNE 2025: 573
MAY 2025: 569
MARCH 2025: 627
Breach
01 Mar 2025 • US Treasury
Breach of US Treasury by Chinese Hackers

The breach of the US Treasury by Chinese hackers, including 12 individuals indicted by the Department of Justice, resulted in significant data compromise. Over a three-month period, at least 400 PCs were infiltrated, leading to the theft of more than 3,000 files. This attack highlights the risk posed by autonomous state-sponsored hacking groups that target and steal sensitive information from high-profile international entities and sell it to government clients for strategic advantage.

556
critical -71
US-000030825
Data Breach
Espionage Strategic Advantage
Data Compromised: More than 3,000 files
Systems Affected: At least 400 PCs
Type Of Data Compromised: Sensitive information
Number Of Records Exposed: More than 3,000 files
Sensitivity Of Data: High
12 individuals indicted by the Department of Justice
Reconnaissance Period: Three-month period
JANUARY 2025: 682
Breach
01 Jan 2025 • United States Treasury
United States Treasury Breach

The United States Treasury suffered a 'major' breach when an Advanced Persistent Threat group, believed to be linked to the Chinese government, exploited flaws in BeyondTrust software. The attackers stole an authentication key, gaining access to department computers and managing to steal 'certain unclassified documents'. Although the documents were unclassified, the breach's full extent and its downstream risks, such as exposure to financial manipulation and international diplomatic consequences, are still under assessment.

621
critical -61
US-000011025
Data Breach
Exploited flaws in BeyondTrust software
Authentication key theft
Data Theft
Data Compromised: Unclassified documents
Systems Affected: Department computers
Type Of Data Compromised: Unclassified documents
Sensitivity Of Data: Unclassified
Entry Point: BeyondTrust software
Root Causes: Flaws in BeyondTrust software
DECEMBER 2024: 741
Breach
01 Dec 2024 • US Treasury Department
US Treasury Department Breach

A breach in early December 2024 at the US Treasury Department involved remote access by hackers to Treasury computers, compromising certain unclassified documents. By exploiting vulnerabilities in remote support software from BeyondTrust, identified as CVE-2024-12356 and CVE-2024-12686, attackers stole an authentication key, enabling system access. Although the breach was attributed to a Chinese state-sponsored APT actor, no ongoing access was found. The incident prompted collaboration with the FBI, CISA, and intelligence agencies for a comprehensive evaluation.

680
critical -61
US-000010125
Breach
Remote Access
CVE-2024-12356 CVE-2024-12686
Data Theft
Data Compromised: Unclassified documents
Systems Affected: Treasury computers
FBI CISA intelligence agencies
Type Of Data Compromised: Unclassified documents
Sensitivity Of Data: Low
Entry Point: Remote support software from BeyondTrust
Root Causes: Vulnerabilities in remote support software
DECEMBER 2022: 734
Cyber Attack
01 Dec 2022 • U.S. Department of the Treasury
Hacking Attacks Against US Federal Entities

Companies suffered as a result of hacking attacks against US federal entities; affected departments included the US Department of Homeland Security, the Department of Commerce, and the Department of the Treasury. Early this year, as reported by the FBI and CISA, Iranian government-sponsored hackers gained access to the network of an unnamed US federal agency and used the Log4Shell vulnerability to install crypto miners and make use of stolen passwords. According to the advisory, "Cyber threat actors advanced to the domain controller (DC), compromised credentials, implanted Ngrok reverse proxies on multiple hosts to maintain persistence, and then exploited the Log4Shell vulnerability in an unpatched VMware Horizon server to install XMRig crypto mining software."

715
critical -19
USD13361222
Hacking
Log4Shell vulnerability Stolen passwords Ngrok reverse proxies
Log4Shell vulnerability in an unpatched VMware Horizon server
Cryptocurrency mining
Domain controller (DC) Multiple hosts VMware Horizon server
FBI CISA
Entry Point: Log4Shell vulnerability
Backdoors Established: Ngrok reverse proxies
Domain controller (DC) VMware Horizon server
Root Causes: Unpatched VMware Horizon server
JANUARY 2018: 784
Breach
01 Jan 2018 • Booz Allen Hamilton, Internal Revenue Service and U.S. Department of the Treasury: Feds yank contracts with Booz Allen Hamilton after Trump tax leak
Treasury Cancels Booz Allen Hamilton Contracts After Massive Tax Data Leak

The U.S. Department of the Treasury announced on Monday the termination of all contracts with consulting firm Booz Allen Hamilton following a major breach involving the leak of sensitive tax information. The decision comes after former IRS contractor Charles Edward Littlejohn, who worked for Booz Allen, was sentenced in 2024 to five years in prison for disclosing confidential tax records, including those of former President Donald Trump, to media outlets. Between 2018 and 2020, Littlejohn provided stolen tax data to *The New York Times* and *ProPublica*, an act prosecutors described as "unparalleled in the IRS's history." The breach exposed records belonging to approximately 406,000 individuals, though the Treasury’s statement did not explicitly mention Trump’s leaked returns. Treasury Secretary Scott Bessent stated that the cancellation was necessary to "increase Americans' trust in government," citing Booz Allen’s failure to implement adequate safeguards for sensitive taxpayer data. The department had 31 active contracts with the firm, totaling $4.8 million in annual spending and $21 million in total obligations. Court documents revealed that Littlejohn intentionally sought the contractor role to access Trump’s tax returns, using his technical skills to extract data without detection. At his sentencing in January 2024, he acknowledged his actions, stating, *"I used my skills to systematically violate the privacy of thousands of people."* Booz Allen Hamilton has not yet commented on the termination.

639
critical -145
BOOIRSUS-1769454012
Data Breach
Insider Threat
Inadequate safeguards for sensitive data
Intentional disclosure to media outlets
Financial Loss: $21 million (total contract obligations)
Data Compromised: Sensitive tax records
Systems Affected: IRS tax record systems
Operational Impact: Termination of contracts with Booz Allen Hamilton
Brand Reputation Impact: Loss of trust in government and contractor
Identity Theft Risk: High
Law Enforcement Notified: Yes
Containment Measures: Termination of contracts
Communication Strategy: Public statement by Treasury Secretary
Type Of Data Compromised: Tax records
Number Of Records Exposed: 406,000
Sensitivity Of Data: High (confidential taxpayer information)
Data Exfiltration: Yes
Personally Identifiable Information: Yes
Legal Actions: Criminal prosecution of Charles Edward Littlejohn
Need for improved safeguards and monitoring of contractors with access to sensitive data
Enhance insider threat detection, implement stricter access controls, and conduct regular audits of contractor activities
Completed (sentencing of threat actor)
Public statement by Treasury Secretary Scott Bessent
High Value Targets: Former President Donald Trump's tax returns
Root Causes: Inadequate safeguards for sensitive data, insider threat exploitation
Corrective Actions: Termination of contracts with Booz Allen Hamilton

Frequently Asked Questions

According to Rankiteo, the current A.I.-based Cyber Score for U.S. Department of the Treasury is 591, which corresponds to a Very Poor rating.

According to Rankiteo, the A.I. Rankiteo Cyber Score for March 2026 was 589.

According to Rankiteo, the A.I. Rankiteo Cyber Score for February 2026 was 587.

According to Rankiteo, the A.I. Rankiteo Cyber Score for January 2026 was 583.

According to Rankiteo, the A.I. Rankiteo Cyber Score for December 2025 was 579.

According to Rankiteo, the A.I. Rankiteo Cyber Score for November 2025 was 575.

According to Rankiteo, the A.I. Rankiteo Cyber Score for October 2025 was 571.

According to Rankiteo, the A.I. Rankiteo Cyber Score for September 2025 was 566.

According to Rankiteo, the A.I. Rankiteo Cyber Score for August 2025 was 580.

According to Rankiteo, the A.I. Rankiteo Cyber Score for July 2025 was 577.

According to Rankiteo, the A.I. Rankiteo Cyber Score for June 2025 was 573.

According to Rankiteo, the A.I. Rankiteo Cyber Score for May 2025 was 569.

Over the past 12 months, the average per-incident point impact on U.S. Department of the Treasury’s A.I Rankiteo Cyber Score has been -19.0 points.

You can access U.S. Department of the Treasury’s cyber incident details on Rankiteo by visiting the following link: https://www.rankiteo.com/company/us-treasury.

You can find the summary of the A.I Rankiteo Risk Scoring methodology on Rankiteo by visiting the following link: Rankiteo Algorithm.

You can view U.S. Department of the Treasury’s profile page on Rankiteo by visiting the following link: https://www.rankiteo.com/company/us-treasury.

With scores of 18.5/20 from OpenAI ChatGPT, 20/20 from Mistral AI, and 17/20 from Claude AI, the A.I. Rankiteo Risk Scoring methodology is validated as a market leader.