Tuesday, January 7

China-backed hackers breach US Treasury workstations in ‘major incident’

The US Treasury Department has revealed that hackers, allegedly backed by the Chinese government, infiltrated its workstations in what officials are calling a “major cybersecurity incident.” The breach, which the department disclosed to lawmakers on Monday, involved the use of a stolen security key to access certain Treasury systems and unclassified documents.

According to a letter reviewed by CNN, the Treasury was notified of the intrusion on December 8 by BeyondTrust, a third-party software service provider. The hackers reportedly used the stolen key to override the service's security controls and remotely access several departmental workstations.

Aditi Hardikar, the Treasury’s assistant secretary for management, attributed the breach to a Chinese state-sponsored Advanced Persistent Threat (APT) actor. In the letter, Hardikar described the incident as significant, noting that such intrusions are classified as “major cybersecurity incidents” under Treasury policy.

Treasury responds to the breach

Following the disclosure, the Treasury Department took the compromised service offline and coordinated with the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the intelligence community to investigate the breach.

“There is no evidence indicating the threat actor has continued access to Treasury systems or information,” a Treasury spokesperson told CNN. However, the full scope of the breach and its potential damage remain unclear.

BeyondTrust, the software provider implicated in the incident, said the attack targeted its Remote Support product. The company first detected “anomalous behavior” in the product on December 2, confirmed a compromise on December 5, and subsequently notified affected customers. It has since revoked the compromised key, quarantined the impacted instances, suspended those instances, and hired an external cybersecurity firm to assist in the investigation.

“No other BeyondTrust products were involved,” a spokesperson for the company stated, adding that law enforcement is actively investigating the incident.

Classified briefing planned

The Treasury has scheduled a classified briefing with staffers from the House Financial Services Committee to discuss the breach in detail. No date has been set, but the briefing itself signals how seriously the department is treating the incident.

Hardikar’s letter also outlined the department’s ongoing efforts to fully understand the scope of the attack. The investigation involves collaboration with multiple federal agencies, including CISA, the FBI, and third-party forensic experts.

The department has committed to providing a 30-day supplemental report to Congress with additional details about the breach and its impact.

Chinese government denies involvement

China’s Foreign Ministry has denied the accusations, dismissing them as baseless. Speaking at a regular news briefing on Tuesday, ministry spokesperson Mao Ning said, “We have repeatedly stated our position on such groundless accusations lacking evidence. China has always opposed all forms of cyberattacks, and we are even more opposed to spreading false information about China for political purposes.”

Despite these denials, the breach has heightened tensions between the United States and China, particularly in the realm of cybersecurity.

Details of the attack

The breach involved a stolen key used by BeyondTrust to secure a cloud-based (SaaS) service that the Treasury relies on for remote technical support; BeyondTrust has described it as a Remote Support SaaS API key. Because an API key of this kind acts as a bearer credential for the service, whoever holds it can act with the service's own privileges. The attackers used it to override the service's security controls and gain unauthorized access to departmental user workstations, without needing to defeat the Treasury's own authentication.

The exact number of compromised workstations has not been disclosed, though a Treasury spokesperson confirmed that “several” were affected. The documents that were accessed were unclassified, but officials have not said whether sensitive material was among them.

BeyondTrust publicly addressed the attack on its website on December 8, outlining the steps taken to contain the incident and mitigate future threats. The company has continued to post updates on the investigation as it works with law enforcement and outside cybersecurity experts.

Broader implications

The breach represents the latest in a series of high-profile cyberattacks targeting US government agencies. It highlights the risk concentrated in third-party software and service providers: a vendor's remote-access service holds standing privileged access to every customer environment it reaches, so compromising a single vendor credential can give an advanced threat actor a path into many organizations at once.

The Treasury’s swift acknowledgment of the incident and its collaboration with federal agencies underscore the heightened awareness of cybersecurity risks across the federal government. However, the incident also raises questions about the effectiveness of existing safeguards and the preparedness of agencies to respond to such sophisticated attacks.

As investigations continue, the incident serves as a stark reminder of the escalating cyber tensions between the United States and China, with cybersecurity remaining a critical battleground in the broader geopolitical rivalry.