Chinese state-sponsored hackers breached U.S. Treasury Department computer security this month and stole documents in what Treasury officials called a “major incident,” according to a letter provided to Reuters on Monday.
The hackers compromised a third-party cybersecurity service provider, BeyondTrust, and were able to access unclassified documents, the letter said.
According to the article, the hackers “gained access to a key used by the vendor to secure a cloud-based service used by Treasury Department offices (DO) to provide remote technical support to end users. With access to the stolen key, the threat actor was able to bypass the service’s security, remotely access certain Treasury DO user workstations, and access certain unclassified documents maintained by those users.”
“Based on available indicators, the incident has been attributed to a China state-sponsored Advanced Persistent Threat (APT) actor,” the letter said.
The Treasury Department said it was alerted to the breach by BeyondTrust on Dec. 8 and that it was working with the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the FBI to assess the impact of the hack.
Treasury officials responded to emails seeking more details about the breach. The FBI did not immediately respond to Reuters’ requests for comment, and CISA referred questions back to the Treasury Department.
“China has always opposed all forms of hacker attacks,” Mao Ning, a spokesman for China’s Foreign Ministry, said at a regular news briefing on Tuesday.
A spokesman for the Chinese Embassy in Washington denied any responsibility for the hacking, saying Beijing “firmly opposes the US’s smear attacks on China without any factual basis.”
A spokesman for BeyondTrust, based in Johns Creek, Georgia, told Reuters in an email that the company “previously identified and took steps to resolve a security incident related to its remote support product in early December 2024.” BeyondTrust has “notified a limited number of affected customers” and has notified law enforcement, the spokesperson said. “BeyondTrust is assisting with investigative efforts.”
A statement on the company’s website shared some details of the investigation, noting that a digital key was compromised in the incident and that an investigation is ongoing, the spokesperson said. The statement was last updated on December 18.
Tom Hegel, a threat researcher at cybersecurity firm SentinelOne (S.N), said the reported security incident “fits a well-documented pattern of operations by PRC-linked groups and focuses specifically on the misuse of trusted third-party services — a pattern that has become increasingly prominent in recent years,” using an acronym for the People’s Republic of China.