The U.S. Treasury informed lawmakers in a letter on Monday that it had been targeted in a cyberattack earlier in December, which the department has linked to Chinese government-backed hackers. According to the letter, which was shared with senior U.S. House lawmakers and reviewed by TechCrunch, the hackers successfully gained remote access to certain Treasury employee workstations. While the breach involved unclassified documents, the Treasury labeled the incident a “major cybersecurity incident.”
The attack underscores ongoing concerns about foreign cyber threats, especially from state-sponsored groups, and raises questions about the security of sensitive government data. While the documents accessed were unclassified, the breach highlights vulnerabilities within critical government infrastructure and could have far-reaching implications for national security and diplomatic relations.

The Treasury has since initiated a response, working to mitigate the breach and secure its systems, but the full extent of the attack and its potential impact on U.S. operations remains unclear.

The U.S. Treasury was notified on December 8 by BeyondTrust, a company that provides identity access and remote support technology to large organizations and government departments, that hackers had gained access to a key used by the vendor for providing remote access technical support to Treasury employees.
This notification followed BeyondTrust’s disclosure of the breach, although the company did not specify how the key was obtained.

The compromised key allowed the attackers to gain unauthorized access to Treasury workstations, marking a significant vulnerability in the Treasury’s remote support infrastructure. This breach adds to concerns about the security of third-party vendors and their access to sensitive government systems. BeyondTrust’s involvement in the incident highlights the risks posed by such external partnerships, where the compromise of a single vendor’s system can lead to widespread access to critical networks and data.

The Treasury has not disclosed the full scope of the attack, including whether any classified or highly sensitive information was accessed. However, the breach has raised alarms about potential espionage or other malicious activities tied to the Chinese government-backed hackers. The Treasury continues to investigate the incident while strengthening its cybersecurity measures.
A spokesperson for BeyondTrust did not respond to a request for comment at the time of press.

The U.S. Treasury stated in the letter that it engaged the U.S. Cybersecurity and Infrastructure Security Agency (CISA) for assistance following the breach. As of December 30, the Treasury reported that there was no evidence to suggest the threat actor retained access to Treasury systems or information.

The Treasury confirmed that the breach was attributed to a Chinese state-sponsored advanced persistent threat (APT) group, indicating that the attack was backed by the Chinese government. However, the Treasury did not specify which particular APT group was responsible for the intrusion, and a spokesperson declined to provide further details on the identity of the attackers.

The involvement of a state-sponsored group raises significant concerns about the scale and intent of the attack, suggesting a highly coordinated and sophisticated operation aimed at accessing government networks.

Despite the lack of clarity on which group was responsible, the incident underscores ongoing tensions between the U.S. and China over cyber espionage and the security of critical government infrastructure.
In a brief statement, Treasury spokesperson Michael Gwin confirmed that hackers were able to “remotely access several Treasury user workstations and certain unclassified documents maintained by those users.”

Gwin emphasized the seriousness with which the Treasury treats all cyber threats, particularly those targeting its systems and the sensitive data they hold. “Treasury takes very seriously all threats against our systems, and the data it holds. Over the last four years, Treasury has significantly bolstered its cyber defense, and we will continue to work with both private and public sector partners to protect our financial system from threat actors,” the spokesperson said.

This incident adds to a growing list of cyberattacks linked to China targeting U.S. government entities. A recent campaign attributed to China-backed hackers, known as Salt Typhoon, involved a wave of attacks against U.S. telecommunications companies, including AT&T and Verizon. The goal of these attacks appeared to be gaining access to sensitive communications, including those of senior U.S. government officials, such as presidential candidates.
In response to the Treasury’s attribution of the attack to Chinese state-sponsored hackers, Liu Pengyu, a spokesperson for the Chinese Embassy in Washington, D.C., denied the U.S. government’s claims, stating that the United States had not provided sufficient evidence to support the allegation. This denial is consistent with China’s previous responses to similar accusations of cyber espionage, which it frequently dismisses as unsubstantiated.