U.S. Treasury Breached By People’s Republic of China (PRC) In ‘Major Incident’

by Ahmet Kus

U.S. officials have disclosed a state-sponsored Chinese hacker infiltrated the U.S. Treasury Department’s systems, gaining access to employee workstations and some unclassified documents.

The breach, which occurred in early December, was revealed in a letter the Treasury Department sent to lawmakers notifying them of the incident.

The department classified the intrusion as a “major incident” and stated that it has been collaborating with the FBI and other agencies to assess the breach’s scope and consequences.

The Treasury’s letter detailed that the breach was enabled by a key associated with a third-party service provider, BeyondTrust, which offers remote technical support. Hackers were able to gain access to a key used by the vendor to override certain parts of the system. BeyondTrust’s systems have since been taken offline. Officials confirmed there is no evidence that the hacker has continued to access Treasury systems.

After the alert from BeyondTrust, the Treasury Department contacted the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and external forensic investigators. The agencies are currently working with the department to determine the breach’s full impact. Preliminary findings suggest the attack was conducted by a “China-based Advanced Persistent Threat (APT) actor,” according to officials.

“In line with Treasury policy, intrusions attributed to an APT are treated as major cybersecurity incidents,” the letter to lawmakers stated.

The department became aware of the hack on December 8, after being notified by BeyondTrust. The company had detected suspicious activity on December 2 but took three days to confirm it was under attack.

During this period, the hacker reportedly gained remote access to multiple user workstations and certain unclassified documents stored on them. The Treasury has not disclosed the specific content or sensitivity of the accessed files, nor has it clarified the breach’s duration or the hierarchy of affected systems.

It appears the threat actors exploited this access to intercept text messages, voicemails, and phone calls of specific targets, as well as to retrieve wiretap information related to individuals under law enforcement investigation.

Experts note that access to many low-level user accounts may hold less strategic value than access to a smaller number of high-ranking accounts. It is also possible the hacker created new accounts or altered passwords during the time they were active.
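The possibility raised above, that an intruder created accounts or changed passwords while active, is exactly the kind of thing an incident responder checks first in the audit trail. The following is an added illustration, not code from the Treasury, BeyondTrust or the original article: it scans constructed sample audit lines in a hypothetical one-line-per-event format, keeps account creations and credential changes that fall inside the December 2 to December 8 window the article gives (the year 2024 is an assumption; the page states no year), and flags those performed by a remote-support service identity, which is the shape of the vendor-key scenario described. The service account name `svc-remote-support` and the log format are both invented for the example.

```python
from datetime import datetime, timezone
import re

# Incident window taken from the article: suspicious activity first seen
# December 2, Treasury notified December 8. Year assumed to be 2024.
WINDOW_START = datetime(2024, 12, 2, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 12, 8, 23, 59, 59, tzinfo=timezone.utc)

# Event types worth reviewing after a suspected intrusion.
SUSPECT_EVENTS = {"USER_CREATED", "PASSWORD_CHANGED", "PASSWORD_RESET"}

# Constructed sample audit lines (hypothetical format):
# <ISO timestamp> <event> actor=<who> target=<account> src=<source>
SAMPLE_LOG = """\
2024-11-28T09:12:03Z LOGIN actor=alice target=alice src=workstation-12
2024-12-03T02:41:17Z USER_CREATED actor=svc-remote-support target=backup_admin src=10.0.5.20
2024-12-03T02:43:55Z PASSWORD_RESET actor=svc-remote-support target=jdoe src=10.0.5.20
2024-12-04T14:05:00Z PASSWORD_CHANGED actor=jdoe target=jdoe src=workstation-07
2024-12-10T08:00:00Z USER_CREATED actor=it-helpdesk target=newhire src=workstation-03
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<event>\S+)\s+actor=(?P<actor>\S+)"
    r"\s+target=(?P<target>\S+)\s+src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one audit line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc
    )
    return event


def find_suspect_changes(log_text, start=WINDOW_START, end=WINDOW_END,
                         service_actors=("svc-remote-support",)):
    """Return account creations and credential changes inside the window.

    Each hit is a tuple (timestamp, event, actor, target, reason). The reason
    is 'service-actor' when the change was made by a remote-support service
    identity (the vendor-key scenario), otherwise 'in-window' for review.
    """
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["event"] not in SUSPECT_EVENTS:
            continue
        if not (start <= ev["ts"] <= end):
            continue  # outside the incident window; not flagged here
        reason = "service-actor" if ev["actor"] in service_actors else "in-window"
        hits.append((ev["ts"].isoformat(), ev["event"], ev["actor"],
                     ev["target"], reason))
    return hits


if __name__ == "__main__":
    for hit in find_suspect_changes(SAMPLE_LOG):
        print(*hit)
```

Against the sample data the script reports the two changes made by the service identity at 02:41 and 02:43 UTC on December 3 and the in-window self-service password change on December 4, while ignoring the ordinary login before the window and the helpdesk account creation after it. In a real investigation the window bounds would come from the vendor's own detection timeline and the service-actor list from the remote-support integration's configured identities.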

Officials believe the operation was likely espionage-oriented, focused on gathering intelligence rather than financial theft.

“The Treasury Department takes all threats to its systems and the data it holds very seriously,” a department spokesperson said, adding that efforts to secure its systems against external threats are ongoing.

The department plans to submit a supplemental report on the breach to lawmakers within 30 days.

Chinese embassy spokesperson Liu Pengyu contested the allegations, arguing that attributing cyber incidents to specific actors is inherently challenging.

“We hope relevant parties will approach cyber incidents professionally and responsibly, basing their conclusions on substantial evidence rather than unfounded speculation and accusations,” Liu said in a statement.

“The U.S. should stop using cybersecurity as a tool to smear China and spreading disinformation about so-called Chinese hacking threats.”

This breach is the latest in a series of high-profile cybersecurity incidents linked to Chinese espionage groups. It follows another December attack targeting telecom companies, potentially compromising phone records across significant portions of the U.S. population.


Source: https://www.linkedin.com/pulse/us-treasury-hacked-peoples-republic-china-prc-major-2lsxe/
