The US Treasury Department confirmed on Monday that it had been breached by a China-based state-sponsored hacking group, in what officials are calling a "major incident." According to a letter from the Treasury Department, the breach came to light after a third-party service provider, BeyondTrust, notified the department on December 8 of unauthorized access to certain Treasury workstations and unclassified documents.
The attack, attributed to a Chinese Advanced Persistent Threat (APT) actor, involved the theft of a key that BeyondTrust used to secure a cloud-based technical support service. With that key, the attackers were able to override the service's security controls, remotely access Treasury workstations, and read unclassified documents held by departmental users.
A Treasury spokesperson said the compromised service has been taken offline and that the department is working closely with the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and other partners to investigate the breach. The spokesperson emphasized that there is no evidence the attackers still have access to Treasury systems or data.
Treasury officials have planned a classified briefing for members of the House Financial Services Committee next week to discuss the breach in more detail, though the exact timing has not been confirmed.
The incident was first identified on December 2, when BeyondTrust noticed anomalous behavior in its Remote Support product, which Treasury used. The company confirmed the breach on December 5 and informed affected customers, including the US Treasury, by December 8. BeyondTrust has since quarantined the compromised service and engaged an external cybersecurity firm to investigate. The company also notified law enforcement and is cooperating with the ongoing investigations.
While the exact number of affected workstations has not been disclosed, the Treasury letter confirmed that "several" Treasury user workstations were impacted. The breach is being classified as a "major cybersecurity incident," and officials have said they will provide further details in a supplemental report within 30 days.
Treasury has been collaborating with CISA, the FBI, US intelligence agencies, and third-party investigators to fully assess the scope and impact of the breach. The investigation is ongoing, and officials have yet to determine the full extent of the damage caused by the attack.