Understand instantly
  • US Treasury reports 'major cyber incident' when Chinese hackers stole documents
  • China calls these US allegations a 'smear attack' without factual basis
  • China's interest in the activities of the Treasury Department deepens the suspicion
The Treasury Department reports a cyber incident. Karolina Grabowska/ Pexels

US Treasury reports 'major cyber incident' when Chinese hackers stole documents

China state-sponsored hackers breached the systems of the US Treasury Department. Reports from Treasury officials state that malicious actors bypassed the department's computer security guardrails this month and stole documents[1].

The hackers compromised the third-party security service provider BeyondTrust and gained access to unclassified documents. According to the letter issued by officials, the hackers obtained a key that the vendor used to secure a cloud-based service through which technical support was provided remotely to the department and its users.

"Based on available indicators, the incident has been attributed to a China state-sponsored Advanced Persistent Threat (APT) actor," the letter said.

With this key, the hackers were able to override the service's security and remotely access particular Treasury Departmental Offices (DO) user workstations. From there, reaching the unclassified documents maintained by those users was straightforward.

According to the Treasury Department, BeyondTrust alerted them on December 8th and informed them about the breach. Since then, experts from the US Cybersecurity and Infrastructure Security Agency and the FBI have started to work to assess the impact of this hack.

China calls these US allegations a 'smear attack' without factual basis

Besides the letter issued as a report of this incident, the Treasury Department has not responded to questions from the media. CISA refers all the questions back to the Treasury Department.

A spokesperson for BeyondTrust, a company based in Johns Creek, Georgia, shared in an email to Reuters that they dealt with a security issue involving their remote support product in early December 2024.

Chinese-backed hackers have been attacking US State institutions for a while. Antoni Shkraba/ Pexels

They said they had identified the problem and taken steps to fix it. The company informed the small number of affected customers and reported the incident to law enforcement. BeyondTrust is also helping with the ongoing investigation[2].

As for the allegations that Chinese hackers are responsible, the Chinese Embassy in Washington rejects all allegations of involvement in the hack. They say that Beijing "firmly opposes the US's smear attacks against China without any factual basis."

However, various experts comment that the attack fits the pattern of China-state-backed hacker groups. Tom Hegel, a threat researcher, states that Chinese hackers commonly focus on abusing trusted third-party services.

China's interest in the activities of the Treasury Department deepens the suspicion

Chinese officials are known to take an interest in the Treasury Department's activities, as the department oversees sensitive data about global financial systems. It is also the department that implements sanctions against Chinese firms; in recent years, such sanctions have been imposed on particular firms that aid Russia in its war against Ukraine.

Chinese intelligence previously hacked email accounts used by Commerce Secretary Gina Raimondo while she was making decisions about new export controls on advanced semiconductors and other key technologies, controls intended to slow Chinese firms' access to these technologies. Similar attacks were reported against targets in the State Department.

The revelation of a breach at the Treasury Department comes at a particularly sensitive time. The Biden administration is already dealing with one of the most extensive and damaging cyberattacks in recent history. In recent months, investigators uncovered that a highly skilled Chinese hacking group, known as Salt Typhoon, infiltrated at least nine U.S. telecommunications companies.

This breach exposed serious weaknesses in the U.S.'s patchy telecommunications infrastructure. The hackers accessed text messages and phone calls, including commercial, unencrypted lines used by prominent figures like President-elect Donald Trump, Vice President-elect J.D. Vance, and senior national security officials. It’s unclear if the hackers managed to listen to any specific conversations.

The Treasury Department said it worked closely with the FBI, intelligence agencies, and other investigators to assess the impact of the recent breach. The compromised system has been shut down, and the department stated there’s no evidence that Chinese hackers still have access to Treasury data.

A Treasury spokesperson emphasized the department's commitment to protecting its systems and the financial data they manage. They also stated the department is collaborating with private sector partners and government agencies to strengthen defenses against cyber threats[3].

The Treasury did not specify when the breach occurred but promised to share more information in an upcoming report to Congress.