‘Major incident’: China-backed hackers breached US Treasury workstations
US Treasury Department Confirms Chinese State-Sponsored Cyberattack on Workstations
The US Treasury Department alerted lawmakers on Monday that a Chinese state-sponsored cyber actor had infiltrated Treasury workstations, in what officials are calling a "major incident."
In a letter reviewed by CNN, Treasury official Aditi Hardikar confirmed that a third-party software provider informed the department on December 8 about a security breach. A threat actor, using a stolen key, gained remote access to certain Treasury workstations and unclassified documents.
“This incident has been attributed to a Chinese state-sponsored Advanced Persistent Threat (APT) actor,” Hardikar, the assistant secretary for management at the Treasury, stated in the letter.
A Treasury spokesperson told CNN that the affected service has been taken offline, and officials are collaborating with law enforcement and the Cybersecurity and Infrastructure Security Agency (CISA) to address the issue. The spokesperson also assured that there is no evidence indicating the actor still has access to Treasury systems or information.
The Treasury plans to conduct a classified briefing next week with staff from the House Financial Services Committee to provide further details on the breach, though the timing of the briefing is yet to be determined.
According to a letter sent to Senate Banking Committee leadership, the breach involved the third-party provider BeyondTrust, whose cloud-based remote-support service is used by the Treasury for technical support. Using a stolen key, the hackers bypassed the service's security controls and gained access to several Treasury user workstations and unclassified documents.
BeyondTrust confirmed that it identified the security breach on December 2 and began investigating after detecting "anomalous behavior" within its Remote Support product. The company notified affected customers on December 5 and updated its website on December 8 with information regarding the breach. BeyondTrust quarantined the compromised service and engaged an external cybersecurity team to investigate the incident further.
“No other BeyondTrust products were involved,” a spokesperson for the company said. “Law enforcement has been notified, and BeyondTrust is assisting with the investigation.”
The exact number of affected workstations is unclear, but Treasury officials confirmed that "several" user workstations were accessed.
Hardikar noted that under Treasury policy, breaches linked to advanced persistent threat actors are considered "major cybersecurity incidents." The department is required to provide a follow-up report within 30 days to update on the situation.
While the full scope of the breach is still under investigation, Treasury has been working closely with CISA, the FBI, US intelligence agencies, and third-party forensic experts to assess the impact.
“The engagement with CISA began immediately after Treasury was informed of the attack, and other governing bodies were contacted once the extent of the attack became clear,” Hardikar wrote in the letter.
This story has been updated with further developments and details on the breach.