The US Treasury Department disclosed a major cybersecurity incident in which suspected Chinese state-sponsored hackers gained unauthorized access to its systems through a third-party software vendor.
According to a letter Treasury sent to Senate Banking Committee leaders on December 30, 2024, the intrusion began when threat actors stole an API key for BeyondTrust Remote Support, a cloud-based remote technical support service used by Treasury's Departmental Offices. With that key, the attackers could override the service's security controls, remotely access certain Treasury user workstations, and read unclassified documents kept on those machines.
BeyondTrust notified the Treasury Department of the breach on December 8, 2024. The company had confirmed on December 5 that an API key for its Remote Support SaaS product was compromised and revoked the key immediately.
The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI are investigating the incident, which Treasury has attributed to a China state-sponsored Advanced Persistent Threat (APT) actor. The compromised BeyondTrust service has been taken offline, and Treasury says there is no evidence that the threat actor still has access to its systems or information.
The breach fits a pattern of sophisticated intrusions targeting US government agencies and critical infrastructure. Chinese hacking groups were recently found inside at least nine US telecommunication networks in the campaign tracked as Salt Typhoon.
BeyondTrust, which serves more than 20,000 customers globally, including 75 of the Fortune 100, said that only its Remote Support product was affected and that it is working with impacted customers on remediation.
A Treasury spokesperson emphasized that the agency has significantly strengthened its cyber defenses over the past four years and continues to work with private and public sector partners to protect the financial system from threat actors.