The U.S. Department of Treasury disclosed a major cybersecurity breach in a letter to the Senate Banking Committee on Monday, revealing that Chinese state-sponsored hackers gained unauthorized access to Treasury workstations and unclassified documents earlier this month.
The breach occurred through BeyondTrust, a third-party cybersecurity service provider used by the Treasury for remote technical support. According to Treasury officials, the attackers obtained a key that allowed them to bypass security measures and remotely access Treasury workstations.
BeyondTrust detected suspicious activity on December 2 and confirmed the breach on December 5. The company notified Treasury of the incident on December 8 and completed patching affected systems by December 16.
The Treasury Department has classified this as a "major incident" under federal information security laws. In response, the department has:
- Taken the compromised BeyondTrust service offline
- Engaged the FBI and Cybersecurity and Infrastructure Security Agency (CISA)
- Launched an investigation with intelligence agencies and forensic experts
- Committed to providing Congress with additional details within 30 days
"Based on available indicators, the incident has been attributed to a China state-sponsored Advanced Persistent Threat actor," wrote Aditi Hardikar, Treasury's assistant secretary for management, in the letter to Senate leaders.
This breach follows recent revelations about Chinese hackers compromising U.S. telecommunications infrastructure through operation "Salt Typhoon," which reportedly gave Beijing access to communications of high-ranking U.S. officials.
The Treasury Department maintains that the threat actor no longer has access to its systems or information, though the full scope of the breach remains under investigation.