The U.S. Treasury Department has confirmed a major cybersecurity breach attributed to Chinese state-sponsored hackers. The attackers gained access to several Treasury workstations and unclassified documents by exploiting vulnerabilities in a third-party software service provider, BeyondTrust. The breach, which Treasury officials classified as a "major cybersecurity incident," has intensified concerns over cybersecurity threats from foreign actors.
The incident was first detected on December 8, when BeyondTrust alerted the Treasury about the unauthorized use of a stolen key to override security measures. This allowed the hackers to remotely access specific user workstations. In a letter to lawmakers, Aditi Hardikar, Assistant Secretary for Management at the Treasury Department, stated, "Based on available indicators, the incident has been attributed to a Chinese state-sponsored Advanced Persistent Threat (APT) actor."
Although the exact extent of the data compromised remains unclear, the Treasury has stated that there is no evidence suggesting the hackers retain ongoing access to department information. BeyondTrust, the software vendor implicated in the breach, has suspended the affected services and initiated an investigation with the assistance of external cybersecurity experts. The company noted that the compromised service was limited to its Remote Support product and assured that no other products were impacted.
In Beijing, Chinese Foreign Ministry spokesperson Mao Ning dismissed the allegations as "groundless accusations lacking evidence." She reiterated China's opposition to all forms of cyberattacks and accused the U.S. of disseminating false information for political purposes. Despite these denials, U.S. intelligence agencies and cybersecurity experts continue to link the breach to state-sponsored actors.
"China consistently opposes all forms of hacking and is even more opposed to the dissemination of false information against China for political purposes," Mao said.
The Treasury Department is collaborating with the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and other federal agencies to assess the full scope and impact of the breach. Hardikar indicated that CISA was engaged immediately after the attack was discovered, emphasizing the department's commitment to safeguarding critical systems. Treasury officials are also working on a supplemental report, required within 30 days, to provide further details about the incident.
The breach is not the first high-profile cyberattack targeting U.S. government systems. It follows a series of incidents attributed to Chinese hackers, including the recent "Salt Typhoon" campaign that compromised private communications of U.S. telecommunications companies. These ongoing attacks underscore the growing sophistication and persistence of foreign cyber adversaries.
While the Treasury has made significant strides in bolstering its cybersecurity defenses over the past four years, this incident highlights the vulnerabilities inherent in relying on third-party service providers. The breach has raised questions about the adequacy of current security measures and the need for stricter oversight of vendor relationships.
