China-Backed Hackers Breach U.S. Treasury Workstations in Major Cybersecurity Incident
The U.S. Treasury Department has confirmed a significant cybersecurity breach after China-backed hackers infiltrated Treasury workstations. Officials are calling it a “major incident” that has raised concerns over the security of sensitive government data.
The Breach Unfolds
On December 8, the Treasury was alerted by a third-party software provider, BeyondTrust, about a possible security breach. The company reported that a threat actor, using a stolen key, remotely accessed certain Treasury workstations and unclassified documents.
In a letter reviewed by CNN, Aditi Hardikar, the Assistant Secretary for Management at the U.S. Treasury, confirmed that the breach has been attributed to a Chinese state-sponsored group, specifically an Advanced Persistent Threat (APT) actor.
What Happened?
The compromised third-party software provider, BeyondTrust, manages a cloud-based service that Treasury uses for technical support. The attackers used a stolen key that secured the service to bypass its security measures and remotely access Treasury workstations. The affected workstations contained unclassified documents.
BeyondTrust detected an anomaly on December 2 involving its Remote Support product, and after confirming suspicious activity by December 5, the company notified affected clients, including the U.S. Treasury. On December 8, BeyondTrust made the information public and has since been investigating the incident with the help of a third-party cybersecurity team.
Response and Ongoing Investigation
In response to the breach, the compromised service has been taken offline, and Treasury officials are working closely with law enforcement and the Cybersecurity and Infrastructure Security Agency (CISA). According to the Treasury, there is no evidence suggesting that the hackers currently have access to Treasury systems or information.
Officials plan to hold a classified briefing with staff from the House Financial Services Committee next week to discuss the breach in detail, though the exact timing has not yet been set.
BeyondTrust’s Role in the Breach
The breach occurred through a key used by BeyondTrust to secure Treasury’s cloud-based technical support service. Once the hackers gained access to this key, they were able to override the service’s security measures, accessing several Treasury workstations and unclassified documents.
BeyondTrust, in a statement, confirmed that only its Remote Support product was involved in the breach. The company quarantined the affected instances, notified law enforcement, and continues to cooperate with investigators.
Investigating the Full Impact
While the number of affected workstations has not been disclosed, a Treasury spokesperson confirmed that “several” user workstations were compromised. Due to the involvement of an Advanced Persistent Threat actor, the incident is considered a “major cybersecurity incident” under Treasury policy. As a result, Treasury officials are required to submit a supplemental report within 30 days to provide a full update.
The Treasury Department is working alongside CISA, the FBI, U.S. intelligence agencies, and third-party forensic investigators to assess the scope and impact of the breach. Hardikar confirmed that CISA and other governing bodies were contacted as soon as Treasury became aware of the attack, in order to mitigate the threat.
Ongoing Security Measures
Though the full extent of the breach remains unclear, the U.S. Treasury is taking swift action to secure its systems and prevent further incidents. Lawmakers and officials are closely monitoring the situation as investigations continue.
With the involvement of a state-sponsored hacking group, this breach highlights the growing threat of cyberattacks targeting critical U.S. infrastructure.