Chinese-sponsored hackers accessed Treasury documents in ‘major incident’


The incident comes in the final days of the Biden presidency and as officials work to root out China-tied hackers from U.S. telecommunications systems.

Chinese government-aligned hackers accessed Treasury Department workstations in a “major incident” that involved the compromise of a third-party provider, according to a letter reviewed by Nextgov/FCW and confirmed in a statement by Treasury on Friday.

The letter addressed to leaders on the Senate Banking Committee says that on Dec. 8 BeyondTrust, a provider of cloud security services, alerted Treasury to a breach in which hackers had obtained a key used to secure a cloud-based service for remotely supporting Treasury Departmental Offices users.

Using the stolen key, the attacker bypassed the service’s security, remotely accessed Treasury workstations and retrieved certain unclassified documents stored by those users.

“The compromised BeyondTrust service has been taken offline and there is no evidence indicating the threat actor has continued access to Treasury systems or information,” the agency said in a statement.

“Treasury takes very seriously all threats against our systems, and the data it holds. Over the last four years, Treasury has significantly bolstered its cyber defense, and we will continue to work with both private and public sector partners to protect our financial system from threat actors,” it adds.

Agence France-Presse, the French international news agency, first reported the hack. The letter says that, according to available indicators, “the incident has been attributed to a China state-sponsored Advanced Persistent Threat (APT) actor.” The specific hacking unit is not named.

APT is a moniker used in the cybersecurity community to denote hacking collectives that operate with advanced technical capabilities and persistent attack strategies, often with the financial backing of nation-states.

Treasury has been in contact with the intelligence community, the FBI and the Cybersecurity and Infrastructure Security Agency regarding the incident. CISA referred Nextgov/FCW to Treasury for comment, while the FBI did not immediately return requests for comment.

“BeyondTrust previously identified and took measures to address a security incident in early December 2024 that involved the Remote Support product. BeyondTrust notified the limited number of customers who were involved, and it has been working to support those customers since then. No other BeyondTrust products were involved. Law enforcement was notified and BeyondTrust has been supporting the investigative efforts,” a BeyondTrust spokesperson said in a statement to Nextgov/FCW. “BeyondTrust posted information regarding the incident and the on-going investigation on its website on December 8, 2024, including a summary, timeline, and indicators. The security advisory has been updated since then as part of BeyondTrust’s commitment to updating customers through the completion of this matter.”

A Chinese embassy spokesperson vehemently denied the contents of the letter and said China firmly opposes U.S. “smear attacks” against China. “The U.S. needs to stop using cyber security to smear and slander China, and stop spreading all kinds of disinformation about the so-called Chinese hacking threats,” spokesperson Liu Pengyu said in a statement.

Pengyu added that, during a meeting between President Biden and President Xi Jinping in Peru at the APEC Summit last month, Xi said there’s “no evidence that supports the irrational claim of the so-called ‘cyberattacks from China.’”

Biden raised the question of hacking with Xi following a sweeping China-tied intrusion into U.S. telecommunications systems that has unfolded over the past couple of months and has not yet been fully eradicated.

Those telecom hacks, from a group dubbed Salt Typhoon by cybersecurity researchers, have hit nine providers in the U.S. and dozens of others abroad, and have targeted key political figures in the D.C. beltway.

Editor's note: This article has been updated to include a statement from BeyondTrust.