Hackers from China Breached U.S. Treasury’s Documents in Significant Incident
December 30 (Reuters) – The U.S. Treasury Department said that Chinese state-sponsored hackers breached its computer security earlier this month and stole documents, in what it characterized as a “major incident” in a letter sent to lawmakers and seen by Reuters on Monday.
The attackers compromised a third-party cybersecurity service provider, BeyondTrust, and through it gained access to unclassified documents, according to the letter.
The letter stated that the attackers obtained a security key that the vendor used to secure a cloud-based service providing remote technical support to Treasury Department offices. With that key, they were able to override the service’s security controls, remotely access workstations of Treasury users, and read some unclassified documents stored on them.
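The mechanism described above, a vendor-held key that authenticates to a remote-support gateway and from there reaches end-user workstations, leaves a characteristic trace: sessions authenticated by a shared service key rather than a named user with MFA, which then perform interactive actions (file transfer, shell) on endpoints or originate from addresses outside the vendor's known egress range. The following Python detector is an added example, not code from Reuters, the Treasury, or BeyondTrust. The log schema, field names, vendor egress range, and sample lines are all constructed assumptions for illustration, not BeyondTrust's real format.

```python
import ipaddress
import json
from collections import defaultdict

# Constructed sample events from a hypothetical remote-support gateway.
# Field names and values are assumptions for this example, not a real product schema.
SAMPLE_LOG = """
{"ts":"2024-12-02T09:14:03Z","session":"s-101","auth":"user_mfa","principal":"helpdesk.alice","src":"10.20.5.17","target":"WS-FIN-0412","action":"session_start"}
{"ts":"2024-12-02T09:16:40Z","session":"s-101","auth":"user_mfa","principal":"helpdesk.alice","src":"10.20.5.17","target":"WS-FIN-0412","action":"screen_share"}
{"ts":"2024-12-02T22:41:11Z","session":"s-102","auth":"api_key","principal":"vendor-support-key","src":"198.51.100.77","target":"WS-FIN-0098","action":"session_start"}
{"ts":"2024-12-02T22:43:52Z","session":"s-102","auth":"api_key","principal":"vendor-support-key","src":"198.51.100.77","target":"WS-FIN-0098","action":"file_download","path":"Documents/q4-memo.docx"}
{"ts":"2024-12-03T08:05:00Z","session":"s-103","auth":"api_key","principal":"vendor-support-key","src":"203.0.113.9","target":"gateway","action":"health_check"}
"""

# Assumed: the vendor's published egress range. Use of the vendor key from any
# other source address is treated as suspicious.
VENDOR_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]

# Actions that read data from, or run commands on, the endpoint itself.
INTERACTIVE_ACTIONS = {"file_download", "file_upload", "shell", "screen_share"}


def parse_log(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def is_vendor_source(ip):
    """True if the source address falls inside the vendor's known egress range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in VENDOR_EGRESS)


def detect_key_abuse(events):
    """Return alerts for sessions authenticated with a shared/vendor API key that
    (a) originated outside the vendor's known egress range, or
    (b) performed interactive actions on a user workstation.
    Sessions backed by a named user with MFA are not in scope for these rules."""
    by_session = defaultdict(list)
    for ev in events:
        by_session[ev["session"]].append(ev)

    alerts = []
    for sid, evs in by_session.items():
        first = evs[0]
        if first["auth"] != "api_key":
            continue
        if not is_vendor_source(first["src"]):
            alerts.append({"session": sid, "reason": "api_key_from_unknown_source",
                           "src": first["src"]})
        touched = sorted({e["action"] for e in evs if e["action"] in INTERACTIVE_ACTIONS})
        if touched:
            alerts.append({"session": sid, "reason": "api_key_interactive_on_endpoint",
                           "target": first["target"], "actions": touched})
    return alerts


if __name__ == "__main__":
    for alert in detect_key_abuse(parse_log(SAMPLE_LOG)):
        print(json.dumps(alert))
```

Run over the constructed sample, the detector flags only session s-102: the vendor key was used from an address outside the assumed egress range and the session downloaded a file from a workstation. The health-check session s-103 uses the same key but from the expected range and touches no endpoint data, so it is left alone. The point of the two rules is that a stolen vendor key is indistinguishable from the vendor by credential alone; what distinguishes it is where the key is used from and what the session does once connected.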
BeyondTrust notified the Treasury Department of the breach on December 8, and the department is working with the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the FBI to assess the full impact of the hack.
The FBI did not immediately respond to a Reuters request for comment, and CISA referred questions to the Treasury Department. A spokesperson for the Chinese Embassy in Washington denied any involvement in the attack, saying that Beijing “firmly opposes the U.S.’s unfounded accusations against China.”
BeyondTrust, based in Johns Creek, Georgia, did not immediately respond to requests for comment. A notice on its website acknowledged a recent security incident affecting a limited number of customers of its remote support software, confirmed that a digital key had been compromised, and said an investigation was under way.
Tom Hegel, a threat researcher at cybersecurity firm SentinelOne, noted that the incident described by BeyondTrust closely resembles the one at the Treasury, but said BeyondTrust itself would need to confirm any link.
“This incident matches a well-known pattern of behavior associated with groups linked to the People’s Republic of China, focusing particularly on exploiting trusted third-party services — a tactic that has become increasingly common recently,” he observed.