China Hacked US Treasury, Accessing Government Documents - Report

U.S. Treasury Department Targeted by Cyberattack
A cybersecurity incident impacted the U.S. Treasury Department earlier in December, as revealed in a letter to lawmakers on Monday. The department has formally attributed this attack to hacking groups associated with the Chinese government.
Details of the Breach
According to the letter, which was reviewed by TechCrunch, unauthorized access was gained to several Treasury employee workstations. This allowed the hackers access to unclassified documents, constituting what the department has characterized as a “major cybersecurity incident.”
The initial notification regarding the compromise came from BeyondTrust on December 8th. This company specializes in identity access and remote support technologies for large organizations, including government entities. They alerted the Treasury that a key used for providing remote technical support had been compromised.
BeyondTrust's Response
While BeyondTrust initially disclosed the incident, they did not specify how the key was obtained. A request for further comment from a BeyondTrust spokesperson went unanswered.
However, in a subsequent statement to TechCrunch, BeyondTrust’s Mike Bradshaw indicated that a “limited number of customers” were notified about systems accessed during the December 8th event, without specifically mentioning the Treasury Department.
Investigation and Current Status
The Treasury Department immediately engaged the U.S. Cybersecurity and Infrastructure Security Agency (CISA) for assistance. As of December 30th, investigations have revealed no evidence of ongoing unauthorized access to Treasury information.
Attribution to China
The Treasury has confirmed that the breach is attributed to an advanced persistent threat group sponsored by the Chinese state. The specific group responsible for the intrusion remains unidentified, and a department spokesperson declined to provide further details.
Treasury spokesperson Michael Gwin stated that the attackers were able to access “several Treasury user workstations and certain unclassified documents” belonging to those users.
Strengthened Cybersecurity Measures
“Treasury takes all threats against our systems and data with the utmost seriousness,” Gwin added. “Over the past four years, we have significantly enhanced our cyber defenses and will continue collaborating with public and private sector partners to safeguard our financial system from malicious actors.”
Recent Cyberattacks Linked to China
This incident represents the latest in a series of cyberattacks linked to China targeting the U.S. government. The group known as Salt Typhoon has been implicated in previous attacks against U.S. telecommunications and internet companies, including AT&T and Verizon. The objective of these attacks was to intercept private communications of high-ranking U.S. officials, including those involved in the presidential election.
China's Denial
Liu Pengyu, a spokesperson for the Chinese Embassy in Washington, D.C., disputed the U.S. government’s attribution of the cyberattack. He argued that the U.S. has not presented any supporting evidence for its claims.
This article has been updated to include comments from the Chinese government and BeyondTrust.
