The US Treasury Department has confirmed it was targeted by a significant cyberattack earlier this month, believed to be carried out by state-sponsored hackers from China. The breach, described by US officials as a “major incident,” involved the infiltration of Treasury systems, allowing attackers to access employee workstations and some unclassified documents. This latest breach comes amid growing concerns over cybersecurity threats linked to China.
In a letter to lawmakers, the Treasury Department disclosed the breach and revealed it had been working with the FBI and other agencies to assess the impact. While China has denied involvement, labeling the accusations “baseless,” this cyberattack marks the latest in a series of high-profile hacks allegedly originating from China.
According to Treasury officials, the hackers exploited a vulnerability in a third-party service provider, BeyondTrust, which had been providing remote technical support for the department. This allowed the attackers to bypass security controls and gain unauthorized access to Treasury systems. After the breach was detected, the compromised BeyondTrust service was taken offline, and there was no evidence that the attackers maintained access to Treasury systems after the initial intrusion.
The Treasury Department is continuing to investigate the scope of the attack with the help of forensic experts and the Cybersecurity and Infrastructure Security Agency (CISA). Initial findings suggest that the attack was carried out by a “China-based Advanced Persistent Threat (APT) actor.” The department has classified the breach as a major cybersecurity incident under its internal policies due to its severity and the potential access to sensitive information.
The breach was discovered on December 8, after BeyondTrust alerted the Treasury Department to suspicious activity. According to BeyondTrust, the malicious activity was first identified on December 2, but it took three days for the company to confirm the breach. The attackers were able to remotely access several Treasury workstations and some unclassified documents. The department has not disclosed the exact nature or sensitivity of the documents, nor how long the hackers had access before the intrusion was contained.
Officials believe the attackers were primarily seeking intelligence rather than attempting to steal funds. As part of their espionage activities, the hackers may have attempted to create new accounts or change passwords during the three days between BeyondTrust first identifying the suspicious activity and confirming the breach. The Treasury Department has promised to provide a supplemental report to lawmakers within 30 days to offer further details on the incident.
In response to the allegations, China’s foreign ministry spokeswoman, Mao Ning, vehemently denied the accusations, calling them “baseless” and asserting that China opposes all forms of hacking. She further accused the US of using cybersecurity issues as a political tool to smear China, a sentiment echoed by a spokesman for the Chinese embassy in Washington, DC.
This breach follows a pattern of increasing cyberattacks attributed to Chinese state-sponsored hackers, including the Volt Typhoon and Salt Typhoon groups. Volt Typhoon has been linked to attempts to compromise critical infrastructure, while Salt Typhoon is believed to have engaged in espionage, including the telecom hack earlier this month. Despite these ongoing incidents, the US has not provided direct evidence linking China to the Treasury hack, leaving the issue contentious and unresolved.
As tensions continue to rise over cyber espionage and the growing influence of Chinese hackers, the US government faces significant challenges in safeguarding its systems and countering external threats. The Treasury breach highlights the ongoing vulnerability of sensitive government agencies and the need for stronger cybersecurity measures to protect national interests in an increasingly digital world.