Image: MohitSingh, CC BY-SA 3.0, via Wikimedia Commons

The US Treasury Department has officially confirmed that it suffered a significant cybersecurity breach earlier this month, one that has been attributed to a Chinese state-sponsored hacking group. The breach, first disclosed in a letter to lawmakers on December 29, enabled the attackers to remotely access sensitive workstations and unclassified documents through a third-party service provider, BeyondTrust, which manages remote technical support services for government agencies.

BeyondTrust had informed the Treasury Department that hackers had compromised a key used to secure its cloud-based service. That key has since been revoked, and BeyondTrust has suspended the affected instances of the service. The Treasury uses this service to let technical support staff remotely access and troubleshoot the workstations of departmental employees. With the stolen key, the attackers were able to gain unauthorized access to certain workstations.

While BeyondTrust has not disclosed the exact number of customers impacted by the breach, it stated that only a “limited number” of clients, including U.S. government agencies, were affected. In response, the Treasury Department immediately began working with the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and other investigative bodies to assess the impact of the breach. According to the department, the compromised service has since been taken offline, and there is no evidence suggesting that the hackers maintained access to Treasury systems or data following the breach.

“In accordance with the requirements of the Federal Information Security Modernization Act of 2014 (FISMA) and criteria provided in Office of Management and Budget (OMB) Memorandum 24-04, this letter provides notice that the Department of the Treasury (Treasury) has determined that a major incident occurred. On December 8, 2024, Treasury was notified by a third-party software service provider, BeyondTrust, that a threat actor had gained access to a key used by the vendor to secure a cloud-based service used to remotely provide technical support for Treasury Departmental Offices (DO) end users. With access to the stolen key, the threat actor was able to override the service’s security, remotely access certain Treasury DO user workstations, and access certain unclassified documents maintained by those users,” the Department said in an official statement.

The U.S. government has attributed the attack to a Chinese state-sponsored group, described as an Advanced Persistent Threat (APT) actor. APT groups are typically well-resourced, highly skilled hacker organizations that are often employed by nation-states for long-term, targeted attacks aimed at stealing sensitive information or disrupting government and corporate operations. This adds to a long list of escalating cyberattacks linked to Chinese state-sponsored groups.

Just days ago, a separate Chinese-backed group, “Salt Typhoon,” targeted major telecom companies in the US, compromising sensitive communications and data. Later, AT&T and Verizon – two of the biggest names in the telecommunications landscape and two of the victims of the cyberattack – confirmed that their networks had been cleared.