US Treasury says Chinese hackers stole documents in a “major incident”

In a letter to lawmakers, the U.S. Treasury Department described a breach of its computer security guardrails earlier this month by Chinese state-sponsored hackers as a “major incident,” Treasury officials told Reuters on Monday.

According to the letter, the hackers gained access to unclassified material by breaching the third-party cybersecurity service provider BeyondTrust.

According to the letter, the hackers compromised a key that the vendor used to secure a cloud-based service which provides remote technical support to Treasury Departmental Offices (DO) end users. With the stolen key, the threat actor was able to override the service’s security controls, remotely access some Treasury DO user workstations, and retrieve some unclassified documents held by those users.
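The attack chain described above is a trusted third-party credential being used to open remote-support sessions that the service itself treats as legitimate. The check a defender would want is on the customer side of that relationship: a review of the vendor’s session audit trail for key-authenticated sessions that did not come from the vendor’s expected network ranges or that skipped the normal end-user approval prompt. The script below is an added example, not code from the article, Reuters, BeyondTrust or the Treasury; it assumes a hypothetical JSON-lines audit log with invented field names (`auth`, `key_id`, `src_ip`, `target`, `bypass_approval`), documentation IP ranges in place of any real vendor addresses, and a support window that is purely an assumption.

```python
"""Flag remote-support sessions authenticated with a vendor API key that
look anomalous. Constructed example: the log format, field names, IP
ranges and support window are all assumptions, not any vendor's schema."""
import ipaddress
import json
from datetime import datetime

# Assumed allowlist of the vendor's egress ranges (RFC 5737 documentation
# addresses, not real vendor infrastructure).
VENDOR_EGRESS = [ipaddress.ip_network(c) for c in ("192.0.2.0/24", "198.51.100.0/24")]

# Assumed support window (UTC hours) outside of which key-based sessions
# deserve a second look. Tune or drop for a 24/7 vendor.
SUPPORT_HOURS = range(6, 20)

# Constructed audit log (JSON Lines). The first line is a normal session;
# the next two use the same key from an unknown address while bypassing
# the end-user approval prompt; the last is an SSO login, not key-based.
SAMPLE_LOG = """\
{"ts":"2024-12-02T14:03:11Z","event":"session.start","auth":"api_key","key_id":"k-001","src_ip":"192.0.2.17","target":"DO-WS-0142","bypass_approval":false}
{"ts":"2024-12-05T03:41:52Z","event":"session.start","auth":"api_key","key_id":"k-001","src_ip":"203.0.113.9","target":"DO-WS-0142","bypass_approval":true}
{"ts":"2024-12-05T03:55:10Z","event":"session.start","auth":"api_key","key_id":"k-001","src_ip":"203.0.113.9","target":"DO-WS-0377","bypass_approval":true}
{"ts":"2024-12-06T10:12:00Z","event":"session.start","auth":"sso","user":"analyst@example.gov","src_ip":"203.0.113.9","target":"DO-WS-0377","bypass_approval":false}
"""


def parse_events(text):
    """Parse JSON Lines into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def from_vendor_range(ip):
    """True if the source address falls inside an allowlisted vendor range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in VENDOR_EGRESS)


def find_suspicious_sessions(events):
    """Return key-authenticated session starts with one or more red flags.

    Each returned event carries a 'reasons' list explaining the hit.
    """
    hits = []
    for ev in events:
        if ev.get("event") != "session.start" or ev.get("auth") != "api_key":
            continue
        reasons = []
        if not from_vendor_range(ev["src_ip"]):
            reasons.append("api key used outside vendor egress ranges")
        if ev.get("bypass_approval"):
            reasons.append("end-user approval prompt bypassed")
        hour = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00")).hour
        if hour not in SUPPORT_HOURS:
            reasons.append("session started outside assumed support window")
        if reasons:
            hits.append({**ev, "reasons": reasons})
    return hits


def affected_targets(hits):
    """Sorted list of workstations reached by flagged sessions, for scoping."""
    return sorted({h["target"] for h in hits})


if __name__ == "__main__":
    flagged = find_suspicious_sessions(parse_events(SAMPLE_LOG))
    for h in flagged:
        print(h["ts"], h["key_id"], h["src_ip"], "->", h["target"], "|", "; ".join(h["reasons"]))
    print("workstations to triage:", affected_targets(flagged))
```

The point of `affected_targets` is scoping: once a vendor key is known to be compromised, every workstation reached by a flagged session is in scope for forensic review, even ones the same key also reached legitimately earlier.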

“Based on available indicators, the incident has been attributed to a China state-sponsored Advanced Persistent Threat (APT) actor,” the letter added.

Following BeyondTrust’s December 8 notification of the breach, the Treasury Department said it was working with the FBI and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to assess the impact of the incident.

Treasury officials did not immediately respond to a request for further details about the hack. The FBI did not immediately reply to a request for comment from Reuters, and CISA referred inquiries to the Treasury Department.

China’s foreign ministry spokesperson, Mao Ning, stated at a routine press conference on Tuesday that “China has always opposed all forms of hacker attacks.”

When asked who was responsible for the hack, a representative for the Chinese Embassy in Washington stated that Beijing “firmly opposes the U.S.’s smear attacks against China without any factual basis.”

BeyondTrust, based in Johns Creek, Georgia, “previously identified and took measures to address a security incident in early December 2024” affecting its remote support product, a company spokesperson told Reuters in an email. In addition to law enforcement, BeyondTrust “notified the limited number of customers who were involved,” the spokesperson said. “BeyondTrust has been supporting the investigative efforts.”

The spokesperson pointed to a statement posted on the company’s website on December 8, which gave some details of the inquiry, including that an investigation was underway and that a digital key had been compromised in the incident. The statement was last updated on December 18.

Tom Hegel, a threat researcher at the cybersecurity firm SentinelOne (S.N), said the reported incident “fits a well-documented pattern of operations by PRC-linked groups, with a particular focus on abusing trusted third-party services – a method that has become increasingly prominent in recent years.” PRC is the People’s Republic of China.
