Washington: A Chinese state-sponsored hacking group infiltrated the US Treasury Department’s systems in early December, accessing employee workstations and certain unclassified documents, officials confirmed in a letter to lawmakers.
The breach has been classified as a “major incident” by the Treasury, which is collaborating with the FBI, Cybersecurity and Infrastructure Security Agency (CISA), and third-party forensic investigators to assess the impact.
The intrusion came through BeyondTrust, a third-party service provider offering remote technical support. The hackers exploited a security key to bypass the service's safeguards and gained remote access to several user workstations.
Suspicious activity was first detected on December 2, and BeyondTrust confirmed the breach three days later. Treasury officials were notified on December 8.
The compromised service has since been taken offline, and investigators have found no evidence of continued access to Treasury systems.
However, investigators believe that during the three-day window the hackers may have created accounts or altered passwords. Officials noted the attack was likely focused on gathering intelligence rather than financial theft.
Details on the confidentiality of accessed files or the hierarchy of compromised systems remain undisclosed. Treasury officials stressed that intrusions linked to Advanced Persistent Threat (APT) actors, such as the China-based group involved in this case, are treated as severe cybersecurity incidents.
China’s embassy in Washington dismissed the claims as unfounded. Embassy spokesman Liu Pengyu argued that attributing cyberattacks is complex and called on the US to provide evidence rather than make speculative accusations. “The US needs to stop using cybersecurity to smear and slander China,” he added.
The incident comes amid heightened concerns over Chinese cyber espionage. Last year, similar accusations were made regarding a hack of telecom companies that potentially exposed phone records across the US.
Treasury officials promised lawmakers a supplemental report on the recent breach within 30 days, emphasizing their commitment to safeguarding sensitive data.