According to the U.S. Treasury Department, Chinese state-sponsored hackers breached the U.S. Treasury Department’s “computer security guardrails” early December 2024 and stole documents in what the Treasury called a ‘major incident’. The security breach was the subject of a letter to lawmakers, that Treasury officials provided to Reuters on Monday. The Treasury Department is consulting with the FBI and U.S. Cybersecurity and Infrastructure Security Agency concerning the security breach.
Third-party cybersecurity service provider BeyondTrust alerted the U.S. Treasury Department that hackers compromised BeyondTrust, a third-party cybersecurity service provider and accessed unclassified documents on Dec. 8:
According to the letter, hackers ‘gained access to a key used by the vendor to secure a cloud-based service used to remotely provide technical support for Treasury Departmental Offices (DO) end users. With access to the stolen key, the threat actor was able to override the service’s security, remotely access certain Treasury DO user workstations, and access certain unclassified documents maintained by those users.’
A spokesperson for the Chinese Embassy in Washington denies direct involvement in the incident and rejected any responsibility for the hack, “saying that Beijing ‘firmly opposes the U.S.’s smear attacks against China without any factual basis.'”
One security expert described the People’s Republic of China trend of abusing trusted third-party services for achieving its goals:
Tom Hegel, a threat researcher at cybersecurity company SentinelOne (S.N), said the reported security incident ‘fits a well-documented pattern of operations by PRC-linked groups, with a particular focus on abusing trusted third-party services – a method that has become increasingly prominent in recent years,’ he said, using an acronym for the People’s Republic of China.