Officials suspect Chinese involvement
The US Treasury Department has disclosed a major cybersecurity breach, with officials pointing the finger at Chinese state-sponsored attackers.
In a letter [pdf] shared with the Chairman of the Committee on Banking, Housing, and Urban Affairs, the Treasury described the breach as a “major incident,” revealing that unauthorised actors accessed departmental workstations and unclassified files.
The breach was first discovered on 2nd December, stemming from the compromise of a remote support API key used by third-party software service provider BeyondTrust.
BeyondTrust notified the Treasury that an API key for its Remote Support SaaS product had been stolen on 8th December.
The key, which allowed remote access to some Treasury systems, was revoked. However, the attackers potentially had several days to navigate affected systems undetected.
“With access to the stolen key, the threat actor was able to override the service’s security, remotely access certain Treasury DO user workstations, and access certain unclassified documents maintained by those users,” the letter said.
While the extent of the data accessed remains under investigation, officials confirmed that the hackers primarily sought information, which is consistent with espionage activities.
Preliminary findings attribute the attack to a China-based state-sponsored APT group, a category of cyber adversaries known for sophisticated and prolonged hacking campaigns.
The Treasury Department is working with the FBI and other agencies to assess the full impact of the breach and mitigate any potential long-term consequences.
BeyondTrust, a provider of identity and access management solutions, confirmed the vulnerability in its platform and said all cloud instances had been patched by mid-December.
For self-hosted versions of its software, the company has issued advisories detailing specific vulnerabilities and corresponding fixes.
China denies involvement
China has denied any involvement in the attack, labelling the accusations as “baseless” and politically motivated.
The Chinese Foreign Ministry spokesperson, Mao Ning, reiterated China’s opposition to all forms of hacking and condemned the dissemination of “false information” targeting China.
This incident comes amid heightened tensions between the US and China over cyberattacks.
In recent months, two separate groups of suspected Chinese government hackers – Volt Typhoon and Salt Typhoon – have been identified for their involvement in critical infrastructure attacks and espionage operations, respectively.
The US government has repeatedly accused China of conducting malicious cyber activities, including targeting critical infrastructure and intellectual property.
China consistently rejects these claims, maintaining its innocence and accusing the US of engaging in cyber espionage itself.
Tom Hegel, a cybersecurity researcher at SentinelOne, noted that the latest incident aligns with tactics commonly employed by Chinese state-sponsored groups.
This “fits a well-documented pattern of operations by PRC-linked groups, with a particular focus on abusing trusted third-party services – a method that has become increasingly prominent in recent years,” he said.
The Treasury Department has assured lawmakers that a comprehensive report on the incident will be provided within 30 days.
The investigation is ongoing, and further details are expected to emerge in the coming weeks.