The U.S. Treasury informed lawmakers in a letter on Monday that it experienced a cyberattack earlier in December, which has been attributed to hackers affiliated with the Chinese government. The letter, which was shared with senior U.S. House lawmakers, revealed that the hackers managed to gain remote access to certain workstations of Treasury employees and accessed unclassified documents. The Treasury described this breach as a “major cybersecurity incident.”
According to the Treasury, it was alerted to the breach on December 8 by BeyondTrust, a company that provides identity access and remote support technology for large organizations and government departments. BeyondTrust informed the Treasury that hackers had “gained access to a key used by the vendor” to provide remote technical support to Treasury employees. Although BeyondTrust disclosed the incident at the time, it did not specify how the key was obtained. A spokesperson for BeyondTrust did not respond to a request for comment at the time of reporting.
The letter stated that the Treasury sought assistance from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and, as of December 30, there was “no evidence indicating the threat actor has continued access to Treasury information.”
The Treasury confirmed in the letter that it attributed the breach to a China state-sponsored advanced persistent threat group, indicating backing from the Chinese government. However, it remains unclear which specific group was responsible for the intrusion, and a spokesperson declined to provide further details.
In a brief statement, Treasury spokesperson Michael Gwin explained that the hackers were able to “remotely access several Treasury user workstations and certain unclassified documents maintained by those users.”
“Treasury takes very seriously all threats against our systems, and the data it holds. Over the last four years, Treasury has significantly bolstered its cyber defense, and we will continue to work with both private and public sector partners to protect our financial system from threat actors.”
Michael Gwin
This incident is the latest in a series of cyberattacks linked to China that have targeted the U.S. government in recent months. Chinese-backed hackers, known as Salt Typhoon, were previously implicated in a wave of cyberattacks targeting U.S. phone companies and internet giants, including AT&T and Verizon, with the aim of accessing the private communications of senior U.S. government officials, including presidential candidates.
Liu Pengyu, a spokesperson for the Chinese Embassy in Washington, D.C., denied the U.S. government’s attribution of the cyberattack to the Chinese government, arguing that the United States did not present evidence to support its claims.