U.S. Treasury Hit by Cyberattack Linked To Chinese State-Sponsored Group
The U.S. Department of the Treasury has confirmed that it experienced a significant cybersecurity breach on December 8, 2024, in which a state-sponsored Chinese cyber actor gained unauthorized access to its systems.
In a Rush? Here are the Quick Facts!
The attacker accessed Treasury workstations and unclassified documents by bypassing security measures.
Forensic investigators confirmed the breach was linked to a Chinese state-sponsored APT group.
The Treasury Department has since taken the compromised service offline and strengthened security.
The breach was linked to a third-party software provider, BeyondTrust, which had been providing remote technical support services for Treasury’s Departmental Offices (DO) end users.
In a letter to lawmakers, the Treasury Department detailed the incident and outlined the steps taken in response. The breach occurred when the threat actor accessed a key used by BeyondTrust to secure a cloud-based service.
With this key, the attacker bypassed security measures, remotely infiltrated Treasury workstations, and accessed unclassified documents stored on the affected systems.
Upon discovering the breach, the Treasury immediately notified the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Intelligence Community.
Third-party forensic investigators were also brought in to assess the situation and determine the full scope of the attack. According to the Treasury, available evidence links the incident to a Chinese state-sponsored Advanced Persistent Threat (APT) group.
CNN notes that the exact number of infiltrated workstations remains unclear. However, a Treasury spokesperson confirmed that “several” Treasury user workstations were accessed. It is also uncertain whether Treasury has fully assessed the extent of the damage caused by the breach.
Tom Hegel, a threat researcher at cybersecurity firm SentinelOne, noted to Reuters that the reported security incident aligns with a known pattern of behavior by PRC-affiliated groups, particularly their increasing reliance on trusted third-party services, a tactic that has become more prevalent in recent years.
The compromised service has since been taken offline, and at present, there is no indication that the threat actor has retained access to Treasury information, according to the letter.
In response to the breach, Treasury officials have praised investments made under the Cybersecurity Enhancement Account (CEA), which provided essential tools for monitoring and responding to the attack.
As per the Federal Information Security Modernization Act (FISMA), the Treasury has designated this incident as a major cybersecurity event.
The Washington Post remarks that the breach follows a series of high-profile cyber attacks attributed to China.
Earlier this year, the Chinese hacking group known as Salt Typhoon infiltrated over a dozen U.S. telecommunications firms, enabling it to intercept phone calls and text messages, including those of President-elect Donald Trump and Vice President-elect JD Vance.