Chinese state-sponsored hackers infiltrated the US Treasury Department’s systems earlier this month, gaining access to employee workstations and some unclassified documents, US officials confirmed on Monday. The breach, described by the Treasury Department as a “major incident,” has prompted an ongoing investigation by the FBI and other agencies.
In a letter to lawmakers, the Treasury Department explained that the hackers, believed to be based in China, bypassed security systems through a vulnerability in a third-party service provider’s application. The compromised service, BeyondTrust, offers remote technical support to Treasury employees. While the third-party service has been taken offline, the department emphasized that no further unauthorized access has been detected.
The breach was first identified by BeyondTrust on December 8, although suspicious activity had been flagged as early as December 2. It took several days for the company to confirm that it had been hacked. The hackers reportedly used the service to remotely access several Treasury user workstations, obtaining some unclassified documents, but there were no indications of an attempt to steal funds.
The Treasury Department is working closely with the Cybersecurity and Infrastructure Security Agency (CISA) and third-party forensic investigators to assess the full impact of the breach. Initial reports suggest that the intrusion was likely carried out by a “China-based Advanced Persistent Threat (APT) actor,” a group of hackers associated with espionage activities.
“This intrusion is being treated as a major cybersecurity incident, in accordance with Treasury policy,” said Treasury Department officials. They added that investigations are still underway to determine the scope of the compromise, including the specific nature of the files accessed and whether any additional accounts or passwords were created or altered by the attackers.
China has strongly denied the allegations, with foreign ministry spokesperson Mao Ning labeling the claims “baseless.” She reiterated China’s stance against hacking and rejected what she described as “false information” aimed at targeting China for political purposes. The Chinese embassy in Washington DC also dismissed the accusations as part of a “smear attack,” urging the US to stop spreading disinformation about Chinese hacking threats.
The breach follows a series of high-profile cyberattacks attributed to Chinese espionage, including a December hack that potentially compromised sensitive telecom data in the US. The Treasury Department has pledged to continue strengthening its cybersecurity measures and will provide a supplemental report on the incident to lawmakers within 30 days.