In a significant cybersecurity breach earlier this month, Chinese state-backed hackers infiltrated U.S. Treasury Department systems and stole unclassified documents. Treasury officials described the breach as a “major incident” in a letter to lawmakers, which was later obtained by Reuters.
Exploiting a Third-Party Security Provider
The hackers gained access by compromising BeyondTrust, a third-party cybersecurity vendor whose cloud-based service the Treasury Department uses to provide remote technical support to its end users. Using a stolen key that the vendor used to secure that cloud service, the attackers overrode the service’s security controls, remotely accessed Treasury Department workstations and retrieved unclassified documents. The vendor’s key, not a Treasury credential, was the entry point: any customer that trusted the same service was exposed to the same key.
The incident has been attributed to a Chinese state-sponsored cyber group, a threat often referred to as an Advanced Persistent Threat (APT) actor. This breach is especially concerning, given the Treasury Department’s role in monitoring global financial systems and its recent involvement in imposing U.S. sanctions on China.
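The attack path described above, a vendor API key for a cloud remote-support service being used to open sessions on customer workstations, is something a customer can look for in the service’s own audit logs. The following is an added detection sketch written for this article; it is not code from BeyondTrust, the Treasury, or the Reuters reporting. The `key=value` log format, the key IDs (`vendor-int-01`, `helpdesk-user-17`), the source-IP allowlist, the workstation names and the sample lines are all constructed assumptions; substitute your vendor’s real schema and the source ranges the vendor has documented for its integration keys.

```python
"""Detection sketch: flag remote-support sessions opened with a vendor API key
from unexpected sources, without a support ticket, or fanning out across many
workstations. Log format, key IDs, IP ranges and field names are assumptions
constructed for this example, not any vendor's real schema."""
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample audit lines (assumed key=value format, UTC timestamps).
SAMPLE_LOG = """\
ts=2024-12-02T03:11:05Z event=session_start key_id=vendor-int-01 source_ip=203.0.113.7 target=DO-WS-0142 ticket=-
ts=2024-12-02T03:12:40Z event=session_start key_id=vendor-int-01 source_ip=203.0.113.7 target=DO-WS-0217 ticket=-
ts=2024-12-02T03:14:02Z event=session_start key_id=vendor-int-01 source_ip=203.0.113.7 target=DO-WS-0305 ticket=-
ts=2024-12-02T03:15:30Z event=file_download key_id=vendor-int-01 source_ip=203.0.113.7 target=DO-WS-0305 ticket=-
ts=2024-12-02T14:20:11Z event=session_start key_id=vendor-int-01 source_ip=198.51.100.23 target=DO-WS-0099 ticket=INC-44871
ts=2024-12-02T14:35:50Z event=session_start key_id=helpdesk-user-17 source_ip=192.0.2.44 target=DO-WS-0142 ticket=INC-44880
"""

# Assumed: which key IDs are machine (API) keys rather than human logins, and
# which source networks the vendor has said each API key will ever be used from.
API_KEYS = {"vendor-int-01"}
ALLOWED_SOURCES = {"vendor-int-01": [ipaddress.ip_network("198.51.100.0/24")]}
FANOUT_THRESHOLD = 3  # distinct workstations per API key per day before alerting

LINE_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn one key=value audit line into a dict; None if it is not an event line."""
    fields = dict(LINE_RE.findall(line))
    if "ts" not in fields or "event" not in fields:
        return None
    fields["ts"] = datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return fields


def source_allowed(key_id, source_ip):
    """True if the key has no registered allowlist or the IP falls inside it."""
    nets = ALLOWED_SOURCES.get(key_id)
    if nets is None:
        return True  # nothing to compare against; cannot judge this key
    ip = ipaddress.ip_address(source_ip)
    return any(ip in net for net in nets)


def analyze(log_text):
    """Return a list of (rule, detail) findings for API-key activity in the log."""
    findings = []
    targets_per_key_day = defaultdict(set)
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        key = ev.get("key_id", "")
        if key not in API_KEYS:
            continue  # human help-desk logins are covered by other rules
        detail = f"{key} from {ev['source_ip']} -> {ev['target']} at {ev['ts']:%Y-%m-%dT%H:%M:%SZ}"
        # Rule 1: the vendor's key used from a network the vendor never uses.
        if not source_allowed(key, ev["source_ip"]):
            findings.append(("api_key_from_unexpected_source", detail))
        if ev["event"] == "session_start":
            # Rule 2: a support session nobody asked for (no ticket reference).
            if ev.get("ticket", "-") == "-":
                findings.append(("api_key_session_without_ticket", detail))
            targets_per_key_day[(key, ev["ts"].date())].add(ev["target"])
    # Rule 3: one key reaching many workstations in a day (collection, not support).
    for (key, day), targets in targets_per_key_day.items():
        if len(targets) >= FANOUT_THRESHOLD:
            findings.append(("api_key_fanout", f"{key} reached {len(targets)} workstations on {day}"))
    return findings


def summarize(findings):
    """Count findings per rule, e.g. {'api_key_fanout': 1, ...}."""
    return dict(Counter(rule for rule, _ in findings))


if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_LOG):
        print(f"{rule}: {detail}")
    print(summarize(analyze(SAMPLE_LOG)))
```

On the constructed sample, the three early-morning sessions and the file download from 203.0.113.7 trip the source rule, the three ticketless sessions trip the ticket rule, and the four distinct workstations reached in one day trip the fan-out rule, while the ticketed afternoon session from the vendor’s documented range and the human help-desk login produce nothing. The source allowlist is the rule with the least noise, but it only works if the vendor actually publishes the ranges its integration keys are used from; the other two rules are the fallback when it does not.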
Breach Detected and Response Initiated
BeyondTrust first detected anomalous activity on December 2 and confirmed by December 5 that a breach had occurred. It notified the Treasury Department on December 8, three days after confirmation. In response, the Treasury worked with the FBI and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to assess the impact of the breach.
While Treasury officials have not provided further details about the breach, investigations are ongoing to determine the full extent of the compromise.
China Denies Responsibility
In the wake of the allegations, China strongly denied any involvement in the breach. Mao Ning, a spokesperson for China’s foreign ministry, reiterated Beijing’s stance against all forms of cyberattacks. The Chinese Embassy in Washington dismissed the claims as “baseless,” accusing the U.S. of using cybersecurity as a tool to smear China.
“The U.S. needs to stop using cybersecurity to slander China,” said Liu Pengyu, a spokesperson for the Chinese embassy. “These accusations are without any factual basis.”
BeyondTrust’s Statement and Action
BeyondTrust, based in Johns Creek, Georgia, confirmed the breach and published a statement detailing its response. The company said the compromised key was an API key for its Remote Support SaaS product and was central to the attack. BeyondTrust said the breach affected only a limited number of its Remote Support SaaS customers, that it had revoked the key and taken other corrective measures, and that it was supporting the ongoing investigations.
The company’s public statement, initially released on December 8, was updated with additional details on December 18 as the investigation continued.
Part of a Larger Cybersecurity Trend
Cybersecurity experts have noted that this breach is consistent with tactics often used by China-linked groups. Tom Hegel, a threat researcher at SentinelOne, said the attack follows a well-established pattern of going after trusted third-party services rather than the target directly. The approach has become increasingly common in recent years: a single compromised vendor credential or service can open a path into every customer that trusts it, which is exactly what a stolen remote-support key does.
This incident is one in a growing list of cyberattacks attributed to Chinese hacking groups. Also in December, U.S. officials disclosed further details of an intrusion campaign against U.S. telecom companies that may have exposed phone record data across a wide swath of the population.
The U.S. has attributed these attacks to two Chinese-linked groups: Volt Typhoon and Salt Typhoon. Volt Typhoon is accused of targeting critical infrastructure for potential disruption, while Salt Typhoon has been linked to espionage activities, including the telecom breach.