US Treasury Workstations Hacked By China In ‘Major Incident’

Matthew Broersma,
Linkedin
Image credit: US Treasury Department

US Treasury says workstations accessed by China-backed attackers and files accessed after compromise of third-party security provider

Getting your Trinity Audio player ready...

The US Treasury Department has notified lawmakers that a China state-sponsored attack group infiltrated workstations at the department this month and stole files in what it described as a “major incident”.

The hackers compromised a third-party cybersecurity service provided by BeyondTrust and gained access to unclassified documents, according to a letter sent by the Treasury.

The attackers gained access to a key used by the vendor to secure a cloud-based service that provides technical support for end users at Treasury departmental offices, the department said.

With access to the stolen key, the threat actor was able to override the service’s security, remotely access some workstations and access unclassified documents maintained by those users, the letter said.

Code displayed on a screen. Coding, hacking, open source, development, security.
Image credit: Unsplash

Third-party tool

The department said it was alerted to the breach by BeyondTrust on 8 December and that it was working with the US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI to assess the impact of the attack.

“Based on available indicators, the incident has been attributed to a Chinese state-sponsored Advanced Persistent Threat (APT) actor,” said US Treasury assistant secretary for management Aditi Hardikar in the letter.

The compromised service has been taken offline, the Treasury said in a separate statement.

“There is no evidence indicating the threat actor has continued access to Treasury systems or information,” the department stated.

Treasury officials are reportedly planning a classified briefing about the breach next week with staff members of the House Financial Services Committee.

A Treasury spokesperson said “several” workstations were breached, but did not provide a more precise indication of how many.

‘Major incident’

Hardikar said in the letter that intrusions attributed to advanced persistent threat actors are designated as a “major cybersecurity incident”, with Treasury officials required to provide an update in a 30-day supplemental report.

In an effort to “fully characterise the incident and determine its overall impact” the Treasury has been working with CISA, the FBI, US intelligence agencies and third-party forensic investigators, Hardikar said.

CISA was engaged “immediately” upon Treasury’s knowledge of the attack and the remaining governing bodies were contacted as soon as the scope of the attack became evident, the letter said.

The Chinese embassy in Washington, DC told Reuters the country rejected responsibility for the attack and that it opposes US “smear attacks against China without any factual basis”.