A Chinese state-sponsored hacker has successfully breached the US Treasury Department’s systems, gaining access to employee workstations and unclassified documents, American officials revealed on Monday.
The intrusion occurred in early December and was disclosed in a letter from the Treasury Department to lawmakers, notifying them of the incident.
The Treasury Department has classified this breach as a “major incident” and is collaborating with the FBI and other agencies to investigate its full impact.
However, a spokesperson for the Chinese embassy in Washington DC dismissed the accusation, calling it a “smear attack” made “without any factual basis.”
According to the Treasury’s letter, the China-based actor bypassed security measures by exploiting a key used by BeyondTrust, a third-party service provider offering remote technical support to Treasury employees.
BeyondTrust Vulnerabilities
BeyondTrust has disclosed severe security vulnerabilities (CVE-2024-12356 & CVE-2024-12686) in its Privileged Remote Access (PRA) and Remote Support (RS) products that could allow attackers to execute unauthorized system commands.
The compromised BeyondTrust service has since been taken offline, and officials stated that no evidence suggests the hacker has maintained access to Treasury Department information.
The department was alerted to the breach on December 8 by BeyondTrust. The company reported that suspicious activity was first detected on December 2, but it took three days to confirm the hack.
The intruder was able to remotely access several Treasury user workstations and certain unclassified documents stored by those users.
While the exact nature of the accessed files and the hack’s duration remains undisclosed, the department emphasized that the compromised systems contained unclassified information.
The level of confidentiality of the affected computer systems was not specified, leaving questions about the potential value of the accessed data.
The hackers, believed to be espionage agents, were likely seeking information rather than attempting to steal funds. During the three-day window between detection and confirmation, they may have had the opportunity to create accounts or alter passwords.
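One check a defender would run after a remote-support vendor key is compromised is an audit of account creations and password changes inside the suspected intrusion window. The script below is an added example, not code from the article or from BeyondTrust or the Treasury; it parses constructed log lines in a simplified key=value format, and the window dates (December 2 to December 5) are assumed from the article's detection-to-confirmation timeline. The Windows Security event IDs are real values; the log format, account names and timestamps are constructed for the example.

```python
"""Added example: flag account creations and password changes that fall
inside a suspected intrusion window. Log lines are constructed; the log
format is simplified and is not a real Windows export format."""
from datetime import datetime, timezone
from typing import List, NamedTuple, Tuple

# Real Windows Security event IDs worth reviewing after a credential compromise.
WATCHED_EVENTS = {
    4720: "user account created",
    4724: "password reset attempted on another account",
    4723: "user changed own password",
}


class Finding(NamedTuple):
    when: datetime
    event_id: int
    actor: str
    target: str
    description: str


def parse_line(line: str) -> Tuple[datetime, int, str, str]:
    """Parse one constructed line such as
    '2024-12-03T02:14:09Z EventID=4720 Actor=svc_remote Target=bkup_admin'."""
    stamp, fields = line.split(" ", 1)
    kv = dict(field.split("=", 1) for field in fields.split())
    when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, int(kv["EventID"]), kv["Actor"], kv["Target"]


def audit_window(lines: List[str], start: datetime, end: datetime) -> List[Finding]:
    """Return watched events whose timestamp lies within [start, end]."""
    findings = []
    for line in lines:
        when, event_id, actor, target = parse_line(line)
        if event_id in WATCHED_EVENTS and start <= when <= end:
            findings.append(Finding(when, event_id, actor, target, WATCHED_EVENTS[event_id]))
    return findings


def targets_by_actor(findings: List[Finding]) -> dict:
    """Group touched accounts by the account that performed the action,
    so a single remote-support identity touching many accounts stands out."""
    grouped: dict = {}
    for f in findings:
        grouped.setdefault(f.actor, set()).add(f.target)
    return grouped


# Constructed sample log: one event before the window, two inside it,
# one unrelated logon event, and one after the window.
SAMPLE_LOG = [
    "2024-12-01T09:30:00Z EventID=4720 Actor=hr_admin Target=new_hire01",
    "2024-12-03T02:14:09Z EventID=4720 Actor=svc_remote Target=bkup_admin",
    "2024-12-03T02:15:40Z EventID=4624 Actor=svc_remote Target=svc_remote",
    "2024-12-04T23:48:12Z EventID=4724 Actor=svc_remote Target=analyst07",
    "2024-12-07T11:00:00Z EventID=4723 Actor=analyst07 Target=analyst07",
]

# Assumed window: first suspicious activity on December 2, confirmation three days later.
WINDOW_START = datetime(2024, 12, 2, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 12, 5, 23, 59, 59, tzinfo=timezone.utc)

if __name__ == "__main__":
    hits = audit_window(SAMPLE_LOG, WINDOW_START, WINDOW_END)
    for hit in hits:
        print(f"{hit.when.isoformat()} {hit.event_id} {hit.actor} -> {hit.target}: {hit.description}")
    print("accounts touched per actor:", targets_by_actor(hits))
```

Run as written, it flags the account created by `svc_remote` on December 3 and the password reset on December 4, and ignores both the routine logon event and the changes outside the window; in practice the input would be an export of the Security log (or the remote-support product's own session audit trail) rather than constructed lines.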
Treasury officials have characterized the attack as originating from a “China-based Advanced Persistent Threat (APT) actor.” The department’s policy considers intrusions attributable to an APT as major cybersecurity incidents.
In response to the breach, a Treasury spokesperson emphasized the department’s commitment to protecting its systems and data from external threats. A supplemental report providing more details on the incident is expected to be submitted to lawmakers within 30 days.
Chinese embassy spokesman Liu Pengyu disputed the Treasury’s claims, stating that it can be challenging to trace the origin of hackers. He called for a “professional and responsible attitude” when characterizing cyber incidents and urged the US to “stop using cybersecurity to smear and slander China.”
This breach is the latest in a series of high-profile US cybersecurity incidents attributed to Chinese espionage hackers. It follows another recent hack of telecommunications companies in December, potentially compromising phone record data across a broad spectrum of American society.
The Treasury Department hack underscores the ongoing challenges faced by government agencies in safeguarding sensitive information against sophisticated state-sponsored cyber threats.
As investigations continue, the incident is likely to fuel further discussions on cybersecurity measures and international relations between the United States and China.