It is confirmed that the US Treasury Department was hacked in a significant cybersecurity breach attributed to a Chinese state-sponsored Advanced Persistent Threat (APT) actor. The intrusion, first identified on December 8, 2024, involved unauthorized access to Treasury workstations and unclassified documents through a third-party software provider.
In a letter obtained by CNN, Assistant Secretary for Management Aditi Hardikar disclosed that hackers exploited a stolen key to bypass security protocols and remotely access specific Treasury workstations. The breach was facilitated through BeyondTrust, a third-party cloud-based service used for technical support.
The attack, which BeyondTrust traced back to December 2, involved “anomalous behavior” within its Remote Support product. After confirming the activity, BeyondTrust notified affected customers on December 5 and publicly disclosed the incident three days later.
A Treasury spokesperson assured the public that the compromised service has been taken offline and stated:
“There is no evidence indicating the threat actor has continued access to Treasury systems or information.”
The Treasury Department is collaborating with multiple agencies, including:
Law enforcement has been notified, and BeyondTrust has hired an external cybersecurity firm to investigate the root cause and implement measures to prevent future breaches.
In line with Treasury policy, such intrusions are classified as “major cybersecurity incidents,” triggering mandatory updates to lawmakers. Treasury plans to provide a supplemental report within 30 days and will hold a classified briefing for the House Financial Services Committee in the coming week.
The exact number of compromised workstations and the full extent of the damage remain unclear. However, the attackers reportedly accessed unclassified documents and Treasury Departmental Office workstations. The stolen key allowed the threat actors to override the service’s security measures.
BeyondTrust has suspended and quarantined the affected instances of its product while investigating the breach. A spokesperson for the company emphasized that no other products were involved in the attack and affirmed the company’s commitment to supporting investigative efforts.
“Law enforcement was notified, and BeyondTrust has been supporting the investigative efforts,” the company said in a statement.
This breach underscores the persistent threat posed by advanced state-sponsored cyber actors. Hardikar noted in her letter that such incidents are a stark reminder of the vulnerabilities in third-party software services and the potential impact on national security infrastructure.
While the Treasury Department works to fully assess the damage, the incident has already triggered increased scrutiny of cybersecurity measures, especially those concerning third-party vendors. Future updates are expected as investigations continue and policymakers analyze the breach’s implications.
This incident adds to growing concerns over the cybersecurity landscape and emphasizes the need for robust defenses against sophisticated, state-sponsored cyberattacks.