The U.S. Treasury revealed in a letter to lawmakers on Monday that it suffered a cyberattack in December, which has been attributed to Chinese government-linked hackers.
According to the letter, which TechCrunch reviewed, the hackers remotely accessed certain employee workstations and unclassified documents in what the Treasury described as a “major cybersecurity incident.” The breach was discovered on December 8 when BeyondTrust, a company offering identity access and remote support tools, alerted the Treasury that hackers had compromised a key used for providing remote technical support to its employees
BeyondTrust confirmed notifying a limited number of affected customers but did not specify how the key was obtained. The company did not name the Treasury in its disclosures.
The Treasury sought assistance from the Cybersecurity and Infrastructure Security Agency (CISA) and reported that, as of December 30, there was no evidence of ongoing unauthorized access. The department attributed the breach to a state-sponsored Chinese advanced persistent threat group but did not identify the specific group involved.
Treasury spokesperson Michael Gwin stated that the hackers accessed several user workstations and unclassified documents but emphasized the department’s commitment to bolstering its cybersecurity defenses. The spokesperson highlighted significant improvements in Treasury’s cyber defenses over the past four years and its continued collaboration with public and private partners to protect against threats.
This breach follows a series of cyberattacks attributed to China, including operations by a group known as Salt Tycoon targeting U.S. telecommunications companies and internet service providers to access senior officials’ private communications. In response, Liu Pengyu, a spokesperson for the Chinese Embassy in Washington, denied the U.S. government’s claims, arguing that no evidence was presented to support the attribution.