US Treasury says Chinese hackers stole documents in ‘major incident’ By Reuters


By Raphael Satter and AJ Vicens

WASHINGTON (Reuters) – State-sponsored Chinese hackers breached the U.S. Treasury Department’s computer security barriers this month and stole documents in what the Treasury called a “major incident,” according to a letter to lawmakers that Treasury officials provided to Reuters on Monday.

The hackers compromised third-party cybersecurity services provider BeyondTrust and were able to access unclassified documents, according to the letter.

According to the letter, the hackers “gained access to a key used by the vendor to protect a cloud-based service used to remotely provide technical support to end users at the Treasury Departmental Offices (DO). With access to the stolen key, the threat actor was able to override the security of the service, remotely access certain workstations of Treasury DO users, and access certain unclassified documents maintained by those users.”

The Treasury Department said BeyondTrust alerted it to the breach on Dec. 8 and that it was working with the U.S. Cybersecurity and Infrastructure Security Agency and the FBI to assess the impact of the attack.

Treasury officials did not immediately respond to an email seeking more details about the attack. The FBI did not immediately respond to Reuters requests for comment, while CISA referred questions to the Treasury Department.

A spokesman for the Chinese embassy in Washington rejected any responsibility for the attack and said Beijing “firmly opposes the United States’ defamatory attacks against China without any factual basis.”

A spokesperson for BeyondTrust, based in Johns Creek, Georgia, told Reuters in an email that the company “previously identified and took action to address a security incident in early December 2024” involving its remote support product. BeyondTrust “notified the limited number of customers involved” and authorities were notified, the spokesperson said. “BeyondTrust has been supporting research efforts.”

© Reuters. FILE PHOTO: A Treasury Department bronze seal is displayed at the U.S. Treasury building in Washington, U.S., January 20, 2023. REUTERS/Kevin Lamarque/File Photo

The spokesperson referred to a statement posted on the company’s website on December 8 that shared some details of the investigation, including that a digital key had been compromised in the incident and that an investigation was underway. That statement was last updated on December 18.

Tom Hegel, a threat researcher at cybersecurity company SentinelOne, said the reported security incident “fits a well-documented pattern of operations by PRC-linked groups, with a particular focus on the abuse of trusted third-party services, a method that has become increasingly prominent in recent years,” using an acronym for the People’s Republic of China.
