
Treasury workstations hacked by China-linked threat actors

According to a letter sent to Senate leaders and obtained by CyberScoop, the compromises occurred through third-party software provider BeyondTrust, which provides identity and access management security solutions.
Treasury officials were notified by BeyondTrust on Dec. 8 that “a threat actor had gained access to a key used by the vendor to secure a cloud-based service used to remotely provide technical support for Treasury Departmental Offices end users." (Image Via Getty)

The Department of Treasury was notified earlier this month that several of its workstations were hacked by a group believed to be linked to China, the department confirmed to CyberScoop.

According to a letter sent Monday to leaders on the Senate Committee on Banking, Housing and Urban Affairs and obtained by CyberScoop, the compromises occurred through third-party software provider BeyondTrust, which provides identity and access management security solutions.

Treasury officials were notified by BeyondTrust on Dec. 8 that “a threat actor had gained access to a key used by the vendor to secure a cloud-based service used to remotely provide technical support for Treasury Departmental Offices end users,” the letter states.

“With access to the stolen key, the threat actor was able to override the service’s security, remotely access certain Treasury DO user workstations, and access certain unclassified documents maintained by those users,” wrote Aditi Hardikar, Treasury’s assistant secretary for management.


In a statement sent to CyberScoop, a BeyondTrust spokesperson said the company first noticed anomalous activity on Dec. 2 and confirmed on Dec. 5 that it was affecting a “limited” number of Remote Support SaaS customers. The company said it posted an advisory about the incident on Dec. 8, and its timeline indicates that all identified instances were patched as of Dec. 16.

“No other BeyondTrust products were involved. Law enforcement was notified and BeyondTrust has been supporting the investigative efforts,” the statement said.

Hardikar wrote that the hacks are being classified as a “major incident” under the Federal Information Security and Modernization Act, and the department has been working with the Cybersecurity and Infrastructure Security Agency, the FBI, intelligence agencies, and third-party forensic investigators to scope out the full impact.

“Based on available indicators, the incident has been attributed to a China state-sponsored Advanced Persistent Threat actor,” Hardikar wrote.

In response to questions, a Treasury spokesperson said the threat actor was able to remotely access “several” Treasury user workstations as well as “certain unclassified documents” maintained by those users. The unnamed BeyondTrust service was taken offline and the department believes the actor no longer has access to Treasury systems or information.


News of the hacks was first reported by Barron’s and Agence France-Presse.

The incident comes as Washington policymakers are still reeling from a wide-ranging compromise of U.S. telecommunications infrastructure by Salt Typhoon, a hacking group linked to the Chinese government. Those compromises gave Beijing broad access to the phones and communications of high-ranking U.S. officials, reportedly including President-elect Donald Trump and Vice President-elect JD Vance.

This week, the White House said that while fewer than 100 individuals are believed to have been directly impacted by the Salt Typhoon intrusions, a larger group centered around Washington D.C. may have had their geolocation data stolen, something that could potentially allow Chinese intelligence agencies to identify the phones of additional targets.


Written by Derek B. Johnson

Derek B. Johnson is a reporter at CyberScoop, where his beat includes cybersecurity, elections and the federal government. Prior to that, he has provided award-winning coverage of cybersecurity news across the public and private sectors for various publications since 2017. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.
