The US Department of the Treasury has confirmed a major cybersecurity breach involving the exploitation of BeyondTrust, a third-party vendor providing remote support services to the Treasury Departmental Offices (DO). Hackers linked to the Chinese government infiltrated Treasury systems earlier this month, gaining unauthorised access to employee workstations and unclassified documents. Treasury officials disclosed the incident in a detailed letter, describing it as a “major incident” under federal cybersecurity regulations.

The breach was initiated through the compromise of BeyondTrust’s cloud-based service, which the Treasury uses for technical support. The attackers reportedly obtained a critical security key for that service, which allowed them to override its safeguards and bypass security controls, remotely access certain Treasury workstations, and retrieve unclassified documents stored by those users.

The Treasury was first alerted to the breach on 8 December, when BeyondTrust informed officials of the incident. BeyondTrust has not disclosed how the key was obtained but confirmed the affected services have been taken offline.

Upon learning of the breach, the Treasury immediately enlisted the support of the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and other intelligence bodies. Preliminary analysis attributed the attack to a Chinese state-sponsored Advanced Persistent Threat (APT) group, known for its sophisticated cyber operations targeting government and private sector systems globally.

While the specific APT group remains unnamed, the attribution aligns with a broader pattern of Chinese cyber espionage targeting US institutions. Treasury officials stated that as of 30 December, there is no evidence the hackers retain ongoing access to department systems.

In the letter, the Treasury highlighted its investment in robust cybersecurity protocols under the Cybersecurity Enhancement Account (CEA), which facilitated incident detection and response efforts. “Treasury takes very seriously all threats against our systems, and the data it holds,” emphasised Treasury spokesperson Michael Gwin. He added: “Over the last four years, Treasury has significantly bolstered its cyber defence, and we will continue to work with both private and public sector partners to protect our financial system from threat actors.”

The breach has been classified as a “major cybersecurity incident” under the Federal Information Security Modernization Act (FISMA). In compliance with federal guidelines, the Treasury will provide Congress with a comprehensive 30-day supplemental report on the incident.

The Chinese Embassy in Washington DC has denied allegations of involvement in the Treasury breach. A spokesperson for the embassy reportedly stated that the US government had not provided evidence to substantiate its claims, rejecting the attribution to Chinese actors.

Broader pattern of Chinese cyber operations

The Treasury breach comes amid a series of cyberattacks attributed to Chinese state-backed actors targeting US infrastructure. Earlier this year, a group identified as Salt Typhoon was linked to breaches at several major US telecommunications firms, including Verizon and AT&T.

These attacks reportedly aimed to intercept sensitive communications of senior US government officials and presidential candidates. Hackers are believed to have exploited their access to collect text messages, voicemails, and wiretap data from law enforcement investigations.

In light of the breach, US cybersecurity officials are urging the adoption of end-to-end encrypted communication tools, such as Signal, for senior government officials. These measures are part of broader efforts to mitigate risks from state-sponsored cyber threats.
