The U.S. Treasury asserts that Chinese cybercriminals pilfered documents in a "major incident."
Cybercriminals backed by the Chinese government infiltrated the U.S. Department of the Treasury's digital security protocols this month and illicitly obtained documents in what the Treasury described as a "major incident," according to a communication to legislators that Treasury representatives furnished to Reuters on Monday.
The perpetrators gained unauthorized access to BeyondTrust, a third-party cybersecurity service provider, and were successful in acquiring unclassified documents, the communication stated.
As per the communication, the perpetrators "gained access to a key used by the vendor to secure a cloud-based service used to remotely provide technical support for Treasury Departmental Offices (DO) end users. With access to the stolen key, the threat actor was able to override the service’s security, remotely access certain Treasury DO user workstations, and access certain unclassified documents maintained by those users."
"Based on available indicators, the incident has been attributed to a China state-sponsored Advanced Persistent Threat (APT) actor," the communication conveyed.
The Department of the Treasury indicated it was informed of the intrusion by BeyondTrust on December 8 and that it is collaborating with the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the FBI to evaluate the ramifications of the cyberattack.
Treasury representatives did not promptly acknowledge an electronic mail seeking supplementary specifics concerning the intrusion. The FBI did not immediately respond to Reuters' requests for comment, while CISA redirected queries back to the Department of the Treasury.
"China has always opposed all forms of hacker attacks," Mao Ning, a representative for China's foreign ministry, conveyed at a scheduled news briefing on Tuesday.
A representative for the Chinese Embassy in Washington denied any accountability for the cyberattack, stating that Beijing "firmly opposes the U.S.'s smear attacks against China without any factual basis."
A representative for BeyondTrust, located in Johns Creek, Georgia, informed Reuters via electronic mail that the company "previously identified and took measures to address a security incident in early December 2024" involving its remote assistance offering. BeyondTrust "notified the limited number of customers who were involved," and law enforcement was informed, the representative articulated. "BeyondTrust has been supporting the investigative efforts."
The representative referenced a declaration published on the company's internet site on December 8 sharing particular specifics from the investigation, encompassing that a digital key had been compromised in the occurrence and that an inquiry was underway. That declaration was last updated on December 18.
Tom Hegel, a threat investigator at the cybersecurity firm SentinelOne, stated that the reported security occurrence "fits a well-documented pattern of operations by PRC-linked groups, with a particular focus on abusing trusted third-party services - a method that has become increasingly prominent in recent years," he articulated, employing an acronym for the People's Republic of China.