China-backed hackers breached US Treasury Department workstations

CNN

The US Treasury Department notified lawmakers on Monday that a Chinese state-sponsored actor infiltrated Treasury workstations in what officials described as a “major incident.”

In a letter reviewed by CNN, a Treasury secretary said the department was informed by a third-party software provider on Dec. 8 that a threat actor had used a stolen key to remotely access certain Treasury workstations and unclassified documents.

“Based on available indicators, the incident has been attributed to a Chinese state-sponsored Advanced Persistent Threat (APT) actor,” Aditi Hardikar, assistant secretary for management at the US Treasury Department, wrote in the letter.

A Treasury Department spokesman said in a statement to CNN that the compromised service has been taken offline and officials are working with law enforcement and the Cybersecurity and Infrastructure Security Agency (CISA).

“There is no evidence to indicate that the threat actor has continued access to Treasury systems or information,” the Treasury spokesman said.

Treasury officials plan to hold a classified briefing on the breach next week with House Financial Services Committee staff, a senior committee official told CNN. The exact time of the briefing has not yet been scheduled.

According to the letter to Senate Banking Committee leadership, third-party software service provider BeyondTrust said hackers gained access to a key used by the vendor to secure a cloud-based service Treasury uses for technical support.

“With access to the stolen key, the threat actor was able to override the security of the service, remotely access certain Treasury (Departmental Office) user workstations and gain access to certain unclassified documents maintained by those users,” the Treasury Department letter said.

BeyondTrust did not immediately respond to a request for comment.

It is not clear exactly how many workstations were infiltrated. But the Treasury spokesman said in the statement that “several” Treasury user workstations were accessed.

Hardikar said in the letter that based on Treasury Department policy, intrusions attributed to advanced persistent threat actors are considered a “major cybersecurity incident.” Treasury officials are required to provide an update in a 30-day supplemental report.

It is not clear whether the Treasury Department has fully determined the extent of the damage caused by the breach.

Hardikar wrote in the letter that in an effort to “fully characterize the incident and determine its overall impact,” the Treasury Department has been working with CISA, the FBI, US intelligence agencies and third-party forensic investigators.

“CISA was engaged immediately upon Treasury’s knowledge of the attack and the remaining governing bodies were contacted as soon as the scope of the attack became apparent,” the letter said.

This is a developing story and will be updated.