US Treasury Department Confirms China Cyberattack: What It Means for National Security

A recent disclosure to Congress revealed that the US Treasury Department experienced a significant cyber breach attributed to a state-sponsored actor from China. This incident, which occurred earlier this month, allowed hackers to remotely access some computers within the Treasury, specifically targeting “certain unclassified documents.”

The hackers exploited vulnerabilities in remote tech support software from BeyondTrust, stealing an authentication key to gain unauthorized access. Treasury officials confirmed that BeyondTrust notified them of the incident on December 8, detailing how the attackers bypassed system defenses. In a statement, Aditi Hardikar, assistant secretary for management at the Treasury, characterized the incident as major, given its attribution to an Advanced Persistent Threat (APT) actor.

Following the discovery, the compromised BeyondTrust service was taken offline, and Treasury officials indicated that no continued access by the attackers had been detected. The Treasury has since collaborated with the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) to evaluate the extent of the breach. However, neither Treasury nor the FBI has provided further details on the matter.

BeyondTrust had previously issued alerts about a security incident involving a limited number of its clients, although it did not specifically name the Treasury as affected. The nature of the vulnerabilities exploited included critical command injection flaws, which are known to be easily identifiable yet were still present in products designed for secure remote access.

The timing of this breach coincides with ongoing cyber espionage efforts connected to a hacking group, identified as Salt Typhoon, which has targeted multiple US telecommunications companies. This has raised concerns among officials about inadequate cybersecurity measures in place for critical infrastructure managed by private companies.

As investigations continue, experts like Jake Williams from Hunter Strategy have voiced concerns that the true impact of the breach may extend beyond a few unclassified documents, suggesting that the full scope of this vulnerability could be much more significant. The Treasury Department is expected to provide more insights in a mandated 30-day report following the incident.
