Chinese state-sponsored hackers breached the US Treasury Department’s computer security guardrails this month and stole documents in what the Treasury called a “major incident”, according to a letter to lawmakers that Treasury officials provided to Reuters on Monday (Dec 30).
The hackers compromised third-party cybersecurity service provider BeyondTrust and were able to access unclassified documents, the letter said.
According to the letter, hackers “gained access to a key used by the vendor to secure a cloud-based service used to remotely provide technical support for Treasury Departmental Offices (DO) end users. With access to the stolen key, the threat actor was able to override the service’s security, remotely access certain Treasury DO user workstations, and access certain unclassified documents maintained by those users”.
The Treasury Department said it was alerted to the breach by BeyondTrust on Dec 8 and that it was working with the US Cybersecurity and Infrastructure Security Agency and the Federal Bureau of Investigation (FBI) to assess the hack’s impact.
Treasury officials did not immediately respond to an email seeking further details about the hack. The FBI did not immediately respond to Reuters’ requests for comment, while CISA referred questions back to the Treasury Department. A spokesperson for the Chinese Embassy in Washington rejected any responsibility for the hack, saying that Beijing “firmly opposes the US’s smear attacks against China without any factual basis”.
BeyondTrust, based in Johns Creek, Georgia, did not immediately respond to requests for comment, but on its website, the company said it had recently identified a security incident that involved a limited number of customers of its remote support software. The statement said a digital key had been compromised in the incident and that an investigation was under way.
Tom Hegel, a threat researcher at cybersecurity company SentinelOne, said it appeared the security incident described by BeyondTrust aligns closely with the reported hack at Treasury, though he cautioned that the company itself would need to confirm any connection.
“This incident fits a well-documented pattern of operations by PRC-linked groups, with a particular focus on abusing trusted third-party services – a method that has become increasingly prominent in recent years,” he said, using an acronym for the People’s Republic of China.
Source: CNA
