2024-12-31

In a 'major incident' of a cyberattack, a Chinese state-sponsored actor allegedly gained access to US Treasury workstations and unclassified documents.

The US Treasury Department said on Monday that China state-sponsored hackers breached the department's computer security guardrails this month and stole documents, according to a letter to lawmakers that Treasury officials provided to Reuters. Treasury called it a "major incident."

What happened?

The incident occurred earlier this month, when the hackers compromised a third-party cybersecurity service provider, BeyondTrust, and were able to remotely access Treasury workstations and some unclassified documents, a Treasury spokesperson was quoted by AFP as saying.

Treasury contacted the Cybersecurity and Infrastructure Security Agency (CISA) after its provider BeyondTrust alerted it to the situation on December 8. It said it was working with CISA and the FBI to assess the hack's impact.

According to the letter, hackers “gained access to a key used by the vendor to secure a cloud-based service used to remotely provide technical support for Treasury Departmental Offices (DO) end users. With access to the stolen key, the threat actor was able to override the service’s security, remotely access certain Treasury DO user workstations, and access certain unclassified documents maintained by those users."

Treasury officials didn't immediately respond to an email seeking further details about the hack. The FBI did not immediately respond to Reuters' requests for comment, while CISA referred questions back to the Treasury Department.

In its letter to the leadership of the Senate Banking Committee, the Treasury said: "Based on available indicators, the incident has been attributed to a China state-sponsored Advanced Persistent Threat (APT) actor."

China reacts

A spokesperson for the Chinese Embassy in Washington rejected any responsibility for the hack, saying that Beijing "firmly opposes the US's smear attacks against China without any factual basis."

Action taken

A spokesperson for BeyondTrust, based in Johns Creek, Georgia, told Reuters in an email that the company "previously identified and took measures to address a security incident in early December 2024" involving its remote support product.

BeyondTrust "notified the limited number of customers who were involved," and law enforcement was notified, the spokesperson said. "BeyondTrust has been supporting the investigative efforts."

"The compromised BeyondTrust service has been taken offline and there is no evidence indicating the threat actor has continued access to Treasury systems or information," the department's spokesperson was quoted by AFP as saying.

Tom Hegel, a threat researcher at cybersecurity company SentinelOne, said the reported security incident "fits a well-documented pattern of operations by PRC-linked groups, with a particular focus on abusing trusted third-party services - a method that has become increasingly prominent in recent years," using an acronym for the People's Republic of China.