The U.S. Treasury Department has notified members of Congress that an actor, believed to be backed by the Chinese government, infiltrated Treasury workstations, an incident officials are calling "significant." According to a letter reviewed by CNN, a Treasury official stated that on December 8th, a third-party software service provider informed them that a threat actor had used stolen keys to remotely access certain Treasury workstations and unclassified files.
Aditi Hardikar, the Assistant Secretary for Management at the U.S. Treasury Department, wrote in the letter, "Based on available indications, this incident is attributed to a Chinese government-backed advanced persistent threat (APT) actor." A Treasury spokesperson stated to CNN that the affected service has been taken offline and that officials are cooperating with law enforcement and the Cybersecurity and Infrastructure Security Agency (CISA). The spokesperson also stated, "There is no evidence that the threat actor is still able to access Treasury systems or information."
A senior committee staffer told CNN that Treasury officials plan to hold a classified briefing with staff from the House Financial Services Committee next week regarding the breach, though the specific timing has not been determined. According to letters sent to the leaders of the Senate Banking Committee, the third-party software service provider, BeyondTrust, stated that hackers obtained keys used by the vendor to secure a cloud-based service that the Treasury uses for technical support.
The Treasury letter noted, "By gaining access to the stolen keys, the threat actor was able to bypass the service’s security, remotely access certain Treasury [department office] user workstations, and access some unclassified files maintained by those users." BeyondTrust stated that it detected a security incident involving its remote support product on December 2nd and, after confirming "anomalous behavior" on December 5th, notified a "limited number" of affected customers.
The company posted information about the incident on its website on December 8th and has been updating its progress in investigating the cause and mitigating future threats. The company stated that it has suspended and isolated the affected product instance and has engaged an external cybersecurity team to conduct an investigation. A BeyondTrust spokesperson stated that "No other BeyondTrust products are involved," adding that "Law enforcement has been notified and BeyondTrust has been supporting the investigation."
It is unclear exactly how many workstations were infiltrated, though a Treasury spokesperson said in a statement that "multiple" Treasury user workstations were accessed. Hardikar stated in the letter that, under Treasury policy, intrusions attributed to advanced persistent threat actors are considered "significant cybersecurity incidents." Treasury officials must provide updates in a 30-day supplemental report.
It is not yet clear whether the Treasury has fully determined the extent of the damage caused by the breach. Hardikar wrote in the letter that the Treasury has been working with CISA, the FBI, U.S. intelligence agencies, and third-party forensic investigators to "fully characterize the incident and determine its overall impact." "CISA immediately engaged after Treasury learned of the attack, and immediately contacted the rest of the administering agencies after the scope of the attack became apparent," the letter stated.