In what officials are calling a “major incident,” the US Treasury Department informed legislators Monday that a state-sponsored actor from China had compromised Treasury workstations.
In a letter reported by CNN, a Treasury official said the department received notification on December 8 from a third-party software service provider that a threat actor had gained remote access to some Treasury workstations and unclassified documents using a stolen key.
Aditi Hardikar, assistant secretary for management at the US Treasury, wrote in the letter, “The incident has been attributed to a Chinese state-sponsored Advanced Persistent Threat (APT) actor based on available indicators.”
The compromised service has been taken offline, and officials are collaborating with law enforcement and the Cybersecurity and Infrastructure Security Agency (CISA), a Treasury representative told CNN.
The Treasury spokeswoman stated, “There is no indication that the threat actor has continued access to Treasury systems or information.”
A senior committee source told CNN that Treasury officials will meet with House Financial Services Committee staffers next week to discuss the breach in a secret briefing. The briefing’s precise time has not yet been set.
During a routine news briefing on Tuesday, a representative for China’s Foreign Ministry denied the charge.
“We have defended our stance on such baseless charges without supporting documentation on numerous occasions,” Mao Ning, a foreign ministry official, stated. “China has always opposed all forms of cyberattacks, and we are even more opposed to spreading false information about China for political purposes.”
The third-party software service provider, BeyondTrust, said in the letter to the Senate Banking Committee leadership that hackers had obtained a key that the vendor used to secure a cloud-based service that Treasury employs for technical support.
According to the Treasury letter, “the threat actor was able to remotely access certain Treasury [Departmental Office] user workstations, override the service’s security, and access certain unclassified documents maintained by those users with access to the stolen key.”
After confirming on December 5 that it had verified “anomalous behavior” in its Remote Support product, BeyondTrust stated it had discovered a security problem that occurred on December 2 and alerted the “limited number” of clients concerned.
Since December 8, it has been updating its website with information about the incident, including its work in determining the cause and preventing similar incidents in the future. According to the company, it engaged a third-party cybersecurity team to look into the issue and suspended and quarantined the affected product instances.
According to a BeyondTrust representative, “no other BeyondTrust products were involved.” “BeyondTrust has been assisting with the investigation since law enforcement was informed.”
The precise number of compromised workstations is unknown. But according to the Treasury spokesperson’s statement, “several” workstations belonging to Treasury users were accessed.
Under Treasury policy, breaches attributable to advanced persistent threat actors are regarded as “major cybersecurity incidents,” Hardikar’s letter noted. Treasury officials must provide a 30-day supplemental report with an update.
It’s unclear if Treasury has assessed the entire scope of the breach’s impact.
In the letter, Hardikar stated that Treasury has been collaborating with CISA, the FBI, US intelligence agencies, and outside forensic investigators to “fully define the incident and establish its overall impact.”
The letter stated that as soon as Treasury learned of the attack, CISA was engaged, and as soon as the attack’s extent became clear, the other government agencies were notified.