The US Treasury Department informed lawmakers on Monday that a Chinese state-sponsored actor infiltrated Treasury workstations in what officials are calling a “major incident.”
In a letter reviewed by CNN, a Treasury official stated that on December 8, a third-party software service provider informed them that a threat actor had used a stolen key to remotely access certain Treasury workstations and unclassified documents.
“Based on available indicators, the incident has been attributed to a Chinese state-sponsored Advanced Persistent Threat (APT) actor,” Aditi Hardikar, assistant secretary for management at the US Treasury, stated in the letter.
A Treasury spokesperson told CNN that the compromised service has been taken offline, and officials are collaborating with law enforcement and the Cybersecurity and Infrastructure Security Agency (CISA).
“There is no evidence that the threat actor has continued access to Treasury systems or information,” a Treasury spokesperson stated.
A senior committee staffer told CNN that Treasury officials intend to hold a classified briefing on the breach next week for House Financial Services Committee staffers. The exact timing of the briefing has not yet been determined.
According to the letter to Senate Banking Committee leadership, BeyondTrust, a third-party software service provider, reported that hackers gained access to a key used by the vendor to secure a cloud-based service that Treasury uses for technical support.
“With access to the stolen key, the threat actor was able to override the service’s security, remotely access certain Treasury [Departmental Office] user workstations, and access certain unclassified documents maintained by those users,” according to the Treasury letter.
BeyondTrust said it discovered a security incident involving its Remote Support product on December 2 and notified the “limited number” of customers affected after the company confirmed on December 5 that it had discovered “anomalous behavior” in the product.
It announced the incident on its website on December 8 and has since posted updates on its investigation into the root cause and on mitigations against similar attacks. The company stated that it had suspended and quarantined the affected product instances and hired an outside cybersecurity team to conduct an investigation.
“No other BeyondTrust products were involved,” a spokesperson stated. “Law enforcement was notified and BeyondTrust has been supporting the investigative efforts.”
It is unclear how many workstations were infiltrated. However, the Treasury spokesperson stated that “several” Treasury user workstations were accessed.
According to Hardikar’s letter, intrusions attributed to advanced persistent threat actors are considered a “major cybersecurity incident.” Treasury officials must provide an update in a 30-day supplemental report.
It’s unclear whether Treasury has fully assessed the damage caused by the breach.
Treasury has been working with CISA, the FBI, US intelligence agencies, and third-party forensic investigators to “fully characterize the incident and determine its overall impact,” according to Hardikar’s letter.
“CISA was engaged immediately upon Treasury’s knowledge of the attack, and the remaining governing bodies were contacted as soon as the scope of the attack became evident,” the notification stated.