Chinese cyberattack on US Treasury: Workstations breached, key documents exposed
A Chinese state-sponsored cyberattack breached the US Treasury by compromising a third-party remote support service. Workstations and unclassified documents were accessed, prompting federal action and raising concerns about cybersecurity in government agencies.
In a major cybersecurity breach, a Chinese state-sponsored actor reportedly gained access to Treasury workstations and unclassified documents. The incident was disclosed in an internal Treasury Department letter made public by Treasury officials on Monday, which highlighted weaknesses in the third-party software used by government agencies.
Details of cyberattack
A document reviewed by CNN found that the breach came after a threat actor used a stolen key to gain remote access to Treasury user workstations and unclassified documents. The compromise was discovered on December 8 through a notification from a third-party software service provider, BeyondTrust.
According to Aditi Hardikar, Assistant Secretary for Management at the US Treasury, “The incident has been attributed to a Chinese state-sponsored Advanced Persistent Threat (APT) actor.”
Steps taken to contain the incident
The compromised service has been taken offline to mitigate further risk. The Treasury Department is working closely with the Cybersecurity and Infrastructure Security Agency (CISA), law enforcement, and forensic investigators to assess the damage and prevent future incidents.
- A Treasury spokesperson assured that there is no evidence of ongoing access by the threat actor.
- Treasury officials are expected to provide a classified briefing to the House Financial Services Committee next week to discuss the breach in detail.
How did the breach occur?
BeyondTrust, the third-party vendor involved, said the attackers obtained a key used to secure a cloud-based technical support service used by the Treasury. With that key, the attackers bypassed the service's security controls, remotely accessed user workstations, and retrieved certain unclassified documents.
Hardikar’s letter emphasised that such intrusions are classified as "major cybersecurity incidents" under federal guidelines. The full impact of the breach is still under investigation.
"With access to the stolen key, the threat actor was able to override the service's security, remotely access certain Treasury [Departmental Office] user workstations, and access certain unclassified documents maintained by those users," the Treasury letter said.
Concerted efforts to minimise impact
The Treasury Department is cooperating with CISA, the FBI, US intelligence agencies, and third-party investigators to determine the full extent of the breach.
- Upon detection of the attack, Treasury responded immediately and notified all relevant agencies.
- Hardikar emphasised ongoing efforts to "fully characterise the incident and determine its overall impact."
What the breach means
This attack highlights the growth of state-sponsored cyber threats and the need for stronger cybersecurity measures. The breach is a reminder of the critical importance of securing the third-party systems embedded in government operations.