
Chinese hackers breach US Treasury in ‘major’ cyber attack

Hackers accessed workstations and unclassified documents, department says

Gustaf Kilander,Maroosha Muzaffar
Tuesday 31 December 2024 07:27 GMT


The US Treasury has been hacked by suspected Chinese actors who accessed government workstations and unclassified documents, officials said.

The department made the revelation on Monday after being notified on 8 December by third-party software provider BeyondTrust that the hackers had accessed a security key to get past safety measures, The Washington Post reported.

The Treasury notified the Senate Banking Committee of the breach in a letter viewed by several media outlets. It called the breach a “major incident”. Department policy categorises nation state hacking incidents as “major”, according to the letter.

When the Treasury was notified of the incident, it reached out to the Cybersecurity and Infrastructure Security Agency, or CISA, and took the BeyondTrust service offline, a department spokesperson said, according to The Post.

The department didn’t say how many workstations had been accessed or what kind of documents the hackers could have obtained. But in its letter to lawmakers, the department said “at this time there is no evidence indicating the threat actor has continued access to Treasury information”.

“Treasury takes very seriously all threats against our systems, and the data it holds,” the department said. “Over the last four years, Treasury has significantly bolstered its cyber defense, and we will continue to work with both private and public sector partners to protect our financial system from threat actors.”

[Image: The US Department of Treasury building (Getty)]

Assistant treasury secretary Aditi Hardikar noted in Monday’s letter that the department was working with CISA as well as the FBI, but gave no further detail beyond stating that the hack had been attributed to Chinese actors.

“Based on available indicators, the incident has been attributed to a Chinese state-sponsored Advanced Persistent Threat actor,” Hardikar said in the letter, according to CNN.

“With access to the stolen key, the threat actor was able to override the service’s security, remotely access certain Treasury user workstations, and access certain unclassified documents maintained by those users,” Hardikar added.

“CISA was engaged immediately upon Treasury’s knowledge of the attack, and the remaining governing bodies were contacted as soon as the scope of the attack became evident.”

The Chinese embassy denied the allegations, calling them baseless and part of a smear campaign. A spokesperson for the Chinese embassy in Washington said Beijing “firmly opposes the US’s smear attacks against China without any factual basis”.

The Treasury plans to provide further details to lawmakers in 30 days.

A spokesperson for BeyondTrust, based in Johns Creek, Georgia, told Reuters in an email that the company “previously identified and took measures to address a security incident in early December 2024” involving its remote support product.

BeyondTrust “notified the limited number of customers who were involved” as well as law enforcement, the spokesperson said. “BeyondTrust has been supporting the investigative efforts.”

Tom Hegel, a threat researcher at cybersecurity company SentinelOne, said the reported security incident “fits a well-documented pattern of operations by PRC-linked groups, with a particular focus on abusing trusted third-party services — a method that has become increasingly prominent in recent years”.

Additional reporting by agencies.
