Chinese Hackers Accused of Stealing ‘Unclassified Documents’ from US Treasury

Filip TRUȚĂ

December 31, 2024


Chinese hackers breached the US Treasury Department earlier this month, making off with “unclassified documents,” according to the agency.

In a letter to lawmakers, the Treasury reveals hackers attacked one of its service providers, identified as BeyondTrust.

The company's products include Software as a Service (SaaS), cloud services, and PAM (Privileged Access Management).

‘A stolen key’

The supplier notified the Treasury on Dec. 8 that “a threat actor had gained access to a key used by the vendor to secure a cloud-based service used to remotely provide technical support for Treasury Departmental Offices (DO) end users. With access to the stolen key, the threat actor was able to override the service’s security, remotely access certain Treasury DO user workstations, and access certain unclassified documents maintained by those users,” according to the letter (as originally reported by Reuters).

After discovering the breach, the Treasury enlisted the help of federal agencies and forensic investigators to better understand the hackers’ intent and assess the overall impact.

“CISA was engaged immediately upon Treasury’s knowledge of the attack, and the remaining governing bodies were contacted as soon as the scope of the attack became evident,” the letter continues. “Based on available indicators, the incident has been attributed to a China state-sponsored Advanced Persistent Threat (APT) actor.”

Hackers’ access severed

The Treasury has taken the compromised systems offline to ensure the hackers no longer have access.

“At this time there is no evidence indicating the threat actor has continued access to Treasury information,” the department says, adding that its ongoing investments in incident response protocols have proved worthwhile.

“The investments we have made using discretionary appropriations provided under the Cybersecurity Enhancement Account (CEA) have helped ensure we have strong incident processes and access to detailed logs to support our incident response efforts,” reads a more reassuring statement near the close of the letter.

The Treasury Department stresses that any attack by state-sponsored hackers (APTs) constitutes “a major cybersecurity incident.” The agency will provide more details in an upcoming supplemental report.

America plagued by Chinese intrusions in recent years

The US government this year has disclosed multiple intrusions by alleged Chinese hackers, including a widespread attack on US telecom operators by an APT group identified as “Salt Typhoon.”

In related news, the US Department of State’s Rewards for Justice (RFJ) program is offering up to $10 million for information pinpointing a Chinese national for his role in the April 2020 compromise of tens of thousands of firewalls worldwide.

And in November, the US imprisoned a Floridian convicted of selling national secrets to China’s intelligence services.


Author


Filip TRUȚĂ

Filip has 15 years of experience in technology journalism. In recent years, he has turned his focus to cybersecurity in his role as Information Security Analyst at Bitdefender.
