The U.S. Treasury Department has confirmed a “major cybersecurity incident” involving a breach by a Chinese state-sponsored hacker, officials said Monday. The breach allowed access to employee workstations and unclassified documents within the department.
The incident, which occurred in early December, was revealed in a letter sent by the Treasury Department to lawmakers. The agency disclosed that the hackers exploited a security key used by BeyondTrust, a third-party service provider offering remote technical support.
The compromised service has since been taken offline, and officials stated there is no evidence of continued access to Treasury information since the breach. The department has been working with the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and third-party forensic investigators to assess the extent of the intrusion.
Details of the Breach
Officials identified the attacker as a “China-based Advanced Persistent Threat (APT) actor.” The hacker reportedly gained remote access to multiple user workstations and unclassified documents. The Treasury has not disclosed the nature or sensitivity of the compromised files or the level of confidentiality of the affected systems.
BeyondTrust, the third-party provider, first detected suspicious activity on December 2 but took three days to confirm the hack. The Treasury Department was informed on December 8. During this period, the hackers may have created accounts or altered passwords, though their primary objective appears to have been information gathering rather than financial theft.
Response and Investigations
Treasury officials stated that they are treating the incident with the highest level of urgency, working closely with federal agencies to secure systems and determine the full scope of the breach. A supplemental report will be provided to lawmakers within 30 days, the letter noted.
The Chinese embassy in Washington denied the allegations, calling them a “smear attack” without factual basis. Embassy spokesperson Liu Pengyu criticized the U.S. for making accusations without evidence and urged a professional and evidence-based approach to attributing cyber incidents.
Context and Implications
The breach is the latest in a series of high-profile cyberattacks attributed to Chinese state-sponsored actors, including a December attack on U.S. telecommunications companies that may have exposed phone records.
Cybersecurity experts warn that such incidents highlight vulnerabilities in third-party service providers, which attackers often target as entry points. The Treasury Department emphasized its commitment to safeguarding its systems and the sensitive data they contain.