Chinese Hackers Breach US Government and Steal Documents in ‘Major Incident’
A recent report from Reuters reveals that Chinese state-sponsored hackers infiltrated the U.S. Treasury Department’s computer systems, leading to a significant breach described as a “major incident.” According to a letter from the Treasury Department, the breach occurred when a third-party contractor, BeyondTrust, left a security backdoor open, allowing the attackers to access sensitive data by compromising a key used for securing a cloud-based service. The Treasury has engaged multiple agencies, including the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI), to assess the situation and mitigate any ongoing risks. Though the letter attributed the cyber intrusion to a Chinese threat actor, it did not confirm whether the hackers still had access to the Treasury’s information. In response to the allegations, China denied involvement and criticized the U.S. for spreading unfounded accusations. BeyondTrust has also shared its version of the events related to the breach. Further details are expected in a supplemental report from the Treasury in the coming weeks.
This probably isn’t the way that the United States government wanted to spend the waning holidays.
According to an ominous Reuters report, “Chinese state-sponsored hackers breached the U.S. Treasury Department’s computer security guardrails this month and stole documents in what Treasury called a ‘major incident.’”
Reuters obtained a letter sent by the Treasury Department detailing just how this harrowing incident unfolded.
In a letter to Sens. Sherrod Brown of Ohio and Tim Scott of South Carolina, the Treasury Department admitted that a “third-party” contractor basically left the backdoor ajar.
“On December 8, 2024, Treasury was notified by a third-party software service provider, BeyondTrust, that a threat actor had gained access to a key used by the vendor to secure a cloud-based service used to remotely provide technical support for Treasury Departmental Offices (DO) end users,” the letter read. “With access to the stolen key, the threat actor was able to override the service’s security, remotely access certain Treasury DO user workstations, and access certain unclassified documents maintained by those users.”
The letter continued, explaining the measures that the Treasury Department was utilizing to combat this “major” issue.
“Treasury has been working with the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Intelligence Community, and third-party forensic investigators to fully characterize the incident and determine its overall impact,” the letter continued. “CISA was engaged immediately upon Treasury’s knowledge of the attack, and the remaining governing bodies were contacted as soon as the scope of the attack became evident.”
The letter also cast no aspersion as to who they think is the responsible party.
“Based on available indicators, the incident has been attributed to a China state-sponsored Advanced Persistent Threat (APT) actor,” it read.
Perhaps most disconcertingly, the letter cannot confirm that the threat actor no longer had access via BeyondTrust, instead saying there was “no evidence” of lingering maliciousness.
“The compromised BeyondTrust service has been taken offline and at this time there is no evidence indicating the threat actor has continued access to Treasury information,” the letter said. “The investments we have made using discretionary appropriations provided under the Cybersecurity Enhancement Account (CEA) have helped ensure we have strong incident processes and access to detailed logs to support our incident response efforts.”
The letter, signed by Assistant Secretary for Management at the U.S. Department of the Treasury Aditi Hardikar, also noted that additional “details will be made available in our 30-day supplemental report to this notification.”
Per Reuters, China has issued a blanket denial that it had anything to do with this hack.
“We have repeatedly stated our position on such groundless accusations lacking evidence,” one Chinese official told reporters Tuesday, per CNN. “China has always opposed all forms of cyberattacks, and we are even more opposed to spreading false information about China for political purposes.”
One Chinese representative from its embassy in Washington took an equally defensive posture when broaching the subject.
That representative took issue with the allegation and “firmly opposes the U.S.’s smear attacks against China without any factual basis,” Reuters reported.
BeyondTrust has proffered its own timeline of events, which can be found here.