The United States Treasury Department has disclosed a significant cybersecurity breach involving a China-backed hacking group, marking what officials have termed a “major incident.”
The breach was revealed in a letter to lawmakers reviewed by CNN, detailing how the attackers gained access to certain Treasury workstations and unclassified documents.
The intrusion came to light on December 8, when a third-party software provider notified the Treasury of a stolen key being used to remotely access the department’s systems.
“Based on available indicators, the incident has been attributed to a Chinese state-sponsored Advanced Persistent Threat (APT) actor,” wrote Aditi Hardikar, assistant secretary for management at the Treasury, in the letter.
In response, the compromised software service was taken offline, according to a Treasury spokesperson. The department has since been collaborating with the Cybersecurity and Infrastructure Security Agency (CISA) and law enforcement to address the breach.
“There is no evidence indicating the threat actor has continued access to Treasury systems or information,” the spokesperson confirmed.
The attack exploited a vulnerability in a cloud-based service provided by BeyondTrust, a software vendor that supports the Treasury’s technical operations. Hackers allegedly used the stolen key to bypass security measures and access the workstations.
“With access to the stolen key, the threat actor was able to override the service’s security, remotely access certain Treasury [Departmental Office] user workstations, and access certain unclassified documents maintained by those users,” the letter noted.
While it remains unclear how many workstations were affected, the Treasury acknowledged that “several” were compromised. Officials have classified the incident as a major cybersecurity breach, requiring updates under Treasury policy, including a supplemental report within 30 days.
Efforts to fully understand the breach’s impact are ongoing. “CISA was engaged immediately upon Treasury’s knowledge of the attack, and the remaining governing bodies were contacted as soon as the scope of the attack became evident,” the letter stated. Investigations involve CISA, the FBI, US intelligence agencies, and independent forensic experts.
Lawmakers have been briefed on the situation, with a classified session for the House Financial Services Committee expected next week.
However, the exact timing of the briefing remains uncertain. BeyondTrust, the software vendor implicated in the breach, has yet to respond to requests for comment.
ALSO READ TOP STORIES FROM NIGERIAN TRIBUNE
