A recent cybersecurity breach has exposed vulnerabilities within the U.S. Treasury Department, with Chinese-linked hackers gaining unauthorized access to documents earlier this month. The intrusion, attributed to a state-sponsored Chinese Advanced Persistent Threat (APT), was discovered on December 8, when cybersecurity firm BeyondTrust alerted the Treasury to suspicious activity.
According to a letter from the U.S. Treasury Department to Senators Sherrod Brown and Tim Scott, the attackers entered the Treasury’s network through a third-party cybersecurity vendor’s remote support service. The vendor, BeyondTrust, was providing cybersecurity services to the Treasury when the attackers obtained a key the vendor used to secure its cloud-based platform for remote technical support.
With that key in hand, the attackers were able to override the service’s security controls, remotely access certain employee workstations, and reach unclassified documents on them. The Treasury classified the breach as a “major incident” under its security guidelines, and the compromised BeyondTrust service was taken offline to prevent further unauthorized access. No classified information was reported to have been compromised.
As reported on Cybernews, John Scott-Railton, a senior researcher at Citizen Lab, noted that the attackers used the platform as a “backdoor” to gain entry to Treasury systems. His comments raised concerns about potential threats to other BeyondTrust clients, given the company’s wide range of government and private sector customers.
In response to the breach, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the FBI launched a formal investigation, with support from third-party experts. BeyondTrust confirmed in a statement to Reuters that it had identified and addressed the security incident earlier in December, notified affected customers, and assisted with the ongoing investigation.
According to Cybernews, Tom Hegel, a threat researcher at SentinelOne, highlighted that this attack follows a pattern commonly used by Chinese-linked cyber groups, who often target trusted third-party services as a means of gaining unauthorized access to sensitive networks.
As of now, the Chinese government has denied any involvement, calling the accusations unfounded.