China-backed hackers breach US Treasury using stolen key: officials

December 31, 2024

The US Treasury Department has disclosed a significant cybersecurity breach attributed to a Chinese state-sponsored Advanced Persistent Threat (APT) actor. Hackers infiltrated several Treasury workstations using a stolen key, prompting officials to label the incident a "major cybersecurity incident."

Aditi Hardikar, Assistant Secretary for Management at the Treasury, detailed the breach. The department was alerted by a third-party software provider, BeyondTrust, on December 8 about unauthorized access to certain Treasury workstations and unclassified documents. The breach reportedly occurred on December 2.

Details of the Breach

According to the letter reviewed by CNN, the attackers exploited a stolen key used by BeyondTrust, which provides cloud-based technical support services for the Treasury. Using this key, the hackers bypassed the service's security measures, gaining remote access to several departmental workstations and sensitive but unclassified documents.

The Treasury stated that the compromised service has since been taken offline, and law enforcement agencies, including the FBI and the Cybersecurity and Infrastructure Security Agency (CISA), have been engaged in the investigation. A Treasury spokesperson said, “There is no evidence indicating the threat actor has continued access to Treasury systems or information.”

BeyondTrust confirmed the incident on its website and noted that it had quarantined the impacted instances of its Remote Support product. An external cybersecurity team has been hired to investigate the root cause and prevent future breaches.

Legislative Briefing and Investigation

The Treasury has notified lawmakers of the incident and plans to hold a classified briefing with staffers from the House Financial Services Committee next week, though the exact timing is yet to be determined. Officials have also engaged intelligence agencies and forensic investigators to determine the full scope of the breach.

In accordance with federal guidelines, the Treasury is required to submit a supplemental report within 30 days with an update on the incident's scope and impact. Hardikar’s letter indicated that investigations are ongoing, and officials are working with agencies including the FBI, CISA, and US intelligence to fully assess the damage.
