According to the US Treasury, documents were stolen by Chinese state-sponsored hackers. China maintains its longstanding opposition to all types of hacker attacks. Analysts note that this attack is consistent with previous operations carried out by China-linked groups.
The cybercriminals successfully infiltrated the third-party cybersecurity service provider BeyondTrust, gaining unauthorized access to unclassified documents, as detailed in the letter.
As per the letter, hackers managed to obtain a crucial key used by the vendor to secure a cloud-based service for providing remote technical support to end users in Treasury Departmental Offices (DO). With this stolen key, the threat actor was able to bypass the service's security measures, remotely access specific workstations used by Treasury DO users, and view certain unclassified documents stored by those users.
The letter stated that, according to the available indicators, the incident is believed to have been caused by a China state-sponsored Advanced Persistent Threat (APT) actor.
During a routine news conference on Tuesday, Mao Ning, a spokesperson for China's foreign ministry, reiterated China's longstanding stance against all types of hacker attacks.
A representative from the Chinese Embassy in Washington has denied any accountability for the hack, emphasizing that Beijing strongly disapproves of the U.S.'s unfounded accusations against China.
A spokesperson for BeyondTrust, located in Johns Creek, Georgia, stated that the company had detected and responded to a security incident relating to its remote support product in early December 2024. The spokesperson stated that BeyondTrust had reached out to the affected customers, and law enforcement had been informed. The company is actively assisting in the investigation process.
On December 8, information disclosed from the investigation revealed that a digital key had been compromised during the incident and that the investigation was ongoing. The statement was last updated on December 18.
The reported security incident, according to the source, aligns with a consistent modus operandi observed in activities carried out by groups connected to the People's Republic of China. These groups seem to emphasize exploiting trusted third-party services, a tactic that has gained significant prominence in recent times.