Treasury described the intrusion as a “major cybersecurity incident,” since it was attributed to a state-sponsored actor, according to the letter, which was reviewed by Bloomberg News.
Treasury was notified on December 8 by a third-party software provider, BeyondTrust Inc., that a hacker had gained access “to a key used by the vendor to secure a cloud-based service used to remotely provide technical support for Treasury Departmental Offices (DO) end users,” according to the letter.
The department is being assisted by the Cybersecurity and Infrastructure Security Agency, the FBI, the intelligence community and third-party forensic investigators.
Based on available information, advanced hackers tied to China were behind the incident, according to the letter.
The Chinese embassy in Washington opposes US “smear attacks against China without any factual basis,” it said in an emailed statement. “The US needs to stop using cybersecurity to smear and slander China, and stop spreading all kinds of disinformation about the so-called Chinese hacking threat,” it said.
BeyondTrust, which sells managed access software and other cybersecurity products, holds contracts with the federal government worth more than $4 million, according to government data compiled by Bloomberg. In addition to Treasury, the data shows, BeyondTrust does business with the Department of Defense, Department of Veterans Affairs and the Department of Justice, along with other agencies.
A representative for BeyondTrust didn’t respond to a request for comment. The Department of Defense, Department of Justice, and Department of Veterans Affairs didn’t immediately respond to separate requests for comment.
The hacker was able to remotely access certain Treasury workstations and “certain unclassified documents maintained by those users,” the department said in the letter to Senators Sherrod Brown and Tim Scott.
“The compromised BeyondTrust service has been taken offline, and there is no evidence indicating the threat actor has continued access to Treasury systems or information,” a Treasury spokesperson said.
Disclosure of the breach comes as the White House continues to investigate what it says is a vast cyber-espionage campaign against US telecommunications companies by Chinese state-sponsored hackers. On Friday, the White House said nine telecom firms had been impacted by the attacks, which have been attributed to a group Microsoft Corp. nicknamed Salt Typhoon.
The hackers allegedly spent months lurking inside American telecom networks and gathering information about an unknown number of Americans’ phone calls and text messages. Among the phones targeted were those of then presidential candidate Donald Trump and his running mate JD Vance, Trump family members and members of Vice President Kamala Harris’ campaign staff and others, the New York Times has reported.
The alleged Chinese espionage efforts at US telecoms and the Treasury Department come after a period of relative calm in relations between US and China in the final stretches of President Joe Biden’s term.
That included Biden and Chinese leader Xi Jinping meeting at the APEC summit in Peru last month, a rare prisoner swap in late November and renewed agreement earlier this month on science and technology cooperation.
The Salt Typhoon telecoms hack came up in the Peru meeting, where Biden “made very clear where the US stands on it,” National Security Adviser Jake Sullivan said at the time. Xi told Biden at the meeting “there is no evidence that supports the irrational claim of the so-called ‘cyberattacks from China,’” the Washington embassy said Monday.
Anne Neuberger, the deputy national security adviser for cyber and emerging technologies, said last week that the administration has further actions planned to hold Beijing accountable after moving ahead with a ban of China Telecom in the US.
