WASHINGTON: Chinese state-sponsored hackers breached the US Treasury Department’s computer security guardrails this month and stole documents in what Treasury called a “major incident,” according to a letter to lawmakers that Treasury officials provided to Reuters on Monday.

The hackers compromised third-party cybersecurity service provider BeyondTrust and were able to access unclassified documents, the letter said.

According to the letter, hackers “gained access to a key used by the vendor to secure a cloud-based service used to remotely provide technical support for Treasury Departmental Offices (DO) end users. With access to the stolen key, the threat actor was able to override the services security, remotely access certain Treasury DO user workstations, and access certain unclassified documents maintained by those users.”

“Based on available indicators, the incident has been attributed to a China state-sponsored Advanced Persistent Threat (APT) actor,” the letter said.

However, Beijing on Tuesday hit back at accusations that a China state-sponsored actor was behind a cyber breach at the US Treasury Department, calling the claims “groundless”.

Beijing slams ‘groundless’ claims of cyberattack

China’s foreign ministry spokeswoman Mao Ning said Beijing “has always opposed all forms of hacker attacks, and we are even more opposed to the spread of false information against China for political purposes”.

“We have stated our position many times regarding such groundless accusations that lack evidence,” she added.

The Treasury Department said it was alerted to the breach by BeyondTrust on Dec 8 and that it was working with the US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI to assess the hack’s impact.

Treasury officials didn’t immediately respond to an email seeking further details about the hack.

A spokesperson for the Chinese Embassy in Washington also rejected any responsibility for the hack, saying that Beijing “firmly opposes the US’s smear attacks against China without any factual basis.”

A spokesperson for BeyondTrust, based in Johns Creek, Georgia, said in an email that the company “previously identified and took measures to address a security incident in early Dec 2024” involving its remote support product.

BeyondTrust “notified the limited number of customers who were involved,” and law enforcement was notified, the spokesperson said. “BeyondTrust has been supporting the investigative efforts.”

The spokesperson referred to a statement posted on the company’s website on Dec 8 sharing some details from the investigation, including that a digital key had been compromised in the incident and that an investigation was under way. That statement was last updated on Dec 18.

Tom Hegel, a threat researcher at cybersecurity company SentinelOne, said the reported security incident “fits a well-documented pattern of operations by PRC-linked groups, with a particular focus on abusing trusted third-party services — a method that has become increasingly prominent in recent years,” he said, using an acronym for the People’s Republic of China.

Published in Dawn, January 1st, 2025