Major Chinese State-Sponsored Breach of US Treasury Systems: What We Know
The U.S. Treasury Department disclosed on December 30, 2024, that it experienced what officials are categorizing as a “major incident” involving Chinese state-sponsored hackers who successfully breached departmental systems and accessed unclassified documents earlier this month.
The Breach Timeline and Initial Discovery
The security breach was first detected on December 2, 2024, by BeyondTrust, a third-party cybersecurity service provider used by the Treasury Department. After three days of investigation, BeyondTrust confirmed the suspicious activity as a cyberattack on December 5. The Treasury Department was officially notified of the breach on December 8:
- December 2: Initial suspicious activity detected
- December 5: Attack confirmation after investigation
- December 8: Treasury Department officially notified
- December 30: Public disclosure of the incident
How the Attack Was Executed
According to Treasury officials, the threat actors gained access through a sophisticated compromise of BeyondTrust’s remote support infrastructure:
- The attackers obtained a security key used by BeyondTrust to secure its cloud-based technical support service
- Using this stolen key, the hackers were able to override security measures
- This access allowed them to remotely connect to multiple Treasury Departmental Office (DO) user workstations
- The compromised systems gave the attackers access to certain unclassified documents
Immediate Response and Current Status
The Treasury Department has taken several immediate actions to address the security breach:
- The compromised BeyondTrust service has been taken offline
- Officials have engaged multiple agencies in the investigation, including:
  - The FBI
  - The Cybersecurity and Infrastructure Security Agency (CISA)
  - Various intelligence community members
  - Third-party forensic investigators
Treasury Assistant Secretary for Management Aditi Hardikar has confirmed that there is currently no evidence indicating continued unauthorized access to Treasury systems or information.
Attribution and Classification
The Treasury Department has attributed the attack to a China-based Advanced Persistent Threat (APT) actor, though China’s Foreign Ministry spokesperson has denied these allegations. Due to the involvement of a state-sponsored APT, the Treasury has classified this as a “major cybersecurity incident” under departmental policies.
Looking Forward with CinchOps
The Treasury Department has committed to providing a supplemental report to lawmakers within 30 days, detailing the full scope and impact of the breach. This incident serves as a crucial reminder of the importance of robust cybersecurity measures, particularly when dealing with third-party service providers.
CinchOps will continue to monitor this situation closely and provide updates as new information becomes available. Our team of security experts is available to help organizations assess their current security posture and implement protective measures against similar threats.
For the latest updates on this developing situation and expert cybersecurity guidance, follow CinchOps on our social media channels or request updates below.