‘Major incident’: China-backed hackers breached US Treasury workstations

CNN Business
2024-12-31
The US Treasury Department notified lawmakers on Monday that a China state-sponsored actor infiltrated Treasury workstations in what officials are describing as a “major incident.”

In a letter reviewed by CNN, a Treasury official said the department was informed by a third-party software service provider on December 8 that a threat actor used a stolen key to remotely access certain Treasury workstations and unclassified documents.

“Based on available indicators, the incident has been attributed to a Chinese state-sponsored Advanced Persistent Threat (APT) actor,” Aditi Hardikar, assistant secretary for management at the US Treasury, wrote in the letter.

A Treasury spokesperson said in a statement to CNN that the compromised service has been taken offline and officials are working with law enforcement and the Cybersecurity and Infrastructure Security Agency (CISA).

“There is no evidence indicating the threat actor has continued access to Treasury systems or information,” the Treasury spokesperson said.

According to the letter to Senate Banking Committee leadership, the third-party software service provider, BeyondTrust, said hackers gained access to a key used by the vendor to secure a cloud-based service that Treasury uses for technical support.

“With access to the stolen key, the threat actor was able to override the service’s security, remotely access certain Treasury [Departmental Office] user workstations, and access certain unclassified documents maintained by those users,” the Treasury letter said.

BeyondTrust did not immediately respond to a request for comment.

It’s not clear exactly how many workstations were infiltrated. However, the Treasury spokesperson said in the statement that “several” Treasury user workstations were accessed.

Hardikar said in the letter that based on Treasury policy, intrusions attributed to advanced persistent threat actors are considered a “major cybersecurity incident.” Treasury officials are required to provide an update in a 30-day supplemental report.

It’s not clear if Treasury has fully determined the extent of the damage caused by the breach.

Hardikar wrote in the letter that, in an effort to “fully characterize the incident and determine its overall impact,” Treasury has been working with CISA, the FBI, US intelligence agencies and third-party forensic investigators.

“CISA was engaged immediately upon Treasury’s knowledge of the attack, and the remaining governing bodies were contacted as soon as the scope of the attack became evident,” the letter said.

This is a developing story and will be updated.
