Chinese State Hackers Breach US Treasury Department
===================================================

In what’s being called a ‘major cybersecurity incident,’ Beijing-backed adversaries broke into cyber vendor BeyondTrust to access US Department of Treasury workstations and steal unclassified data, according to a letter sent to lawmakers.

[Becky Bracken, Senior Editor, Dark Reading](/author/becky-bracken)

December 30, 2024

UPDATE: This story was updated on Dec. 30 to include a statement from a BeyondTrust spokesperson.

The US Department of the Treasury alerted lawmakers on Monday that Chinese state-backed threat actors were able to compromise its systems and steal data from workstations earlier this month.

Because an advanced persistent threat (APT) group is suspected to be behind the hack, it is being treated as a ‘major cybersecurity incident,’ said the disclosure letter from the US Department of Treasury, which was sent to the chairman and ranking member of the Senate committee that oversees the agency.

It explained the adversaries broke into Treasury through a third-party cybersecurity vendor, BeyondTrust, and ‘…gained access to a remote key used by the vendor to secure a cloud-based service used to remotely provide technical support for Treasury Departmental Offices (DO) end users,’ the [letter](https://legacy.www.documentcloud.org/documents/25472740-letter-to-chairman-brown-and-ranking-member-scott/) said.
‘With access to the stolen key, the threat actor was able to override the service’s security, remotely access certain Treasury DO user workstations, and access certain unclassified documents maintained by those users.’

The BeyondTrust website said the company has more than 20,000 customers across more than 100 countries who use its privileged remote access tools. The site adds that BeyondTrust is used by 75% of Fortune 100 organizations. The company has not responded to Dark Reading’s request for comment.

Treasury added it was told by BeyondTrust about the issue on Dec. 8 and, along with the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI, is investigating the compromise, according to the letter.

A [BeyondTrust advisory](https://www.beyondtrust.com/remote-support-saas-service-security-investigation) said the company was alerted on Dec. 5 to a compromised API key, which was immediately revoked. Impacted customers have already been notified and the company is working with them on remediation, according to a statement from a BeyondTrust spokesperson.

‘BeyondTrust previously identified and took measures to address a security incident in early December 2024 that involved the Remote Support product,’ the statement said. ‘No other BeyondTrust products were involved.’

‘Epic’ Chinese Hack of US Treasury
----------------------------------

The revelation that Beijing was able to strike right at the heart of America’s federal capitalist system itself comes as the federal government is still grappling with the sprawling and coordinated Chinese-backed [cyberattacks against telecommunications companies](https://www.darkreading.com/cloud-security/salt-typhoon-tmobile-telecom-attack-spree) in the US. Once inside, hackers from groups including [Salt Typhoon](https://www.darkreading.com/cyberattacks-data-breaches/governments-telcos-chinas-hacking-typhoons) accessed call data and text messages of an unknown number of Americans. So far, Chinese hacking groups have been discovered inside at least nine different telecom networks in the US.

While investigations into the US Treasury breach are ongoing, these brazen Chinese acts of cyber espionage are almost certain to require dicey diplomatic maneuvering. That could prove to be difficult to pull off during the murky transition period from the Biden administration to the incoming [Trump administration](https://www.darkreading.com/cybersecurity-operations/trump-20-portends-shift-cybersecurity-policies).

‘Beijing’s routine denial of responsibility for cyberespionage incidents raises diplomatic challenges with the US in addressing such breaches effectively since there’s lack of transparency and accountability/coordination,’ Lawrence Pingree, vice president of Dispersive, said in a statement provided to Dark Reading.

He added that it’s still unclear whether the Chinese hackers were able to crack the application’s secrets, or a cryptographic key.

‘Secrets and cryptographic key management are critical elements of managing software API access and thus if deficient in some way, or a compromise occurs via a developer’s endpoint, the breach of those secrets and authentication keys can create these types of epic breaches,’ he added.

The breach also shows that cybersecurity vendors remain a favorite target of sophisticated state threat actors, according to former NSA cyber expert Evan Dornbush, who provided a statement in reaction to the breach.

‘The cybersecurity world is reeling from yet another high-profile breach, this time targeting the clients of security vendor BeyondTrust,’ Dornbush said. ‘This incident joins a growing list of attacks on security firms, including Okta (whose breach directly impacted BeyondTrust as a customer), LastPass, SolarWinds, and Snowflake.’

Related Tags:
NAICS: 54 – Professional, Scientific, Technical Services
NAICS: 517 – Telecommunications
NAICS: 541 – Professional, Scientific, Technical Services
NAICS: 518 – Computing Infrastructure Providers, Data Processing, Web Hosting, Related Services
NAICS: 92 – Public Administration
NAICS: 51 – Information
NAICS: 928 – National Security And International Affairs
Blog: Dark Reading
Software Discovery: Security Software Discovery