The United States Treasury Department notified lawmakers on Monday that a Chinese state-sponsored actor infiltrated Treasury workstations in what officials are describing as a major incident.
In a letter to the Senate Banking Committee leadership, reviewed by CNN, a Treasury official said the department was informed by a third-party software provider on 8 December that a threat actor used a stolen key to remotely access certain Treasury workstations and unclassified documents.
“Based on available indicators, the incident has been attributed to a Chinese state-sponsored Advanced Persistent Threat (APT) actor,” Aditi Hardikar, assistant secretary for management at the U.S. Treasury, wrote in the letter.
In a statement to CNN, a Treasury spokesperson said there was no evidence indicating the threat actor has continued access to Treasury systems or information and that the compromised service has been taken offline. Officials are working with law enforcement and the Cybersecurity and Infrastructure Security Agency (CISA).
“Over the last four years, Treasury has significantly bolstered its cyber defence, and we will continue to work with both private and public sector partners to protect our financial system from threat actors,” a spokesperson for the department said in a separate statement.
The compromised BeyondTrust service has also been taken offline.
BeyondTrust said it identified the security incident taking place on 2 December involving its remote support product and notified the “limited number” of customers involved after the company confirmed on 5 December that it had “anomalous behaviour” in the product.
There have been updates on the incident posted on BeyondTrust’s website since 8 December. The company said it suspended and quarantined the impacted instances of the product and hired an external cybersecurity team to investigate.
“No other BeyondTrust products were involved,” a BeyondTrust spokesperson said. “Law enforcement was notified and BeyondTrust has been supporting the investigative efforts.”
A spokesperson for China’s Foreign Ministry denied the hacking accusations when asked about them at a regular news briefing on Tuesday.
“We have repeatedly stated our position on such groundless accusations lacking evidence. China has always opposed all forms of cyberattacks, and we are even more opposed to spreading false information about China for political purposes,” said Mao Ning, a spokesperson for the foreign ministry.
It is unclear how many workstations were infiltrated; however, the Treasury spokesperson said in the statement that several Treasury user workstations were accessed.
A senior staffer told CNN that Treasury plans to hold a briefing about the breach next week with House Financial Services Committee staffers. Treasury officials will be required to provide an update in a 30-day supplemental report.