New information reveals that the PRC-backed hackers responsible for last month's hack of the US Treasury Department were able to gain access to the laptops of some senior officials, even as CISA now says no other federal agency appears to have been hit in the breach.
The Chinese state-sponsored threat actors were reported to have compromised “unclassified material stored locally on the senior officials’ computers,” according to a report by Bloomberg News on January 2nd.
Bloomberg, which spoke with a US official and another person familiar with the matter, said the sources did not identify the senior leaders whose computers were breached.
The US Treasury breach itself took place on December 8th through the third-party cybersecurity company BeyondTrust, a contracted vendor for the department, as well as other federal agencies.
"At this time, there is no indication that any other federal agencies have been impacted by this incident," the US Cybersecurity and Infrastructure Security Agency (CISA) announced on January 6th, although the agency said it was still monitoring the situation.
On New Year's Day, The Washington Post reported the attackers had targeted the Office of Foreign Assets Control, known as OFAC (the government office responsible for sanctions), the Office of the Treasury Secretary Janet Yellen, and the Treasury Department’s Office of Financial Research.
BeyondTrust told Reuters on January 6th it is "unable to confirm" if any other customers were affected by the hack, citing the sensitivity of the "ongoing forensic investigation."
The People’s Republic of China (PRC)-affiliated hackers were said to have broken into employee workstations, obtaining the documents from both desktop and laptop computers using a stolen API key to the cloud-based tech support platform.
About 100 government computers were found to have been involved in the attack, although the investigation is still ongoing, the unnamed US official was reported as saying.
Accessed documents included “drafts and notes for policy decisions, itineraries and travel planning documents for Treasury leaders, as well as some internal communications,” Bloomberg said, adding that the Department’s email and classified systems were left untouched.
Furthermore, BeyondTrust said, in a statement on its website, that as soon as it became aware of the incident, it immediately revoked access to the API key and has since patched the medium-risk vulnerability.
US lawmakers want answers
The Treasury had disclosed the breach to the US Senate Committee on Banking, Housing, and Urban Affairs in a letter on December 30th, labeling the cyberattack a “major incident” under US Treasury guidelines.
Senator Tim Scott (R-SC), the ranking member of the Committee, together with fellow Republican Rep. French Hill (R-AR), the Vice Chair of the House Committee on Financial Services, has requested a January 10th briefing from the Treasury Secretary on the specifics of the incident.
“The fact that a CCP-sponsored APT actor was able to access Treasury’s information systems is unacceptable and raises serious questions about the protocols for safeguarding sensitive federal government information from future cybersecurity incidents,” the letter addressed to Secretary Yellen stated.
.@SenatorTimScott & @RepFrenchHill are demanding answers from @USTreasury following the China state-sponsored cybersecurity breach this week.

Their letter calls for a detailed briefing & expresses concerns with the department's protocols for safeguarding sensitive information.

U.S. Senate Banking Committee GOP (@BankingGOP), January 2, 2025
The Republican lawmakers also pointed out that the “Treasury maintains some of the most highly sensitive information on US persons throughout government, including tax information, business beneficial ownership, and suspicious activity reports.”
Additionally, BeyondTrust holds more than $4 million worth of contracts with the federal government, Bloomberg said, including with the Department of Defense, Department of Veterans Affairs, and the Department of Justice.
Beijing has denied responsibility for the hacks, calling the allegations a “smear attack against China without any factual basis.”