The Treasury Department said in a letter to lawmakers that a Chinese actor was able to bypass its security controls using a key held by a third-party service provider, whose application offers remote technical support to Treasury employees.
The compromised third-party service, provided by BeyondTrust, has since been shut down, officials said, adding that there was no evidence the hacker continued to access Treasury information.
The department said it was working with the Cybersecurity and Infrastructure Security Agency and third-party forensic investigators to determine the overall impact.
Officials said an initial investigation suggested the hack was carried out by an “Advanced Persistent Threat (APT) actor from China.”
“In accordance with Treasury Department policy, intrusions involving APTs are considered a serious cybersecurity incident,” Treasury officials said.
The department learned of the hack on December 8 from BeyondTrust, a spokesperson told the BBC. According to the company, the suspicious activity was first noticed on December 2, but it took the company three days to determine that it had been hacked.
The spokesman said the hacker was able to gain remote access to several Treasury users’ workstations and some unclassified documents stored by those users.
The department did not specify the nature of those files or the timing and duration of the breach. Nor did it specify the classification level of the affected computer systems or the seniority of the employees whose materials were accessed.
During the three days in which BeyondTrust was monitoring the suspicious activity, the hackers may have been able to create accounts or change passwords.
It is believed that, as espionage actors, the hackers were seeking information rather than trying to steal funds.
A spokesman said the Treasury Department “takes all threats against our systems and the data they hold very seriously” and that it will continue to work to protect its data from external threats.
The department’s letter said a supplemental report on the incident would be given to lawmakers in 30 days.
Chinese embassy spokesman Liu Pengyu rejected the department’s account, saying in a statement that it can be difficult to trace the origin of hackers.
“We hope that the relevant parties will be professional and responsible in the characterization of cyber incidents, basing their conclusions on sufficient evidence and not on unfounded assumptions and accusations,” he said.
“The US must stop using cybersecurity to smear and slander China, and stop spreading all kinds of misinformation about so-called Chinese hacking threats.”
It is the latest high-profile and embarrassing breach in the US to be blamed on Chinese espionage hackers.
It follows the hacking of telecommunications companies disclosed in December, which potentially exposed phone call records across broad sections of American society.