US Treasury says it was hacked by China in ‘major incident’

Chinese state-sponsored hackers broke into the US Treasury Department’s systems earlier this month and were able to access employee workstations and some unclassified documents, American officials have said.

The Treasury Department deemed the breach a “major incident” after disclosing it via a letter notifying lawmakers to the incident.

The US agency said it had been working with the FBI and other agencies to investigate the impact of the hack.

China denied any involvement, calling the accusation “baseless” and saying it “consistently opposes all forms of hacking”.

It is the latest in a series of high-profile and embarrassing security breaches in the US being blamed on China.

A hack of telecoms companies in December potentially accessed phone record data across large swathes of American society.

The Treasury Department said in its letter to lawmakers that this latest attack involved China-based actors overriding security via a key used by a third-party service provider. The application offers remote technical support to its employees.

The compromised third-party service – called BeyondTrust – has since been taken offline, officials said. There was no evidence to suggest the hacker had continued to access to Treasury Department information since, the statement continued.

The department said it had been working with the Cybersecurity and Infrastructure Security Agency and third-party forensic investigators to determine the overall impact.

Officials said initial investigations suggested the hack appeared to have been carried out by “a China-based Advanced Persistent Threat (APT) actor”.

“In accordance with Treasury policy, intrusions attributable to an APT are considered a major cybersecurity incident,” Treasury Department officials said.

The department monitors global financial systems and economies, and in recent years has levied US sanctions against China.

It said it was made aware of the hack on 8 December by BeyondTrust, a spokesperson told the BBC. According to the company, the suspicious activity was first spotted on 2 December, but it took three days for the company to determine it had been hacked.

The spokesperson said the hackers were able to remotely access several Treasury user workstations and some unclassified documents that were kept by those users.

The department did not specify the nature of these files, or when and for how long the hack took place. They also did not specify the level of confidentiality of the computer systems or the seniority of the staff whose materials were accessed.

The hackers may have been able to create accounts or change passwords in the three days that they were being watched by BeyondTrust.

As espionage agents, the hackers are believed to have been seeking information, rather than attempting to steal funds.

The spokesperson said the Treasury Department “takes very seriously all threats against our systems, and the data it holds”, and that it will continue to work on protecting its data from outside threats.

The department letter states that a supplemental report on the incident will be provided to lawmakers in 30 days.

China’s foreign ministry spokeswoman Mao Ning denied the US claims, telling a news briefing: “We have repeatedly stated our position on such baseless accusations lacking evidence.

“China consistently opposes all forms of hacking and firmly rejects the dissemination of false information targeting China for political purposes.”

Earlier, a spokesman for the Chinese embassy in Washington DC told BBC News that the accusation was part of a “smear attack” and made “without any factual basis”.

“The US needs to stop using cyber security to smear and slander China, and stop spreading all kinds of disinformation about the so-called Chinese hacking threats,” embassy spokesman Liu Pengyu said.

The US has not supplied any evidence that China is responsible for the hack.