The Biden administration confirmed on Monday, December 30, that a Chinese state-sponsored hacking group had infiltrated the U.S. Treasury Department, gaining access to government employees’ workstations and unclassified documents. The breach is the latest in a series of sophisticated cyberattacks targeting key U.S. institutions.
In a letter to lawmakers, the Treasury Department revealed that the attack was detected on December 8 by BeyondTrust, a third-party software service provider. The hackers reportedly gained access to a security key that allowed them to remotely access specific Treasury workstations.
“Based on available indicators, the incident has been attributed to a China state-sponsored Advanced Persistent Threat (APT) actor,” the Treasury said, describing the intrusion as a “major cybersecurity incident.”
While the precise motives behind the hack remain unclear, senior officials have indicated that it was likely part of an espionage effort, rather than an attempt to disrupt critical infrastructure. The Treasury Department oversees sensitive information related to global financial systems, sanctions, and insights into China’s economic challenges—data of significant interest to Beijing.
This breach follows previous incidents in which Chinese intelligence operatives accessed the email accounts of Commerce Secretary Gina Raimondo and other U.S. officials involved in decisions regarding export controls for advanced technologies. The same hacking group, identified as Salt Typhoon, has also targeted U.S. telecommunications companies, compromising phone conversations, text messages, and an extensive list of phone numbers under surveillance by the Justice Department.
Among the compromised targets were unencrypted communications lines used by top U.S. officials, raising concerns about Beijing’s ability to monitor which Chinese nationals are under investigation by U.S. agencies.
In response to the breach, the Treasury Department has been working closely with the FBI, intelligence agencies, and other cybersecurity experts to assess the extent of the intrusion. The affected service has since been taken offline, and officials believe the hackers no longer have access to Treasury systems.
A Treasury spokesperson emphasized the department’s commitment to securing its systems and data, noting ongoing efforts to strengthen cybersecurity in collaboration with both public and private sectors.
The timing of the breach’s disclosure is particularly sensitive, coming shortly after the U.S. dealt with the Salt Typhoon attack on telecommunications infrastructure. That hack led the Commerce Department to announce a ban on the continued operations of China Telecom in the United States.
Chinese officials have consistently denied involvement in hacking activities and have engaged in discussions with the U.S. on cybersecurity cooperation. Earlier this month, Treasury representatives visited China to discuss economic and cybersecurity matters, underscoring the ongoing complexity of U.S.-China relations in the digital age.
The Treasury Department has pledged to provide more details about the breach in an upcoming report to Congress.