Treasury workstations hacked by China-linked threat actors | CyberScoop<\/title> <meta name=\"description\" content=\"According to a letter sent to Senate leaders and obtained by CyberScoop, the compromises occurred through third-party software provider BeyondTrust, which provides identity and access management security solutions.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/treasury-workstations-hacked-china-beyondtrust-identity-access-management\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"Treasury workstations hacked by China-linked threat actors\"> <meta property=\"og:description\" content=\"According to a letter sent to Senate leaders and obtained by CyberScoop, the compromises occurred through third-party software provider BeyondTrust, which provides identity and access management security solutions.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/treasury-workstations-hacked-china-beyondtrust-identity-access-management\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:published_time\" content=\"2024-12-30T21:54:28+00:00\"> <meta property=\"article:modified_time\" content=\"2024-12-30T21:54:30+00:00\"> <meta name=\"author\" content=\"djohnson\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/12\/treasury-workstations-hacked-by-china-linked-threat-actors-2.jpg\">  <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1732206022g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1730999764g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1732010462g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=ddc036fa194c40cf406f\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/82998\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.7.1\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=82998\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Ftreasury-workstations-hacked-china-beyondtrust-identity-access-management%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Ftreasury-workstations-hacked-china-beyondtrust-identity-access-management%2F&format=xml\">   <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"post-template-default single single-post postid-82998 single-format-standard\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/treasury-workstations-hacked-china-beyondtrust-identity-access-management\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--event js-stickybar\">\n<div class=\"stickybar__details\" readability=\"5.12\">\n<div class=\"stickybar__info js-sticky-bar-content\" readability=\"32\">\n<p>Nominations can be submitted for the 2025 CyberScoop 50 awards!<\/p>\n<\/div>\n<p> <a class=\"stickybar__link button button-tertiary\" href=\"https:\/\/cyberscoop.com\/cyberscoop50\/\">Click here!<\/a> <\/div>\n<p> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"27.018867924528\">\n<div class=\"single-article__header-content\" readability=\"36.86974789916\">\n<ul class=\"single-article__eyebrow\">\n<li class=\"single-article__category\"> <a class=\"single-article__category-link\" href=\"https:\/\/cyberscoop.com\/treasury-workstations-hacked-china-beyondtrust-identity-access-management\/\"> <span>Government<\/span> <\/a> <\/li>\n<\/ul>\n<p> According to a letter sent to Senate leaders and obtained by CyberScoop, the compromises occurred through third-party software provider BeyondTrust, which provides identity and access management security solutions. <\/p>\n<p>  <br \/>\n<audio id=\"audio-player\" src=\"https:\/\/wp-tts-cdn.api.scpnewsgrp.com\/cyberscoop\/82998\/english.openai.mp3\"><\/audio> <\/p>\n<div readability=\"11\">\n<div>\n<p>Listen to this article<\/p>\n<p>  <\/p>\n<p>0:00<\/p>\n<\/p><\/div>\n<p>  <\/p>\n<p> <span id=\"tts-tooltip\">Learn more.<\/span> <span> This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment. <\/span> <\/p>\n<\/div>\n<p>  <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"427\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/12\/treasury-workstations-hacked-by-china-linked-threat-actors.jpg?resize=640%2C427&ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/12\/treasury-workstations-hacked-by-china-linked-threat-actors-2.jpg 4872w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/12\/treasury-workstations-hacked-by-china-linked-threat-actors-2.jpg?resize=300,200 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/12\/treasury-workstations-hacked-by-china-linked-threat-actors-2.jpg?resize=768,512 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/12\/treasury-workstations-hacked-by-china-linked-threat-actors-2.jpg?resize=1024,683 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/12\/treasury-workstations-hacked-by-china-linked-threat-actors-2.jpg?resize=1536,1025 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/12\/treasury-workstations-hacked-by-china-linked-threat-actors-2.jpg?resize=2048,1366 2048w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/12\/treasury-workstations-hacked-by-china-linked-threat-actors-2.jpg?resize=600,400 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/12\/treasury-workstations-hacked-by-china-linked-threat-actors-2.jpg?resize=252,168 252w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/12\/treasury-workstations-hacked-by-china-linked-threat-actors-2.jpg?resize=505,337 505w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/12\/treasury-workstations-hacked-by-china-linked-threat-actors-2.jpg?resize=1012,675 1012w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/12\/treasury-workstations-hacked-by-china-linked-threat-actors-2.jpg?resize=1264,843 1264w\" sizes=\"(max-width: 1012px) 100vw, 1012px\"><figcaption> Treasury officials were notified by BeyondTrust on Dec. 8 that \u201ca threat actor had gained access to a key used by the vendor to secure a cloud-based service used to remotely provide technical support for Treasury Departmental Offices end users.” (Image Via Getty) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"32.697605675436\"><body readability=\"65.90788555478\"><\/p>\n<p>The Department of Treasury was notified earlier this month that several of its workstations were hacked by a group believed to be linked to China, the department confirmed to CyberScoop.<\/p>\n<p>According to a letter sent Monday to leaders on the Senate Committee on Banking, Housing and Urban Affairs and obtained by CyberScoop, the compromises occurred through third-party software provider BeyondTrust, which provides identity and access management security solutions.<\/p>\n<p>Treasury officials were notified by BeyondTrust on Dec. 8 that \u201ca threat actor had gained access to a key used by the vendor to secure a cloud-based service used to remotely provide technical support for Treasury Departmental Offices end users,\u201d the letter states.<\/p>\n<p>\u201cWith access to the stolen key, the threat actor was able to override the service\u2019s security, remotely access certain Treasury DO user workstations, and access certain unclassified documents maintained by those users,\u201d wrote Aditi Hardikar, Treasury\u2019s assistant secretary for management.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>BeyondTrust did not return a request for comment seeking confirmation and further details on the incident prior to publication. <\/p>\n<p>Hardikar wrote that the hacks are being classified as a \u201cmajor incident\u201d under the Federal Information Security and Modernization Act, and the department has been working with the Cybersecurity and Infrastructure Security Agency, the FBI, intelligence agencies, and third-party forensic investigators to scope out the full impact.<\/p>\n<p>\u201cBased on available indicators, the incident has been attributed to a China state-sponsored Advanced Persistent Threat actor,\u201d Hardikar wrote.<\/p>\n<p>In response to questions, a Treasury spokesperson said the threat actor was able to remotely access \u201cseveral\u201d Treasury user workstations as well as \u201ccertain unclassified documents\u201d maintained by those users. The unnamed BeyondTrust service was taken offline and the department believes the actor no longer has access to Treasury systems or information.<\/p>\n<p>News of the hacks was first reported by Barron\u2019s and Agency France-Presse.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>The incident comes as Washington policymakers are still reeling from a wide-ranging compromise of U.S. telecommunications infrastructure by Salt Typhoon, a hacking group linked to the Chinese government. Those compromises gave Beijing broad access to the phones and communications of high-ranking U.S. officials, including reportedly, incoming President-elect Donald Trump and Vice President-elect JD Vance.<\/p>\n<p>This week, the White House<a href=\"https:\/\/cyberscoop.com\/salt-typhoon-telecom-cybersecurity-gaps-white-house-response\/\"> said<\/a> that while fewer than 100 individuals are believed to have been directly impacted by the Salt Typhoon intrusions, a larger group centered around Washington D.C. may have had their geolocation data stolen, something that could potentially allow Chinese intelligence agencies to identify the phones of additional targets.<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"3.7906976744186\">\n<div class=\"author-card\" readability=\"13\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/12\/treasury-workstations-hacked-by-china-linked-threat-actors-1.jpg?w=640&ssl=1\" alt=\"Derek B. Johnson\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Derek B. Johnson<\/h4>\n<p> Derek B. Johnson is a reporter at CyberScoop, where his beat includes cybersecurity, elections and the federal government. Prior to that, he has provided award-winning coverage of cybersecurity news across the public and private sectors for various publications since 2017. Derek has a bachelor\u2019s degree in print journalism from Hofstra University in New York and a master\u2019s degree in public policy from George Mason University in Virginia. <\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p>  <\/div>\n<p>\n<\/div>\n<p> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Geopolitics<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p>   <\/body> <a href=\"https:\/\/cyberscoop.com\/treasury-workstations-hacked-china-beyondtrust-identity-access-management\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Treasury workstations hacked by China-linked threat actors | CyberScoop Skip<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[436,271,117,509],"tags":[245,277,119,511],"class_list":["post-6760","post","type-post","status-publish","format-standard","hentry","category-apt","category-china","category-government","category-treasury-department","tag-apt","tag-china","tag-government","tag-treasury-department"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/apt\/\" rel=\"category tag\">apt<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/china\/\" rel=\"category tag\">China<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/government\/\" rel=\"category tag\">Government<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/treasury-department\/\" rel=\"category tag\">Treasury Department<\/a>","tag_info":"Treasury Department","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/6760","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=6760"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/6760\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=6760"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=6760"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=6760"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

{"id":6760,"date":"2024-12-30T15:54:28","date_gmt":"2024-12-30T21:54:28","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=82998"},"modified":"2024-12-30T15:54:28","modified_gmt":"2024-12-30T21:54:28","slug":"treasury-workstations-hacked-by-china-linked-threat-actors","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/12\/30\/treasury-workstations-hacked-by-china-linked-threat-actors\/","title":{"rendered":"Treasury workstations hacked by China-linked threat actors"},"content":{"rendered":"