Computers of Senior US Treasury Leaders Accessed in Latest Hack

(Bloomberg) — Chinese state-sponsored hackers broke into the computers of senior US Treasury Department leaders as part of a recent breach of the agency, according to a US official and another person familiar with the matter.

Most Read from Bloomberg

The hackers were able to access unclassified material stored locally on the senior officials’ computers, which were among the laptops and desktops that were infiltrated, according to the people, who asked not to be named because the investigation is ongoing. They didn’t specify which senior leaders’ computers were breached.

Investigators have so far found roughly 100 government computers that were compromised, according to the US official, who added that the hackers accessed drafts and notes for policy decisions, itineraries and travel planning documents for Treasury leaders, as well as some internal communications. The agency is still assessing what was taken, but the hackers didn’t compromise the department’s email system or classified systems, according to both people.

These details of the breach, which haven’t been previously reported, offer a fuller view of what US officials have said was a foreign rival’s intrusion into an agency central to managing the national debt, issuing sanctions and shaping US economic policy.

Chinese officials have long denied US allegations of state-sponsored cyberattacks, and a Chinese Foreign Ministry spokesperson this week called the claims that it’s behind the Treasury hack “unwarranted and groundless.”

Treasury spokesperson Lily Adams declined to comment on Thursday. In a Dec. 30 letter to Congress reviewed by Bloomberg News, the agency characterized the breach as a “major cybersecurity incident” and said the hackers got in through through a software provider, BeyondTrust Inc. The Georgia-based company sells managed access software and other cybersecurity products.

A Treasury spokesperson previously said the compromised BeyondTrust service had been taken offline, and that there’s no evidence the hackers continue to have access to the department’s information.

The hackers breached the Office of the Treasury Secretary and the Office of Foreign Assets Control, which administers economic sanctions, the Washington Post reported Wednesday.

Information about the Treasury’s sanctions deliberations would have been of high interest to the Chinese government in the past year. While visiting Beijing in April, Treasury Secretary Janet Yellen made clear to her counterparts that Washington would act to sanction Chinese financial firms if they were found financing trade with Russia that bolstered Moscow’s war with Ukraine.

“I stressed that companies, including those in the PRC, must not provide material support for Russia’s war, and that they will face significant consequences if they do,” Yellen told reporters during an April 8 press conference at the US ambassador’s residence in Beijing, using an abbreviation for the People’s Republic of China. “Any banks that facilitate significant transactions that channel military or dual-use goods to Russia’s defense industrial base expose themselves to the risk of US sanctions.”

In the ensuing nine months, the Treasury hasn’t sanctioned any Chinese financial firms.

The attack on the Treasury Department lacked the stealth of previous cyber espionage campaigns blamed on China, including a recent one targeting US telecommunications companies, according to the US official and the person with knowledge of the breach. Rather, the hackers appear to have opportunistically taken what was available to them on the hard drives of the machines they gained access to through the BeyondTrust system, they said. China has denied involvement in the hack of the telecommunications sector.

In the Treasury attack, the hackers illegally accessed a “key used by the vendor to secure a cloud-based service” that, in turn, provides technical support to the department, Treasury said in its letter to Congress. BeyondTrust Inc. informed Treasury of the breach on Dec. 8, according to the letter.

BeyondTrust has said a limited number of customers were involved in the breach, that they had been notified along with law enforcement and the company has been supporting its clients and the investigation. Company spokesman Mike Bradshaw declined further comment on Thursday.

BeyondTrust holds contracts with the federal government worth more than $4 million, according to government data compiled by Bloomberg. In addition to Treasury, the data show, BeyondTrust does business with the Department of Defense, Department of Veterans Affairs and the Department of Justice, along with other agencies.

A Department of Defense spokesperson said Tuesday that it had not received a notification about the breach from BeyondTrust. Officials with the Justice Department and Department of Veterans Affairs haven’t responded to separate requests for comment.

—With assistance from Christopher Condon.