Johns Creek company at center of US Treasury Department hack investigation

A view from the US Treasury Department building in Washington DC, USA, on December 30, 2024. The US Treasury Department was cyberattacked by a Chinese state-sponsored actor in early December. In the letter to Congress

Chinese hackers gained access to several U.S. Treasury Department workstations and to unclassified documents after breaching a third-party software services provider, the department confirmed on Monday, calling the incident a “serious cybersecurity incident.”

The Treasury Department learned of the breach on Dec. 8 when BeyondTrust, a Johns Creek-based software services provider, reported that hackers had stolen a key used to secure a cloud-based service for providing remote technical support. The stolen key allowed the attackers to bypass security measures and gain remote access to multiple employee workstations.

In a statement, BeyondTrust wrote:

“BeyondTrust already identified a security incident related to the remote support product in early December 2024 and took action to resolve it. BeyondTrust notified the limited number of affected customers and has been working to support these customers since then. No other BeyondTrust products. Law enforcement authorities were notified and BeyondTrust posted the investigative efforts on its website on December 8, 2024. Timeline and indicators Safety notice has since been updated as part of BeyondTrust’s commitment to keeping customers informed until this matter is resolved.”

“Treasury takes all threats to our systems and the data stored within them very seriously,” a department spokesman said in a statement. “Over the past four years, Treasury has significantly strengthened its cyber defenses, and we will continue to work with private and public sector partners to protect our financial system from threat actors.”

In a letter to lawmakers, Aditi Hardikar, a deputy finance minister, said the compromised service had been taken offline and stressed that “there is currently no evidence that the threat actor continues to have access to Treasury Department information.”

The breach, attributed to state-sponsored Chinese hackers, is being investigated by the FBI, the Cybersecurity and Infrastructure Security Agency (CISA) and other federal agencies. However, the Treasury Department has not disclosed how many workstations were accessed or what type of documents may have been compromised.

This revelation comes amid the ongoing fallout from the Salt Typhoon cyber espionage campaign, which U.S. officials say allowed Chinese agents to access private text messages and phone conversations of an unknown number of Americans. Last week, the White House confirmed that at least nine telecommunications companies were affected by the campaign.

Treasury Department officials continue to assess the impact of the breach and work with federal cybersecurity agencies to improve defenses against future threats.

What is BeyondTrust?

BeyondTrust, a cybersecurity company headquartered in Johns Creek, is a global leader in Privileged Access Management (PAM) and vulnerability management solutions. The company specializes in protecting businesses from internal and external cyber threats through a comprehensive range of products and services.

BeyondTrust’s offerings are designed to secure privileged accounts, credentials and remote access, enabling organizations to reduce risk and improve their security posture. Key solutions include:

  • Privileged Access Management (PAM): Tools to manage and monitor privileged accounts, sessions, and credentials to prevent unauthorized access and mitigate insider threats.
  • Vulnerability management: Solutions that identify, assess and remediate vulnerabilities in IT environments, reducing the attack surface.
  • Endpoint Privilege Management: Policies that enforce least privilege access on endpoints, allowing users to perform tasks without full administrative privileges, thereby minimizing the risk of malware.
  • Remote Support and Access: Secure tools for IT teams to effectively support and manage remote devices and systems.

BeyondTrust serves a variety of industries including finance, healthcare, government and retail. The company has made a name for itself through its focus on security, innovation and customer satisfaction and has earned recognition as a leader in cybersecurity.

The Salt Typhoon cyber espionage campaign explained

A sophisticated cyber espionage operation known as Salt Typhoon or Gallium has been attributed to a group believed to be linked to China, targeting telecommunications companies, the financial sector and the government sector. The campaign is notable for its persistence, as attackers maintain long-term access to compromised networks.

Salt Typhoon relies on custom malware and advanced infiltration techniques to penetrate networks, exfiltrate data, and gain a foothold in compromised systems. Attackers typically exploit vulnerabilities in Internet-connected services and use spear phishing emails to gain initial access. Once inside, they use a range of tools to move laterally across networks, escalate privileges, and extract sensitive information.

The campaign is part of a larger trend of state-sponsored cyber espionage efforts aimed at gathering intelligence and gaining strategic advantage. Experts emphasize the importance of robust cybersecurity practices, including regular vulnerability patching, network segmentation and employee training to recognize phishing attempts, as key defenses against such attacks.

The source: The Associated Press and FOX Business contributed to this report. Details about BeyondTrust were researched from material on the Internet provided by the company. Details of Salt Typhoon’s cyber espionage campaign come from previous reports from FOX 5 Atlanta.

