The U.S. Treasury Department has confirmed a significant security breach stemming from compromised third-party software, with evidence pointing to a China state-sponsored hacking group. The incident allowed unauthorized access to some internal systems and documents.

According to a letter to lawmakers, the Treasury Department was alerted to the breach on December 8th by BeyondTrust, the provider of the affected remote management software. The attackers gained access by exploiting a stolen key used to secure a cloud service that provides remote technical support to Treasury Department employees.

The compromised key enabled the hackers to bypass security measures and remotely access user workstations, obtaining some unclassified documents. The department has not released details regarding the nature of the accessed documents.

Following the attack, the Treasury Department collaborated with the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI. The compromised BeyondTrust service has been taken offline, and the department stated that there is no evidence of continued access by the threat actor.

This incident appears to be connected to an earlier security breach disclosed by BeyondTrust, which impacted customers using its remote support software. BeyondTrust stated that the attack stemmed from a compromised API key for its remote support software. The company revoked the key, notified impacted customers, and suspended the affected instances on the same day.

The Treasury Department emphasized its commitment to cybersecurity and stated that it takes all threats seriously. It also highlighted ongoing efforts to enhance its defenses and collaborate with public and private sector partners to safeguard the U.S. financial system.