Treasury hack: Lawmakers seek more details on scope, third-party vulnerabilities

The Treasury hack is sparking new questions about how agencies ensure the security of third-party technology service providers.

Lawmakers are asking the Treasury Department for more details on a recent China-connected cyber breach, including whether the agency was aware of potential vulnerabilities in the third-party vendor at the center of the Treasury hack.

In a Jan. 2 letter to Treasury Secretary Janet Yellen, Sen. Tim Scott (R-S.C.) and Rep. French Hill (R-Ark.) call the recent breach “extremely concerning.” Treasury had earlier disclosed to lawmakers that a China-linked Advanced Persistent Threat group remotely accessed some agency workstations and unclassified documents after compromising BeyondTrust, a software vendor.

“The fact that a CCP-sponsored APT actor was able to access Treasury’s information systems is unacceptable and raises serious questions about the protocols for safeguarding sensitive federal government information from future cybersecurity incidents,” Scott and Hill wrote in the letter.

Scott is now chairman of the Senate Committee on Banking, Housing and Urban Affairs, while Hill is the new chairman of the House Financial Services Committee.

The pair are asking Yellen to brief their committees by Jan. 10 on when and how the hack occurred; the type and extent of information accessed by the group; and whether Treasury was aware of any cybersecurity vulnerabilities related to BeyondTrust prior to the incident.

They also want to know the steps Treasury is taking to prevent similar cyber incidents in the future.

In a Dec. 30 letter to lawmakers, Treasury said it was notified by BeyondTrust about the incident on Dec. 8. The company told the agency that the hackers gained access to a key used by the vendor to provide remote technical support to Treasury offices.

“With access to the stolen key, the threat actor was able to override the service’s security, remotely access certain Treasury [department office] user workstations, and access certain unclassified documents maintained by those users,” the agency added.

Treasury said it was working with the Cybersecurity and Infrastructure Security Agency, the FBI, the intelligence community and “third-party forensic investigators” to determine the “overall impact” of the incident.

“The compromised BeyondTrust service has been taken offline and at this time there is no evidence indicating the threat actor has continued access to Treasury information,” the agency wrote.

In a Jan. 2 email, a spokesman for CISA told Federal News Network that “at this time, CISA cannot comment on the extent or scope of the Treasury hack.”

Cyber supply chain security implications

While the investigation is in its early stages, the Treasury incident will likely lead to further questions about how the government ensures the security of its third-party technology service providers.

BeyondTrust provides identity and access security services to customers like Treasury. In a statement, a company spokesman said it identified and took measures to address a security incident in early December involving BeyondTrust’s remote support product.

“BeyondTrust notified the limited number of customers who were involved, and it has been working to support those customers since then,” the spokesman said. “No other BeyondTrust products were involved. Law enforcement was notified and BeyondTrust has been supporting the investigative efforts.”

In an advisory posted to its website, BeyondTrust said it detected “potentially anomalous behavior” tied to one customer instance of its remote support software-as-a-service on Dec. 2.

By Dec. 5, the company had confirmed the anomalous behavior and determined that an application programming interface, or API, key used to provide remote support had been compromised.

“A thorough investigation into the cause and impact of the compromise is underway with a recognized third-party cybersecurity and forensics firm,” the company wrote. “Our initial investigation has found that no BeyondTrust products outside of Remote Support SaaS are impacted.”

BeyondTrust also identified a critical vulnerability within its remote support and privileged remote access products on Dec. 16. CISA added the bug to its “Known Exploited Vulnerabilities” catalog Dec. 19. Agencies were required to patch it by Dec. 27.

Jason Weiss, public sector chief technology officer at Second Front Systems, said the incident raises questions about how BeyondTrust’s API key was stolen, how long it was valid for, and what kind of access it provided to hackers once compromised.

Weiss also pointed out that compliance programs like the Federal Risk and Authorization Management Program (FedRAMP) and the secure software development attestation form don’t typically address API security.

“I think this is a call to action for programs like FedRAMP to appreciate that we need to start looking more holistically at the architecture of APIs, with more and more systems being cobbled together by linking them through APIs,” Weiss said. “It’s sort of a gray, fuzzy area that’s easy to fall under the radar.”

A stolen digital signing key also played a pivotal role in the summer 2023 Microsoft Exchange hack. In that incident, China-linked hackers used a 2016 Microsoft cryptographic key to forge access to the email accounts of high-level Commerce and State Department officials.

The Cyber Safety Review Board, in its March 2024 report on the Exchange intrusion, recommended agencies strengthen compliance requirements around signing keys.

“Cloud services are a critical component of the cybersecurity ecosystem, especially when they protect the most sensitive government data,” the review board’s report states. “However, the board finds that existing compliance requirements for government cybersecurity do not consistently require sound practices around key management or token issuance.”

Copyright © 2025 Federal News Network. All rights reserved.