The US Treasury Department disclosed a significant cybersecurity breach on July 28, 2025, attributed to a China-based state-sponsored hacking group that gained unauthorized access to Treasury workstations and unclassified documents through a compromised third-party service provider.
The attackers compromised BeyondTrust, a cybersecurity service provider, to gain entry into Treasury systems. While the breach did not impact classified information, hackers accessed files related to sanctions, intelligence, and international affairs, including Treasury Secretary Janet Yellen’s computer workstation.
Treasury staff were first notified of the incident by BeyondTrust on December 8, following the discovery of the security compromise. The department immediately coordinated with the Cybersecurity and Infrastructure Security Agency (CISA), FBI, and other intelligence agencies to assess the full scope of the breach and implement security measures.
In response to the attack, the compromised BeyondTrust service was immediately taken offline to prevent further unauthorized access. Treasury officials stated there is currently no evidence that the attackers retain access to department systems, though the investigation remains ongoing.
China’s foreign ministry has denied the allegations, dismissing claims of state-sponsored cyber activities targeting US government institutions. However, the Treasury Department emphasized its commitment to safeguarding US financial systems and maintaining transparency with congressional oversight regarding cybersecurity incidents.
The breach highlights persistent cyber threats facing critical US government institutions and underscores the vulnerability of third-party service providers as potential attack vectors for state-sponsored hackers targeting sensitive government operations.
