Treasury Hackers Focused on Sanctions, Intelligence, Report Says

(Bloomberg) — Chinese state-sponsored hackers who breached the US Treasury Department got into more than 400 laptop and desktop computers, taking particular interest in the machines of staff and senior leaders focused on sanctions, international affairs and intelligence, according to an agency report reviewed by Bloomberg News.

The hackers accessed employee usernames and passwords, as well as more than 3,000 files on unclassified computers, the report said. That included policy and travel documents, organizational charts, material on sanctions and foreign investment, and “Law Enforcement Sensitive” data. The perpetrators likely stole material but appear not to have gotten into Treasury’s classified or email systems, according to the findings.

The report, which is dated Wednesday and addressed to members of Congress, offers the fullest picture to date of what US officials say was a foreign rival’s intrusion into an agency central to managing the national debt, issuing sanctions and shaping US economic policy.

There’s no evidence that the hackers tried to lurk in Treasury’s systems for longer-term intelligence gathering, the report states, adding that there was no evidence of malware on the compromised devices.

Treasury spokesperson Chris Hayden declined to comment Wednesday. FBI representatives didn’t immediately respond to a request for comment.

On Dec. 8, software contractor BeyondTrust Corp. notified the Treasury that the department had been breached through a hack of the company’s networks. The department reported the breach to the Cybersecurity and Infrastructure Security Agency within an hour of confirming it, the report states, and later sought help from the FBI, intelligence agencies and other incident response groups.

Investigators attributed the hack to a Chinese state-sponsored actor known among cybersecurity professionals as Silk Typhoon and UNC5221, according to the report. They found that the hackers prioritized the collection of documents and operated outside of normal working hours to avoid detection, the report said.

Chinese officials have long denied US allegations of state-sponsored cyberattacks, and a Foreign Ministry spokesperson last month called the claims that it was behind the Treasury hack “unwarranted and groundless.”

The hackers accessed a total of 419 computers from late September through mid-November and took primary interest in the Office of Foreign Assets Control, the Office of International Affairs, and the Office of Intelligence and Analysis, the report states. It says they also focused on “certain senior officials” in the Treasury Department’s front office and took employees’ personal financial documents, banking and insurance records.

Counterintelligence officials are still conducting a “comprehensive damage assessment,” the report states.

Treasury employees are set to brief staff for the Senate Committee on Banking, Housing and Urban Affairs on Thursday, a Senate aide told Bloomberg News. Republican Senator Tim Scott from South Carolina, who chairs the committee, had originally asked for the briefing to occur by Jan. 10. Treasury first informed Congress of the breach in a Dec. 30 letter, characterizing it as a “major cybersecurity incident.”

After learning of the breach, Treasury staff disconnected BeyondTrust’s systems, which remain offline, according to the agency. The Johns Creek, Georgia-based company holds contracts with the federal government worth more than $4 million, according to government data compiled by Bloomberg.

In its report to Congress, Treasury said it was looking at alternatives to BeyondTrust. “While Treasury has no immediate knowledge of hygienic failures that may have contributed to the compromise of BeyondTrust, we believe we should examine the marketplace,” the report states.

BeyondTrust didn’t immediately respond to a request for comment.

©2025 Bloomberg L.P.