China denies involvement after ‘major’ breach of US Treasury workstations

The Chinese government has denied responsibility after a threat actor breached employee workstations at the US Treasury earlier this month, allowing it to remotely access certain “unclassified” documents.

United States Treasury officials told lawmakers in a Dec. 30 letter that they were informed of the “major incident” by a third-party software service provider BeyondTrust on Dec. 8, according to reports.

“Based on available indicators, the incident has been attributed to a Chinese state-sponsored Advanced Persistent Threat (APT) actor,” said Aditi Hardikar, Assistant Secretary for Management at the US Treasury, in a letter obtained by TechCrunch and other outlets, including CNN. 

China has denied responsibility for the attack, telling Reuters it “firmly opposes the U.S.’s smear attacks against China without any factual basis.”

Meanwhile, the compromised service has since been taken offline, Hardikar told US Senator Sherrod Brown and Ranking Member Tim Scott.

“There is no evidence indicating the threat actor has continued access to Treasury systems or information.”

Treasury officials are working with the Cybersecurity and Infrastructure Security Agency, the Federal Bureau of Investigations, US intelligence agencies and third-party forensic investigators to further investigate the incident.

Cointelegraph reached out to the US Treasury but didn’t receive an immediate response.

How the breach happened

BeyondTrust said it identified a security incident in its Remote Support product on Dec. 2, and after “anomalous behavior” was confirmed on Dec. 5, it immediately revoked the API key and notified impacted customers soon after.

“Law enforcement was notified and BeyondTrust has been supporting the investigative efforts,” a BeyondTrust spokesperson told Cointelegraph.

More details will be provided in a 30-day supplemental report that the Treasury is mandated to provide under the Federal Information Security Modernization Act.

It follows the most recent Salt Typhoon breach, where cybercriminals were able to access phone calls and text messages from lawmakers, The Guardian noted.

Related: Chinese hackers use fake Skype app to target crypto users in new phishing scam

Treasury officials are reportedly planning to hold a classified briefing about the breach next week with staffers from the House Financial Services Committee, CNN said.

Hacks ran rampant in the crypto industry this year too, with thieves stealing over $2.3 billion worth of crypto assets across 165 major incidents in 2024, marking a 40% increase compared to 2023, blockchain security firm Cyvers recently reported.

The 40% increase was mainly attributed to the rise of access control breaches, particularly on centralized exchanges and custodian platforms.

Magazine: ‘SEAL 911’ team of white hats formed to fight crypto hacks in real time