
China Denies Involvement in Major Breach of US Treasury Workstations
In a recent incident, a threat actor breached employee workstations at the United States Treasury Department, gaining remote access to certain "unclassified" documents. The Chinese government has denied responsibility for the attack, calling the accusation baseless and unfounded.
Background of the Incident
On December 8th, BeyondTrust, a third-party software service provider, informed Treasury officials about a major security incident involving their Remote Support product. According to reports, the breach occurred on December 2nd, but it wasn’t until December 5th that anomalous behavior was confirmed.
Attribution of the Breach
In a letter obtained by TechCrunch and other outlets, Aditi Hardikar, assistant secretary for management at the Treasury Department, attributed the incident to a Chinese state-sponsored Advanced Persistent Threat (APT) actor. The letter stated:
"Based on available indicators, the incident has been attributed to a Chinese state-sponsored APT actor."
Response from the US Treasury
In response to the breach, Treasury officials have taken immediate action to secure their systems and prevent further unauthorized access. According to Hardikar’s letter, there is no evidence indicating that the threat actor continues to have access to Treasury systems or information.
"We are working closely with our partners at the Cybersecurity and Infrastructure Security Agency, the Federal Bureau of Investigation, US intelligence agencies, and third-party forensic investigators to thoroughly examine this incident," Hardikar wrote in the letter.
Chinese Government Response
The Chinese government has denied any involvement in the attack. According to Reuters, China’s Foreign Ministry spokesperson said that:
"China firmly opposes the U.S.’s smear attacks against China without any factual basis."
Forensic Investigation and Report
BeyondTrust identified a security incident involving its Remote Support product on December 2nd; after anomalous behavior was confirmed on December 5th, the company immediately revoked the API key involved. It notified impacted customers soon after and has been supporting law enforcement efforts.
Under the Federal Information Security Modernization Act, the Treasury Department will deliver a 30-day supplemental report with more details about the incident.
Related Incidents
The breach at the US Treasury follows another high-profile security incident, the Salt Typhoon breach, in which cybercriminals accessed phone calls and text messages of lawmakers. Together, these incidents underline the growing cybersecurity threat facing the government sector.
Increased Security Threats
The crypto industry has also faced significant security threats in 2024, with thieves stealing over $2.3 billion worth of crypto assets across 165 major incidents. According to blockchain security firm Cyvers, the 40% increase in security breaches was mainly attributed to access control breaches on centralized exchanges and custodian platforms.
Future Briefing
Treasury officials are reportedly planning a classified briefing about the breach next week with staffers from the House Financial Services Committee.
What You Need to Know
- A threat actor breached employee workstations at the US Treasury, gaining remote access to certain "unclassified" documents.
- The Chinese government denied responsibility for the attack.
- BeyondTrust identified a security incident involving its Remote Support product on December 2nd and, after anomalous behavior was confirmed on December 5th, immediately revoked the API key involved.
- A 30-day supplemental report will be provided by the Treasury Department under the Federal Information Security Modernization Act.
Why This Matters
This breach highlights the growing concern of cybersecurity threats in the government sector. It also underscores the importance of robust security measures and incident response planning to prevent and mitigate such attacks.