China Denies Involvement in Major U.S. Treasury Workstation Breach

The Chinese government has firmly denied any involvement in a significant cyberattack on the U.S. Treasury Department, which saw a threat actor breach employee workstations and gain remote access to certain unclassified documents.


The breach was first reported to U.S. lawmakers in a letter dated December 30, where Treasury officials disclosed that they were alerted to the "major incident" on December 8 by BeyondTrust, a third-party software service provider. According to Treasury officials, the attack was attributed to a Chinese state-sponsored Advanced Persistent Threat (APT) actor, though no direct evidence of Chinese government involvement has been presented.


China has strongly rejected the allegations, with a spokesperson for the Chinese embassy in Washington, D.C., telling Reuters that Beijing "firmly opposes the U.S.'s smear attacks against China without any factual basis."


How the Breach Unfolded

BeyondTrust, which provides remote support services, detected the security incident in its product on December 2. By December 5, the company confirmed "anomalous behavior" and promptly revoked the API key involved. The company then notified its affected customers and informed law enforcement, and it continues to cooperate with the ongoing investigation.


Aditi Hardikar, the U.S. Treasury's Assistant Secretary for Management, assured lawmakers that the compromised service had been taken offline, and there was no evidence to suggest the threat actor maintained access to Treasury systems or information. However, the breach remains under investigation, with Treasury officials working closely with the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), U.S. intelligence agencies, and third-party forensic investigators.


Impact and Investigation

The U.S. Treasury has committed to providing more details about the breach in a 30-day supplemental report, as mandated under the Federal Information Security Modernization Act (FISMA). This follows the recent "Salt Typhoon" breach, where cybercriminals gained access to sensitive communications, including phone calls and text messages from lawmakers.


In response to the breach, Treasury officials plan to hold a classified briefing for staffers from the House Financial Services Committee next week to discuss the incident in more detail.


Broader Cybersecurity Concerns

This breach adds to a growing list of cyberattacks targeting U.S. government and private sector entities. In 2024, cybersecurity threats were rampant across various industries, including the cryptocurrency sector, where hackers stole more than $2.3 billion worth of assets through 165 major incidents. A significant portion of these attacks was attributed to access control vulnerabilities, particularly on centralized exchanges and custodian platforms, according to blockchain security firm Cyvers.


The U.S. Treasury’s ongoing investigation, alongside its collaboration with key cybersecurity agencies, aims to strengthen defenses and prevent future incidents. However, the denial of involvement by China has sparked a larger conversation about the attribution of cyberattacks and the ongoing risks to both governmental and private digital infrastructure.
