
The U.S. Treasury Department has confirmed it experienced a "major cybersecurity incident," with suspected Chinese threat actors gaining unauthorized access to some of its computers and unclassified documents. The breach was first flagged on December 8, 2024, when the Treasury was notified by its third-party software provider, BeyondTrust, about a security vulnerability.
According to the Treasury’s communication with the Senate Committee on Banking, Housing, and Urban Affairs, a threat actor exploited a compromised key from BeyondTrust's cloud-based service, which is used to provide remote technical support to Treasury Departmental Offices.
With access to the stolen key, the attacker was able to bypass the service’s security and remotely access certain user workstations, gaining access to unclassified documents stored on those devices. The Treasury Department quickly took the BeyondTrust service offline and began working closely with the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) to investigate the breach.
Initial evidence suggests the attack was carried out by a state-sponsored Advanced Persistent Threat (APT) actor from China, although the Treasury has not officially confirmed the identity of the hackers. In response to the allegations, China’s foreign ministry spokesperson Mao Ning denied any involvement, stating that China opposes all forms of hacking and the spread of misinformation.
BeyondTrust, the third-party vendor at the centre of the breach, also disclosed its own security incident earlier in December, revealing that attackers had gained access to an API key, allowing them to reset passwords for local accounts. The company revoked the compromised key and notified impacted customers, while also taking immediate steps to suspend vulnerable services.
As part of the investigation, two security vulnerabilities in BeyondTrust’s software products were identified and added to CISA's Known Exploited Vulnerabilities catalog. These vulnerabilities are being actively exploited in the wild. The breach follows similar cyber-attacks on U.S. telecommunications companies by another Chinese state-backed actor, Salt Typhoon.
A report published by The Washington Post on January 1 further revealed that the Chinese cyber-attack also targeted the Office of Foreign Assets Control (OFAC) and the Office of the Treasury Secretary, marking a more aggressive effort to obtain sensitive intelligence on the U.S. government. U.S. officials have speculated that the breach reflects China’s ongoing efforts to gather intelligence on its global competitors.