
U.S. Treasury Department Hit by Chinese APT in 'Major' Cyberattack

Chinese APT threat actors were able to access certain Treasury Department user workstations and unclassified documents.

Update - Earlier in December, a Chinese APT group targeted the U.S. Treasury Department in a cyberattack that enabled the attackers to access certain user workstations and unclassified documents. The Treasury Department first became aware of the cyberattack on Dec. 8, but reports of the incident came out on Dec. 30 after the Treasury Department disclosed the hack in a letter to U.S. lawmakers.

Key Details:

  • The threat actor accessed a key that the third-party software service provider BeyondTrust used to secure a cloud-based service. That service provided remote technical support for Treasury Department end users

  • The attackers used the stolen key to override the service’s security and remotely access end-user workstations and “certain unclassified documents maintained by those users”

  • The letter attributed the attack to a China state-sponsored APT actor, and stressed that “intrusions attributable to an APT are considered a major cybersecurity incident”

Why It Matters: Although there currently aren’t further details about the specific Chinese APT group behind this attack, the Treasury Department’s incident comes as the U.S. government struggles to deal with espionage attacks by Chinese threat actors in recent months. One of the more high-profile incidents has been a breach by Salt Typhoon of nine telecommunication companies, which involved communications of U.S. government officials and political figures.

The Background: The letter did not say how the threat actors were able to initially access the key. BeyondTrust first notified the Treasury Department about the incident on Dec. 8, 2024. The company issued a security alert earlier in December warning of an “incident that involved a limited number of Remote Support SaaS customers.” According to the alert, anomalous behavior was first detected Dec. 2, and on Dec. 5 an analysis identified that an API key for Remote Support SaaS had been compromised.

When asked for comment on the Treasury Department incident, a BeyondTrust spokesperson provided the following statement on Tuesday:

“BeyondTrust previously identified and took measures to address a security incident in early December 2024 that involved the Remote Support product. BeyondTrust notified the limited number of customers who were involved, and it has been working to support those customers since then. No other BeyondTrust products were involved. Law enforcement was notified and BeyondTrust has been supporting the investigative efforts. BeyondTrust posted information regarding the incident and the on-going investigation on its website on December 8, 2024, including a summary, timeline, and indicators. The security advisory has been updated since then as part of BeyondTrust’s commitment to updating customers through the completion of this matter.” 

What’s Next: The U.S. government is still trying to determine the full impact of the incident, and the letter did not specify the nature of the unclassified documents that were accessed. The Treasury Department said it is continuing to work with CISA, the FBI and third-party forensic investigators, and that it plans to make more details available in a 30-day follow-up report.

Meanwhile, the compromised service from BeyondTrust was taken offline, and the U.S. said that at this time there’s no evidence showing that the threat actor continues to have access to Treasury information. 

This article was updated on Dec. 31 with a statement from BeyondTrust.