Chinese APT Exploits BeyondTrust API Key to Access U.S. Treasury Systems and Documents

The United States Treasury Department said it suffered a “major cybersecurity incident” that allowed suspected Chinese threat actors to remotely access some computers and unclassified documents.

“On December 8, 2024, Treasury was notified by a third-party software service provider, BeyondTrust, that a threat actor had gained access to a key used by the vendor to secure a cloud-based service used to remotely provide technical support for Treasury Departmental Offices (DO) end users,” the department said in a letter informing the Senate Committee on Banking, Housing, and Urban Affairs.

“With access to the stolen key, the threat actor was able to override the service’s security, remotely access certain Treasury DO user workstations, and access certain unclassified documents maintained by those users.”

The federal agency said it has been working with the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI), and that available evidence points to it being the work of an unnamed state-sponsored Advanced Persistent Threat (APT) actor from China.

The Treasury Department further said that it has taken the BeyondTrust service offline, adding there is no evidence that the threat actors have access to the environment. It did not share any indicators of compromise that China is responsible for the hack, nor specify when and for how long the breach occurred.

China’s foreign ministry spokesperson Mao Ning denied claims of targeting the Treasury Department. “On this kind of unwarranted and groundless allegations, we’ve made clear our position more than once. China opposes all forms of hacking, and in particular, we oppose spreading China-related disinformation motivated by political agenda,” Ning said.

Earlier this month, BeyondTrust revealed that it was the victim of a digital intrusion that allowed bad actors to breach some of its Remote Support SaaS instances.

The company said its investigation into the incident found that the attackers gained access to a Remote Support SaaS API key that allowed them to reset passwords for local application accounts. BeyondTrust has yet to reveal how the key was obtained.

“BeyondTrust immediately revoked the API key, notified known impacted customers, and suspended those instances the same day while providing alternative Remote Support SaaS instances for those customers,” it said.

The probe has also uncovered two security flaws in Privileged Remote Access (PRA) and Remote Support (RS) products (CVE-2024-12356, CVSS score: 9.8 and CVE-2024-12686, CVSS score: 6.6), the former of which has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild.

The disclosure comes as several U.S. telecommunication providers have found themselves in the crosshairs of another Chinese state-sponsored threat actor named Salt Typhoon.

Update

A new report from the Washington Post published on January 1, 2024, revealed that the December cyber attack by Chinese threat actors targeting the Treasury Department breached the Office of Foreign Assets Control (OFAC) as well as the Office of the Treasury Secretary, citing anonymous U.S. officials.

“The targeting of the Office of Foreign Assets Control (OFAC) as well as the Office of the Treasury Secretary – developments not previously reported – reflects Beijing’s determination to acquire intelligence on its most significant rival in the global competition for power and influence,” the officials were quoted as saying.
