What just happened? The U.S. Treasury Department has fallen victim to a significant cybersecurity breach that it has attributed to Chinese state-sponsored hackers. The hack, described as a “major incident” by Treasury officials, involved the compromise of a third-party cybersecurity service provider, BeyondTrust, and resulted in the theft of unclassified documents.
The breach, which occurred in early December 2024, exploited a vulnerability in BeyondTrust’s remote support product. According to a letter the department sent to lawmakers that was seen by Reuters, the hackers gained access to a key used by the vendor to secure a cloud-based service used to remotely provide technical support for Treasury Departmental Offices (DO) end users. This access allowed the threat actors to bypass security measures, remotely access certain Treasury DO user workstations, and obtain unclassified documents.
Treasury officials were alerted to the breach on December 8, 2024, and engaged the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation to assess the impact. The department has been working with these agencies, as well as the intelligence community and third-party forensic investigators, to understand the full scope of the breach.
“This incident fits a well-documented pattern of operations by PRC-linked groups, with a particular focus on abusing trusted third-party services – a method that has become increasingly prominent in recent years,” Tom Hegel, a threat researcher at cybersecurity company SentinelOne, told Reuters.
BeyondTrust acknowledged the security incident in a statement on its website. The company reported that it “previously identified and took measures to address a security incident in early December 2024” involving its remote support product. BeyondTrust also stated that it had notified the limited number of affected customers and law enforcement.
In response to the breach, BeyondTrust has taken several steps to address the vulnerabilities. The company identified a medium-severity vulnerability (BT24-11) and a critical vulnerability (BT24-10) within their remote support and privileged remote access products. They have since patched all cloud instances and released updates for self-hosted versions.
While the full extent of the breach is still being determined, the Treasury Department has confirmed that the compromised BeyondTrust service has been taken offline. At present, there is no evidence indicating that the threat actor still has continued access to Treasury information.
The Chinese Embassy in Washington has denied any involvement in the hack. Beijing “firmly opposes the U.S.’s smear attacks against China without any factual basis,” a spokesperson said.
As the investigation continues, the Treasury Department is expected to provide more details in a 30-day supplemental report, as required under the Federal Information Security Modernization Act of 2014 (FISMA) and Office of Management and Budget (OMB) guidance.
