
Treasury Department breached through BeyondTrust service

The Treasury Department said Chinese government hackers gained access to a key for BeyondTrust's Remote Support service and used it to breach the federal agency.

The U.S. Treasury Department was breached earlier this month by a Chinese nation-state threat actor that had compromised BeyondTrust's SaaS platform.

In a letter to members of the U.S. Senate Committee on Banking, Housing, and Urban Affairs, the Treasury Department disclosed a "major incident" in which an advanced persistent threat (APT) group gained access to its systems. The letter was first reported by Reuters on Monday.

The department said the breach stemmed from a compromised cloud service at BeyondTrust, a privileged access management vendor. BeyondTrust issued a security advisory on Dec. 8 warning that an API key for its Remote Support services had been compromised by threat actors. The vendor said it had detected suspicious activity involving "a limited number of Remote Support SaaS customers."

The Treasury Department's letter to lawmakers confirmed the federal agency was one of those BeyondTrust customers.

"On December 8, 2024, Treasury was notified by a third-party software service provider, BeyondTrust, that a threat actor had gained access to a key used by the vendor to secure a cloud-based service used to remotely provide technical support for Treasury Departmental Offices (DO) end users," the letter read. "With access to the stolen key, the threat actor was able to override the service's security, remotely access certain Treasury DO user workstations, and access certain unclassified documents maintained by those users."

It's unclear how the threat actors initially obtained BeyondTrust's API key. The vendor earlier this month disclosed two vulnerabilities, tracked as CVE-2024-12686 and CVE-2024-12356, that affected its Privileged Remote Access and Remote Support tools, but BeyondTrust has not said whether, or how, either flaw was used in the malicious activity involving the stolen API key.

A BeyondTrust spokesperson provided the following statement to Informa TechTarget's SearchSecurity.

BeyondTrust previously identified and took measures to address a security incident in early December 2024 that involved the Remote Support product. BeyondTrust notified the limited number of customers who were involved, and it has been working to support those customers since then. No other BeyondTrust products were involved. Law enforcement was notified and BeyondTrust has been supporting the investigative efforts. BeyondTrust posted information regarding the incident and the ongoing investigation on its website on December 8, 2024, including a summary, timeline, and indicators. The security advisory has been updated since then as part of BeyondTrust's commitment to updating customers through the completion of this matter.

According to the letter, the Treasury Department took the compromised BeyondTrust service offline and has found no evidence indicating the attackers maintained continued access to the agency's data. The department also said it has been working with CISA, the FBI, the U.S. intelligence community and third-party investigators to analyze the breach and determine the impact.

"Based on available indicators, the incident has been attributed to a China state-sponsored Advanced Persistent Threat (APT) actor," the letter read. The department did not identify which APT was responsible.

The breach is the latest in a series of high-profile cyberattacks by state-sponsored hackers tied to the People's Republic of China (PRC). Last month, CISA and the FBI confirmed that PRC-affiliated hackers had breached several U.S. telecommunications providers and accessed systems used to fulfill law enforcement agency requests. The agencies said the attacks, which were first reported by The Wall Street Journal, were part of a "broad and significant cyber espionage campaign" that targeted high-value individuals such as government officials.

Rob Wright is a longtime reporter and senior news director for TechTarget Editorial's security team. He drives breaking infosec news and trends coverage. Have a tip? Email him.
