Treasury Department hacked: Explaining how it happened
Another major cyberattack hit the U.S. Treasury, allegedly by Chinese state-sponsored hackers. Exploiting BeyondTrust software, they accessed sensitive unclassified documents.
On Dec. 8, 2024, the U.S. Treasury Department disclosed a major cybersecurity incident allegedly involving Chinese state-sponsored hackers.
The attackers were able to gain unauthorized access to multiple offices within the agency, putting potentially sensitive information at risk. The cause of the incident is apparently tied to a vulnerable third-party software component used by the Treasury Department. The vulnerable software came from BeyondTrust, a third-party cybersecurity service provider specializing in privileged access management (PAM).
The breach is another example of a supply chain attack, where an organization is exploited through a third-party component. Organizations of all sizes have been impacted by supply chain attacks, and there have been numerous significant incidents in the U.S. in recent years, including SolarWinds.
The attack is also part of an ongoing trend where cybersecurity attacks are allegedly coming from attackers backed by the government of the People's Republic of China. Throughout 2024, multiple Chinese state-sponsored cyberoperations were alleged, including Volt Typhoon targeting critical infrastructure and Salt Typhoon conducting espionage on telecommunications companies.
Details about the incident
Full details on the incident are still emerging. What is clear is that attackers gained unauthorized access to services used by the U.S. Treasury Department.
The breach allowed attackers to access several Treasury Departmental Offices workstations and unclassified documents through BeyondTrust's remote support SaaS platform. The compromised service was used to provide technical support for Treasury Departmental Offices end users.
Officials at the Treasury Department have publicly stated that the attackers gained access to an unspecified number of unclassified documents maintained by affected users. The Treasury Department also confirmed that, while the breach was significant, there is currently no evidence suggesting continued unauthorized access to its systems after the compromise was discovered and mitigated.
Key aspects of the breach include the following:
- Unauthorized access to Treasury Departmental Offices user workstations.
- Compromise of unclassified documents maintained by affected users.
- Immediate engagement with law enforcement and Cybersecurity and Infrastructure Security Agency (CISA) upon discovery.
- Third-party forensic investigators deployed to assess impact.
How did this attack happen?
BeyondTrust's SaaS platform was being used by the Treasury Department to provide PAM for some Departmental Offices workstations and documents. The attackers were able to exploit a series of previously unknown vulnerabilities in BeyondTrust's remote support software platform to gain access. The remote support platform was used by BeyondTrust to help provide technical support to end users in the Treasury's Departmental Offices.
The attack likely occurred in several stages involving both BeyondTrust and the Treasury Department.
Initial compromise
The attackers likely started out with an initial target enumeration by looking for vulnerabilities that could be exploited. The initial compromise may have occurred by attackers identifying and then exploiting a pair of new vulnerabilities. BeyondTrust has publicly identified a pair of vulnerabilities:
- CVE-2024-12356. Detailed in the BT24-10 advisory, this is a critical vulnerability allowing unauthenticated remote command execution. That vulnerability could be used by an attacker to load a malicious file.
- CVE-2024-12686. Detailed in the BT24-11 advisory, this is a medium severity command injection vulnerability. This vulnerability could be used to inject commands into a site.
Key theft
By exploiting the vulnerabilities, the attackers were likely able to steal a cryptographic key used by BeyondTrust. The stolen key allowed attackers to override the service's security protocols.
Treasury exploitation
With the stolen key overriding BeyondTrust's security, the attackers were able to get unauthorized remote access to Treasury Departmental Offices workstations. Because the BeyondTrust system held a trusted key, it was permitted to access those workstations; the attackers used that same key to access unclassified documents stored on them.
Who was affected?
The overall impact of the BeyondTrust vulnerabilities is not yet known, as they likely affect more organizations than just the Treasury Department. Within the Treasury, multiple offices were reportedly impacted, including the following:
- Office of Foreign Assets Control. Administers and enforces economic sanctions.
- Office of the Secretary of the Treasury. Manages high-level departmental operations.
- Office of Financial Research. Analyzes financial system risk and handles critical financial data and research.
Timeline of attack
While full details on the attack are still emerging, there is some early indication about the progression and timeline of the attack:
- Dec. 2, 2024. BeyondTrust detected initial suspicious activity.
- Dec. 5, 2024. Company confirmed the security breach.
- Dec. 8, 2024. Treasury Department notified of the compromise.
- Dec. 8, 2024. BeyondTrust service taken offline.
- Dec. 16, 2024. BeyondTrust identified the BT24-10 vulnerability and provided a patch.
- Dec. 18, 2024. BeyondTrust disclosed BT24-11 advisory with vulnerability and remediation.
- Dec. 30, 2024. Treasury Department notified Congress via a formal letter.
- Jan. 2025. A 30-day supplemental report is expected following guidance from the U.S. Office of Management and Budget.
Who was responsible for the attack?
The Treasury Department has alleged that a People's Republic of China state-sponsored advanced persistent threat (APT) actor led the attack.
It is not immediately clear which specific APT is responsible, though multiple APT groups from China have been actively targeting the U.S. over the past several years. In November 2024, CISA and the FBI reported that the Salt Typhoon China-based APT group had been actively going after U.S. telecommunications providers.
In 2023 and 2024, another China-based group known as Volt Typhoon targeted U.S. infrastructure by compromising small office/home office routers with botnet malware.
What is the impact of this attack?
The full impact remains under investigation, but key concerns include the following:
- Potential access to sensitive Treasury Department documents.
- Exposure of internal communications and policy discussions.
- Possible intelligence gathering about U.S. sanctions planning.
- Compromised security of Treasury's technical infrastructure.
Other related incidents
The Treasury Department breach fits into a broader pattern of sophisticated cyberoperations and supply chain attacks, with many attributed to Chinese state actors. Recent significant incidents include the following:
- Salt Typhoon attacks. In late 2024, the Salt Typhoon APT was able to exploit major U.S. telecommunications providers, including AT&T and Verizon. The attackers were able to access systems used for law enforcement agency requests.
- Volt Typhoon. Throughout 2023 and into 2024, the Volt Typhoon group targeted critical infrastructure organizations, including energy, transportation and water sectors.
- Storm-0558. Microsoft disclosed that Chinese state-sponsored group Storm-0558 compromised cloud email accounts of over 25 organizations, including government agencies. The attackers were able to obtain a signing key allowing them to forge authentication tokens.
- 3CX. In this incident, unified communications provider 3CX was exploited when attackers compromised a legitimate software installer through a supply chain attack. The attack affected numerous government agencies and businesses.
- Barracuda Email Security Gateway attacks. In late 2023, China-backed threat actors were suspected to be responsible for attacks against Barracuda Email Security Gateway appliances. The attacks affected email security appliances worldwide.
Sean Michael Kerner is an IT consultant, technology enthusiast and tinkerer. He has pulled Token Ring, configured NetWare and been known to compile his own Linux kernel. He consults with industry and media organizations on technology issues.