
US Treasury Department Breached via Remote Support Platform

Chinese state-sponsored hackers infiltrated the U.S. Treasury Department by exploiting a remote support platform used by the agency, according to a letter from the Treasury shared with lawmakers and reported by The New York Times.

BeyondTrust, a vendor of privileged access management and remote support SaaS products, notified the Treasury of the compromise on December 8th. The Treasury Department attributed the activity to a Chinese state-sponsored Advanced Persistent Threat (APT) group and classified it as a major cybersecurity incident.

BeyondTrust Platform Exploited

Earlier reports revealed that BeyondTrust’s Remote Support SaaS platform had been breached. The threat actors obtained an API key for the service and used it to reset passwords on local application accounts, which gave them privileged access to the affected instances. During the investigation, BeyondTrust also identified two previously unknown vulnerabilities in its Privileged Remote Access and Remote Support products, CVE-2024-12356 and CVE-2024-12686, both OS command injection flaws, which the vendor reported as facilitating the attack.

With that access to a limited number of Remote Support SaaS instances, including the one used by the Treasury Department, the attackers could remotely reach Treasury user workstations through the support channel and retrieve unclassified documents held on them.
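The detection angle a security operations team would want from this incident is visibility into how a vendor-issued API key is being used, since the key, not an exploit, was the initial foothold. The following Python script is an added example, not code from the original post or from BeyondTrust: it scans constructed audit log lines (the JSON schema, field names, key IDs, and the allowed network are all assumptions for illustration) and flags password resets performed with an API key that is unknown, that comes from an unexpected source network, or that occurs in a burst.

```python
"""
Detection sketch for API-key-driven password resets.
The log format, field names, key IDs and networks below are constructed for
this example; they are not BeyondTrust's real audit schema or real data.
"""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events (JSON lines), not real log data.
SAMPLE_LOG = """
{"ts":"2024-12-02T09:14:03Z","event":"account.password_reset","auth":"api_key","key_id":"key-ops-01","src_ip":"10.20.30.5","target":"svc-helpdesk"}
{"ts":"2024-12-02T09:15:10Z","event":"session.start","auth":"user","key_id":null,"src_ip":"10.20.30.9","target":"jdoe"}
{"ts":"2024-12-02T23:41:52Z","event":"account.password_reset","auth":"api_key","key_id":"key-ops-01","src_ip":"203.0.113.77","target":"admin"}
{"ts":"2024-12-02T23:42:05Z","event":"account.password_reset","auth":"api_key","key_id":"key-ops-01","src_ip":"203.0.113.77","target":"svc-backup"}
{"ts":"2024-12-02T23:42:30Z","event":"account.password_reset","auth":"api_key","key_id":"key-ops-01","src_ip":"203.0.113.77","target":"svc-monitor"}
{"ts":"2024-12-02T23:44:00Z","event":"account.password_reset","auth":"api_key","key_id":"key-unknown-7","src_ip":"10.20.30.5","target":"svc-ci"}
"""

# Assumed policy: which API keys exist and from which networks each may be used.
KEY_ALLOWED_NETS = {
    "key-ops-01": [ipaddress.ip_network("10.20.30.0/24")],
}
# More than this many resets by one key inside RESET_WINDOW is treated as a burst.
RESET_BURST_LIMIT = 2
RESET_WINDOW = timedelta(minutes=5)


def parse_events(text):
    """Parse JSON-lines audit text into a list of event dicts."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def _in_allowed_net(key_id, src_ip):
    """True if src_ip falls inside one of the networks allowed for key_id."""
    nets = KEY_ALLOWED_NETS.get(key_id)
    if nets is None:
        return False  # unknown key: never allowed
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net for net in nets)


def find_suspicious_resets(events):
    """Return a list of (reason, event) for API-key password resets that use an
    unknown key, come from an unexpected network, or arrive in a burst.
    The burst finding fires once, on the event that crosses RESET_BURST_LIMIT."""
    findings = []
    recent = defaultdict(list)  # key_id -> timestamps of resets inside the window
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        if ev["event"] != "account.password_reset" or ev["auth"] != "api_key":
            continue
        key_id, src_ip = ev["key_id"], ev["src_ip"]
        if key_id not in KEY_ALLOWED_NETS:
            findings.append(("unknown_key", ev))
        elif not _in_allowed_net(key_id, src_ip):
            findings.append(("unexpected_source", ev))
        ts = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        window = [t for t in recent[key_id] if ts - t <= RESET_WINDOW]
        window.append(ts)
        recent[key_id] = window
        if len(window) == RESET_BURST_LIMIT + 1:
            findings.append(("reset_burst", ev))
    return findings


if __name__ == "__main__":
    for reason, ev in find_suspicious_resets(parse_events(SAMPLE_LOG)):
        print(f"{ev['ts']} {reason:18} key={ev['key_id']} src={ev['src_ip']} target={ev['target']}")
```

The first reset in the sample is legitimate (known key, expected network) and produces no finding; the three night-time resets from an outside address are each flagged, the third also triggers the burst rule, and the reset made with a key the policy does not know is flagged on its own. In practice the allowlist would come from the vendor's key inventory, and a hit on any of these rules is grounds to revoke the key first and ask questions afterwards.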

Upon detecting the breach, BeyondTrust revoked the compromised API key, took the affected Remote Support SaaS instances offline, and notified the affected customers.

Investigation and Response

The FBI and CISA are assisting the Treasury Department in investigating the breach. According to the Treasury, there is no evidence the attackers retained access to its systems once the compromised instances were taken offline.

The attack is part of a broader pattern of cyber intrusions attributed to Chinese APT groups. One such group, known as “Salt Typhoon,” has also been linked to breaches of nine major U.S. telecommunications companies, including Verizon, AT&T, and T-Mobile.

Broader Implications

The telecom breaches allowed the attackers to intercept text messages, voicemails, and phone calls of targeted individuals, and to reach the carriers’ lawful-intercept (wiretap) systems. These incidents prompted CISA to recommend that senior government officials adopt end-to-end encrypted messaging apps, such as Signal, to reduce the risk of communications being intercepted in transit.

In response to the telecom hacks, the U.S. government is reportedly planning to ban the remaining operations of China Telecom in the United States.

Conclusion

This breach highlights the growing cybersecurity challenges posed by state-sponsored threat actors. The Treasury Department incident also shows that a vendor’s service credentials are part of the customer’s own trust boundary: an API key issued to a remote support provider was enough to reset privileged accounts and reach agency workstations without any exploit against the agency itself. Securing third-party platforms, monitoring how their credentials are used, and patching vulnerabilities before adversaries exploit them are all part of the same problem.

David McAfee

David McAfee is a seasoned cybersecurity expert with over a decade of experience at VPN Group. Specializing in online privacy and digital security, he has played a key role in developing advanced strategies to protect individuals and organizations from cyber threats.