US Treasury Department Cyberattack Traced to Chinese State-Sponsored Threat Actors Through Breached Remote Support Platform

December 30, 2024

A cyberattack on the US Treasury Department has been traced back to Chinese state-sponsored threat actors. The breach occurred via a remote support platform provided by BeyondTrust, a company specializing in privileged access management. The Treasury Department alerted lawmakers to the breach, which was initially reported by BeyondTrust on December 8th. The letter sent to lawmakers and quoted by the New York Times reads, "Based on available indicators, the incident has been attributed to a China state-sponsored Advanced Persistent Threat (APT) actor."

The attack was carried out using a stolen API key from BeyondTrust's Remote Support SaaS platform, allowing the threat actors to reset passwords for local application accounts and gain further privileged access. The breach also involved the exploitation of two zero-day vulnerabilities, CVE-2024-12356 and CVE-2024-12686, enabling the threat actors to take over Remote Support SaaS instances. As a result, the threat actors could access Treasury Department computers and steal documents remotely.

Upon discovering the breach, BeyondTrust deactivated all compromised instances and revoked the stolen API key. The FBI and CISA assisted in the investigation, and there is no evidence that the threat actors still have access now that the compromised instances have been shut down.

The same threat actors, known as 'Salt Typhoon', have been implicated in recent hacks of nine US telecom companies, including Verizon, AT&T, Lumen, and T-Mobile. They reportedly used their access to target the text messages, voicemails, and phone calls of specific individuals, and to access wiretap information on those under investigation by law enforcement. In response to these breaches, CISA has advised senior government officials to switch to end-to-end encrypted messaging apps such as Signal. The US government is reportedly planning to shut down the last active US operations of China Telecom as a countermeasure to the telecom hacks.

The State Department has not yet responded to further queries about the breach.
