Chinese state-backed hackers have compromised US Treasury computers and accessed unclassified information, after targeting a third-party cybersecurity vendor, it has emerged.
The Treasury confirmed the news in a letter to the Senate Committee on Banking, Housing and Urban Affairs, dated December 30 and shared widely on X (formerly Twitter).
“On December 8, 2024, Treasury was notified by a third-party software service provider, BeyondTrust, that a threat actor had gained access to a key used by the vendor to secure a cloud-based service used to remotely provide technical support for Treasury Departmental Offices (DO) end users,” the letter revealed.
“With access to the stolen key, the threat actor was able to override the service’s security, remotely access certain Treasury DO user workstations, and access certain unclassified documents maintained by those users.”
The Treasury said it immediately enlisted the help of the Cybersecurity and Infrastructure Security Agency (CISA), alongside the FBI, intelligence services and third-party investigators, and attributed the attack to “a China state-sponsored Advanced Persistent Threat (APT) actor.”
The compromised BeyondTrust service was taken offline and the Treasury claimed that there’s no evidence to suggest the threat actors have continued access to its networks or sensitive data.
However, Citizen Lab senior researcher John Scott-Railton voiced concerns over the scope of the attack.
“The analogy is: hacker breaks into your plumber’s office and steals master keys to the buildings they service,” he explained on X. “Given BeyondTrust’s big client list, makes one wonder if other customers were targeted.”
Ian Birdsey, partner at global law firm Clyde & Co, argued that the incident highlights the challenges of supply chain risk and weaknesses in remote access software.
“However, no system, vendor, or supply chain is immune to compromise, and once breached, even robust IT security measures can be circumvented,” he added.
“This incident highlights the importance of focusing on monitoring and detecting unauthorized activity to mitigate the impact of a cyber event, recognizing preventative measures can only take organizations so far. Appreciating that it is when, not if, a security incident occurs is a critical mindset change that all organizations need to make.”
The news comes just weeks after it emerged that Chinese hackers had breached several US telcos, enabling them to access lawmakers’ phone calls and text messages.
BeyondTrust Responds
A BeyondTrust spokesperson told Infosecurity that the firm identified and took measures to address a “security incident” involving its Remote Support product in early December 2024.
“BeyondTrust notified the limited number of customers who were involved, and it has been working to support those customers since then,” they added.
“No other BeyondTrust products were involved. Law enforcement was notified and BeyondTrust has been supporting the investigative efforts.”
The firm has posted a security advisory and incident timeline here.