Chinese Hackers Breach US Treasury Through Remote Access Platform

Chinese State-Sponsored Cyber Attack Targets U.S. Treasury Department

The U.S. Treasury Department recently fell victim to a sophisticated cyber attack orchestrated by Chinese state-sponsored hackers. The breach occurred through BeyondTrust, a privileged access management company providing remote support services to the federal agency.

The incident, first reported on December 8th, involved attackers exploiting two previously unknown vulnerabilities (CVE-2024-12356 and CVE-2024-12686) in BeyondTrust’s Remote Support SaaS platform. Using a stolen API key, the hackers successfully reset passwords and gained privileged access to Treasury Department systems, enabling them to remotely access computers and extract sensitive documents.

The FBI and CISA participated in the investigation, confirming the attack’s attribution to a Chinese Advanced Persistent Threat (APT) group. BeyondTrust has since shut down compromised instances and revoked the compromised API key, effectively terminating the threat actors’ access.

This breach coincides with other significant Chinese state-sponsored cyber operations, notably by the “Salt Typhoon” group, which successfully infiltrated major U.S. telecommunications companies including Verizon, AT&T, and T-Mobile. These attacks enabled access to text messages, voicemails, and phone calls of targeted individuals, as well as law enforcement wiretap information.

In response, CISA has recommended government officials transition to end-to-end encrypted messaging applications, while the U.S. government considers banning China Telecom’s remaining U.S. operations as a countermeasure.