The U.S. Treasury Department confirmed a China-sponsored Advanced Persistent Threat (APT) group gained access to government employee workstations and unclassified documents. The hackers exploited a vulnerability in BeyondTrust's Remote Support SaaS product. The attack marks a significant security incident amid escalating cyber tensions between the U.S. and China.
Incident discovery
BeyondTrust, a provider of secure remote access and privileged access management solutions, disclosed that the breach originated from a compromised API key used in its Remote Support SaaS product. The incident was detected on December 2, 2024, when anomalous activity was flagged by the company's Information Security team. By December 5, BeyondTrust identified the compromise, revoked the API key, and suspended affected SaaS instances.
The API key allowed attackers to reset passwords for local application accounts, granting unauthorized access to certain government systems. BeyondTrust emphasized that the vulnerability was isolated to its Remote Support SaaS product and did not affect other solutions.
Details of the Treasury breach
The Treasury Department was informed of the breach on December 8. According to its disclosure to lawmakers via a letter seen by The New York Times, the intrusion enabled hackers to access specific workstations and unclassified documents. Senior officials described the attack as espionage-focused, targeting sensitive financial data rather than attempting sabotage.
The Treasury Department oversees critical financial infrastructure, sanctions enforcement, and global economic data, making it a prime target for foreign intelligence agencies. This breach adds to a series of cyber intrusions attributed to Chinese actors, including the earlier compromise of Commerce Secretary Gina Raimondo's email during deliberations on export controls for advanced semiconductors.
BeyondTrust's response
BeyondTrust has since patched the vulnerabilities (identified as BT24-10 and BT24-11) in both cloud-hosted and self-hosted versions of its software. The company engaged a third-party cybersecurity firm to assist in forensic investigations and continues to work with affected customers, including the Treasury Department.
Although the attack has not yet been attributed to a specific threat group, China's Salt Typhoon cyber unit has been spearheading attacks in the U.S. lately. Salt Typhoon has also been implicated in attacks targeting U.S. telecommunications firms, exposing phone records and wiretap data. These operations collectively highlight the persistent and evolving nature of Chinese cyber espionage campaigns against U.S. institutions.