China-Based Hacker Breaches US Treasury, Steals Sensitive Data

The U.S. Treasury Department has reported a significant security breach by a China-based threat actor who accessed several employee workstations and unclassified documents.  The attack occurred when the hacker infiltrated the third-party remote management software used by the department. According to a letter shared with lawmakers, the breach was detected on December 8, 2024, when BeyondTrust, the company responsible for the software, notified the Treasury Department of the incident.  The hacker gained access to a key used by BeyondTrust to secure a cloud-based service, allowing them to access Treasury employees’ systems and some unclassified documents remotely. The Treasury Department confirmed that the breach was part of a larger cyber attack linked to a China state-sponsored Advanced Persistent Threat (APT) hacker.  In response, the Treasury worked with the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI to investigate the breach.  The compromised BeyondTrust service was taken offline, and the department stated there was no evidence of continued access by the hacker. This attack appears to be connected to a similar incident disclosed by BeyondTrust earlier in December, where a compromised API key had been used to breach their software.  BeyondTrust quickly revoked the key and notified affected customers, taking immediate steps to limit the damage. In the aftermath, the Treasury Department emphasized the importance of securing its systems and stated that it had been enhancing its cyber defense over the past few years.  The department continues to collaborate with both private and public sector partners to safeguard the financial system from cyber threats.  This incident highlights the ongoing risks posed by state-sponsored cyber attacks, especially on critical infrastructure like the Treasury Department.