The U.S. Treasury Department confirmed in a letter to lawmakers that it was hit by a major cybersecurity incident attributed to Chinese state-sponsored threat actors. The intrusion came through a compromised third-party remote support platform rather than a direct breach of Treasury infrastructure.
The platform was provided by BeyondTrust, a privileged access management vendor whose products include a Remote Support SaaS offering. The Treasury Department learned of the intrusion on December 8, when BeyondTrust notified it.
According to the Treasury letter and BeyondTrust's own disclosure, the threat actors obtained a key that the vendor used to secure its Remote Support SaaS service. With that stolen API key they could reset the passwords of local application accounts on affected SaaS instances, override the service's security controls, and from there remotely access certain Treasury Departmental Offices user workstations and unclassified documents held on them.
During its investigation BeyondTrust also disclosed two previously unknown vulnerabilities in Remote Support: CVE-2024-12356, a critical unauthenticated command injection flaw, and CVE-2024-12686, a medium-severity command injection flaw that requires existing administrative privileges. Reports have linked these flaws to the Treasury intrusion, but the Treasury letter itself attributes the access to the stolen key, and BeyondTrust has described the vulnerabilities as findings from its investigation rather than confirming they were used against Treasury.
Upon identifying the breach, BeyondTrust shut down the compromised SaaS instances and revoked the stolen API key to contain the threat. BeyondTrust patched its SaaS instances directly, but customers running self-hosted Remote Support deployments must apply the vendor's patches themselves; CISA has added CVE-2024-12356 to its Known Exploited Vulnerabilities catalog, so organizations with on-premises instances should treat patching as urgent and review their own API key usage and local account password resets for the same period. The Treasury's letter stated that the activity carried the hallmarks of a Chinese Advanced Persistent Threat (APT) group.
The Treasury Department has since enlisted the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) to assess the impact and strengthen its defenses.
The Chinese Embassy in Washington said that Beijing "firmly opposes the U.S.'s smear attacks against China without any factual basis," rejecting responsibility for the hack.
This incident is not an isolated case. In a separate campaign, the Chinese state-sponsored group Salt Typhoon has been linked to recent attacks on nine major U.S. telecommunications companies, including Verizon, AT&T, Lumen, and T-Mobile.