Five Things To Know On The ‘Major’ US Treasury Department Hack

The China-linked breach is tied to the compromise of BeyondTrust’s remote support tool and reportedly led to the breach of multiple offices within the Treasury Department.

New details have emerged on the China-linked breach disclosed by the U.S. Treasury Department earlier this week, which the agency characterized as a “major” cybersecurity incident.

The Washington Post reported Wednesday that the hack led to the compromise of multiple offices within the Treasury Department.


The breach is tied to the compromise of BeyondTrust’s remote support tool, which the company had disclosed in December.

In a letter to lawmakers earlier this week, the Treasury Department said that “based on available indicators, the incident has been attributed to a China state-sponsored Advanced Persistent Threat (APT) actor.”

“In accordance with Treasury policy, intrusions attributable to an APT are considered a major cybersecurity incident,” the agency said.

What follows are five things to know on the U.S. Treasury Department hack.

BeyondTrust Compromise

The U.S. Treasury Department said its systems were compromised in connection with the breach of BeyondTrust, which the identity and access security vendor had initially disclosed Dec. 8.

BeyondTrust had previously said in an advisory that a “limited number” of customers were affected by the compromise of its Remote Support SaaS offering.

The investigation led to the discovery of two vulnerabilities, one of which is rated as “critical,” affecting its products.

In a statement Thursday, BeyondTrust said that it “previously identified and took measures to address a security incident in early December 2024 that involved the Remote Support product.”

“BeyondTrust notified the limited number of customers who were involved, and it has been working to support those customers since then,” the company said.

‘Major’ Cyberattack Disclosed

In a Dec. 30 letter sent to lawmakers, an assistant secretary in the U.S. Treasury Department disclosed that the agency was notified by BeyondTrust on Dec. 8 that it was impacted in the attack, which has since been linked to a China-affiliated hacker group.

The department was informed that “a threat actor had gained access to a key used by the vendor to secure a cloud-based service used to remotely provide technical support for Treasury Departmental Offices (DO) end users.”

The affected BeyondTrust service was taken offline and “at this time there is no evidence indicating the threat actor has continued access to Treasury information,” said the letter from Aditi Hardikar, U.S. Treasury’s assistant secretary for management.

Multiple Offices Impacted

The Washington Post indicated in its report Wednesday that the affected offices within the U.S. Treasury Department included the Office of Foreign Assets Control (OFAC). The office oversees the administration of economic sanctions, including sanctions against countries as well as individuals.

In addition to OFAC, the Post reported that the Office of the Treasury Secretary and the department’s Office of Financial Research were compromised in the attack.

CRN has reached out to the Treasury Department for comment.

Unclassified Documents Accessed

In its Dec. 30 letter to lawmakers, the Treasury Department official said that obtaining the stolen BeyondTrust key allowed the threat actor to remotely access some user workstations and “access certain unclassified documents maintained by those users.”

Treasury has worked with the U.S. Cybersecurity and Infrastructure Security Agency (CISA) as well as the FBI, members of the intelligence community and third-party investigators “to fully characterize the incident and determine its overall impact,” the letter said.

The Chinese government is highly interested in obtaining information about potential future sanctions against entities in China, the Post reported, citing U.S. officials.

Prior Sanctions Against China

In March 2024, OFAC had announced sanctions against “actors affiliated with the Chinese state-sponsored APT 31 hacking group.”

Those included the Wuhan Xiaoruizhi Science and Technology Company, which the Treasury Department characterized in a news release as a “front company” for China’s Ministry of State Security “that has served as cover for multiple malicious cyber operations.”

OFAC also sanctioned several Chinese nationals at the same time “for their roles in malicious cyber operations targeting U.S. entities that operate within U.S. critical infrastructure sectors,” the agency said in the March 2024 news release.