The United States Treasury Department said it suffered a “major cybersecurity incident” that allowed suspected Chinese threat actors to remotely access some computers and unclassified documents.
“On December 8, 2024, Treasury was notified by a third-party software service provider, BeyondTrust, that a threat actor had gained access to a key used by the vendor to secure a cloud-based service used to remotely provide technical support for Treasury Departmental Offices (DO) end users,” the department said in a letter informing the Senate Committee on Banking, Housing, and Urban Affairs.
“With access to the stolen key, the threat actor was able to override the service’s security, remotely access certain Treasury DO user workstations, and access certain unclassified documents maintained by those users.”
The federal agency said it has been working with the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI), and that available evidence points to it being the work of an unnamed state-sponsored Advanced Persistent Threat (APT) actor from China.
The Treasury Department further said that it has taken the BeyondTrust service offline, adding there is no evidence that the threat actors have access to the environment.
Earlier this month, BeyondTrust revealed that it was the victim of a digital intrusion that allowed bad actors to breach some of its Remote Support SaaS instances.
The company said its investigation into the incident found that the attackers gained access to a Remote Support SaaS API key that allowed them to reset passwords for local application accounts. BeyondTrust has yet to reveal how the key was obtained.
“BeyondTrust immediately revoked the API key, notified known impacted customers, and suspended those instances the same day while providing alternative Remote Support SaaS instances for those customers,” it said.
The probe has also uncovered two security flaws in Privileged Remote Access (PRA) and Remote Support (RS) products (CVE-2024-12356, CVSS score: 9.8 and CVE-2024-12686, CVSS score: 6.6), the former of which has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild.
The disclosure comes as several U.S. telecommunication providers have found themselves in the crosshairs of another Chinese state-sponsored threat actor named Salt Typhoon.
