
Five things to know about the ‘major’ hack of the US Treasury Department

The China-related breach is linked to the compromise of BeyondTrust’s remote support tool and reportedly led to the breach of multiple offices within the Treasury Department.

New details have emerged about the China-related breach revealed by the US Treasury Department earlier this week, which the agency called a “major” cybersecurity incident.

The Washington Post reported on Wednesday that the hack led to the compromise of several offices within the Treasury Department.


The breach is linked to the compromise of BeyondTrust’s remote support tool, which the company disclosed in December.

In a letter to lawmakers earlier this week, the Treasury Department said that “based on available indicators, the incident was attributed to a Chinese state-sponsored advanced persistent threat (APT) actor.”

“In accordance with Treasury policy, intrusions attributable to an APT are considered a major cybersecurity incident,” the agency said.

Here are five things to know about the US Treasury Department hack.

BeyondTrust Compromise

The US Treasury Department said its systems were compromised in connection with the BeyondTrust breach, which the identity and access security provider initially disclosed on December 8.

BeyondTrust previously said in an advisory that a “limited number” of customers were affected by the compromise of its SaaS remote support offering.

The investigation led to the discovery of two vulnerabilities affecting its products, including one described as “critical”.

In a statement released Thursday, BeyondTrust said it had “previously identified and taken action to resolve a security incident that occurred in early December 2024 involving the Remote Support product.”

“BeyondTrust notified the limited number of customers involved and has been working to support these customers since then,” the company said.

“Major” cyberattack revealed

In a Dec. 30 letter sent to lawmakers, a U.S. Treasury Department assistant secretary revealed that the agency was informed by BeyondTrust on Dec. 8 that it had been hit by the attack, which has since been linked to a hacker group affiliated with China.

The department was informed that “a malicious actor gained access to a key used by the vendor to secure a cloud-based service used to remotely provide technical assistance to end users in Treasury Department Offices (DOs).”

The affected BeyondTrust service has been taken offline and “at this time there is no evidence to indicate that the threat actor has continued to access Treasury information,” said the letter from Aditi Hardikar, assistant secretary for management at the U.S. Treasury Department.

Several offices affected

The Washington Post said in its report Wednesday that the affected offices within the U.S. Treasury Department included the Office of Foreign Assets Control (OFAC). The office oversees the administration of economic sanctions, including sanctions against countries as well as individuals.

In addition to the OFAC, the Post reported that the Department’s Office of the Secretary of the Treasury and Office of Financial Research were compromised in the attack.

CRN has contacted the Treasury Department for comment.

Unclassified documents accessed

In the Dec. 30 letter to lawmakers, the Treasury Department official said obtaining the stolen BeyondTrust key allowed the threat actor to remotely access some user workstations and “to access certain unclassified documents kept by these users.”

Treasury worked with the U.S. Cybersecurity and Infrastructure Security Agency (CISA), as well as the FBI, members of the intelligence community and third-party investigators “to fully characterize the incident and determine its overall impact,” the letter said.

The Chinese government is very interested in obtaining information on possible future sanctions against entities in China, the Post reported, citing US officials.

Prior sanctions against China

In March 2024, OFAC announced sanctions against “actors affiliated with the Chinese state-sponsored APT 31 hacking group.”

These include the Wuhan Xiaoruizhi Science and Technology Company, which the Treasury Department called in a press release a “front company” for China’s Ministry of State Security “that served as a cover for multiple malicious cyber operations”.

OFAC also sanctioned several Chinese nationals at the same time “for their role in malicious cyber operations targeting U.S. entities that operate in U.S. critical infrastructure sectors,” the agency said in the March 2024 press release.