U.S. Treasury Department Breach Leaked Over Christmas Break
As reported by Bleeping Computer, Chinese state-sponsored threat actors successfully breached the U.S. Treasury Department after exploiting vulnerabilities in a remote support platform used by the federal agency. The breach was disclosed in a letter sent to lawmakers, which was obtained by The New York Times.
According to the letter, the Treasury Department was first alerted to the intrusion on December 8th by BeyondTrust, the vendor responsible for the compromised remote support platform. BeyondTrust specializes in privileged access management and offers a Remote Support Software-as-a-Service (SaaS) platform that enables remote access to computers.
“Based on available indicators, the incident has been attributed to a China state-sponsored Advanced Persistent Threat (APT) actor,” the letter states. “In accordance with Treasury policy, intrusions attributable to an APT are considered a major cybersecurity incident.”
The attack exploited two previously unknown zero-day vulnerabilities—CVE-2024-12356 and CVE-2024-12686—within BeyondTrust’s Remote Support SaaS platform. Threat actors reportedly used a stolen API key to reset application account passwords, granting themselves privileged access to affected systems. BeyondTrust later confirmed that some instances of its platform had been compromised in the attack, which was reported earlier this month by BleepingComputer.
As the Treasury Department relied on one of these compromised instances, hackers gained unauthorized access to agency computers, allowing them to steal sensitive documents. BeyondTrust responded by shutting down all compromised SaaS instances and revoking the stolen API key.
The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) assisted the Treasury Department in investigating the breach. The agencies have since confirmed that the threat actors no longer have access to the department’s systems following remediation efforts.
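The abuse described above, a stolen API key used to reset application account passwords, is something a defender can hunt for in the remote-support platform's audit trail. The following is an added example, not code from the article or from BeyondTrust: it runs over a few constructed JSON-lines audit events (the field names `auth`, `key_id` and `target_role` are assumptions, not BeyondTrust's real schema) and flags every API-key-authenticated reset of a privileged account, plus any single key that resets several accounts within a short window.

```python
"""Flag password resets of privileged accounts that were authenticated with an
API key rather than an interactive, MFA-backed session.

Added example, not from the article or from BeyondTrust. The event format,
field names and sample events below are constructed for illustration; map
them onto whatever your own remote-support platform actually exports."""
import json
from datetime import datetime, timedelta

# Constructed audit events (JSON lines), not real BeyondTrust output.
SAMPLE_EVENTS = """\
{"ts": "2024-12-02T03:14:07Z", "action": "password_reset", "auth": "api_key", "key_id": "k-17", "target": "svc-remote-admin", "target_role": "admin", "src_ip": "203.0.113.9"}
{"ts": "2024-12-02T03:14:40Z", "action": "password_reset", "auth": "api_key", "key_id": "k-17", "target": "svc-helpdesk", "target_role": "admin", "src_ip": "203.0.113.9"}
{"ts": "2024-12-02T09:05:11Z", "action": "password_reset", "auth": "session_mfa", "user": "jdoe", "target": "jdoe", "target_role": "user", "src_ip": "198.51.100.4"}
{"ts": "2024-12-02T09:07:00Z", "action": "login", "auth": "session_mfa", "user": "jdoe", "src_ip": "198.51.100.4"}
"""

# Roles whose password should never be reset by a non-interactive API caller.
PRIVILEGED_ROLES = {"admin", "application"}

def flag_api_key_resets(jsonl, burst_window=timedelta(minutes=5), burst_count=2):
    """Return alerts for (a) every API-key-authenticated reset of a privileged
    account and (b) any API key that resets >= burst_count accounts in a window."""
    alerts = []
    by_key = {}  # key_id -> timestamps of resets performed with that key
    for line in jsonl.splitlines():
        ev = json.loads(line)
        if ev.get("action") != "password_reset" or ev.get("auth") != "api_key":
            continue  # interactive, MFA-backed resets are expected admin activity
        ts = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        if ev.get("target_role") in PRIVILEGED_ROLES:
            alerts.append({"rule": "api_key_privileged_reset", "key_id": ev["key_id"],
                           "target": ev["target"], "src_ip": ev["src_ip"]})
        hits = by_key.setdefault(ev["key_id"], [])
        hits.append(ts)
        recent = [t for t in hits if ts - t <= burst_window]
        if len(recent) == burst_count:  # fire when the threshold is first reached
            alerts.append({"rule": "api_key_reset_burst", "key_id": ev["key_id"],
                           "count": len(recent)})
    return alerts

if __name__ == "__main__":
    for alert in flag_api_key_resets(SAMPLE_EVENTS):
        print(alert)
```

On the constructed sample the two admin-account resets from key `k-17` each raise an alert, and the second one also trips the burst rule; the MFA-backed self-service reset is ignored.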
Broader Scope of Chinese APT Campaign
The breach is part of a larger wave of cyberattacks attributed to Chinese state-sponsored groups. One such group, identified as “Salt Typhoon,” has been linked to recent hacks targeting nine U.S. telecommunications companies, including Verizon, AT&T, Lumen, and T-Mobile. These attacks reportedly gave the threat actors access to sensitive data, including text messages, voicemails, and phone calls of targeted individuals, as well as wiretap information used in law enforcement investigations.
The scope of these telecom breaches extends beyond the U.S., with Salt Typhoon believed to have compromised telecommunications firms in dozens of other countries. In response to these incidents, CISA has advised senior government officials to adopt end-to-end encrypted messaging platforms such as Signal to mitigate risks of communication interception.
The U.S. government is reportedly preparing to ban the last active operations of China Telecom within the country as a direct response to these cyber espionage campaigns.
What Organizations Can Do
To prevent attacks like the one on the U.S. Treasury Department, organizations should adopt a multi-layered cybersecurity approach. Here are five recommendations that you can start implementing today:
Strengthen Vendor and Third-Party Security: Conduct rigorous security assessments of third-party vendors, especially those with access to critical systems. Regularly monitor the dark web for your vendor's credentials, and do your best to ensure they adhere to industry-standard security protocols.
Implement Zero-Trust Access Controls: Adopt a zero-trust framework that requires continuous verification of users and devices before granting access to sensitive data. Enforce the principle of least privilege to minimize the potential impact of compromised accounts.
Enhance Remote Access Security: Deploy multi-factor authentication (MFA) for all remote access tools to add an extra layer of protection. Combine this with endpoint detection and response (EDR) solutions to detect and mitigate threats originating from remote devices.
Proactively Manage Vulnerabilities: Establish a robust vulnerability management program that includes regular patching and penetration testing (i.e., Penetration Testing as a Service). By identifying and addressing potential weaknesses early, organizations can mitigate risks associated with both zero-day and known vulnerabilities.
Improve Incident Response Readiness: Develop and frequently test an incident response plan to ensure the organization can quickly respond to and contain breaches. Include collaboration with external experts and agencies like CISA for timely support and intelligence sharing.
By implementing some of these measures, organizations can reduce their risk exposure and better protect themselves from sophisticated state-sponsored attacks.
Counsel - Aspire Law
1 month
Great read, y’all!