Cyber Incident Victim: Department of the Treasury
Date: Dec 2024
Location: United States of America
Summary
Chinese state-sponsored hackers breached the U.S. Treasury Department by compromising a third-party cybersecurity vendor's digital key, enabling unauthorized remote access to departmental workstations and theft of unclassified documents. The incident, attributed to a China-linked Advanced Persistent Threat actor, exploited the vendor's cloud-based technical support service to bypass security controls. Treasury officials confirmed collaboration with federal cybersecurity and law enforcement agencies to assess the intrusion's scope. The involved vendor stated it addressed the security issue, notified affected customers, and supported ongoing investigations. China's government denied involvement, calling accusations unfounded. Cybersecurity analysts noted the attack aligns with established patterns of Chinese operations targeting trusted third-party services to infiltrate high-value entities.
Description
In early December 2024, Chinese state-sponsored hackers gained access to U.S. Treasury Department systems through a third-party cybersecurity service provider, BeyondTrust. The attackers obtained a digital key that BeyondTrust used to secure a cloud-based remote technical support service for Treasury Departmental Offices (DO) end users. With that key, the threat actor could override the service’s security controls, remotely access certain Treasury DO user workstations, and retrieve unclassified documents maintained by those users. Treasury characterized the event as a "major incident" in a letter to lawmakers disclosed on December 30. BeyondTrust alerted Treasury to the breach on December 8, after which Treasury engaged the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) to assess the intrusion’s scope and impact. Treasury attributed the activity to a China-linked Advanced Persistent Threat (APT) actor based on available indicators but did not disclose further technical specifics or the number of documents taken.
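As an added example, not code from the original page nor tooling from BeyondTrust or Treasury: detection logic a customer of a cloud remote-support service could run over its own session audit log to catch the pattern described above, a vendor-held API key being used from source addresses outside the vendor's expected ranges and then fanning out across many workstations. The log format, field names, key identifier, allow-listed vendor egress range, fan-out threshold and the sample log lines are all constructed for illustration and are assumptions, not the real product's log schema.

```python
"""Audit remote-support session logs for misuse of a vendor-held API key.

Added example: hypothetical log format and values, not BeyondTrust's
product logs or Treasury's actual telemetry.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample log: one record per line, space-separated key=value
# fields after an ISO-8601 timestamp. Field names are assumed.
SAMPLE_LOG = """\
2024-12-02T09:14:03Z auth=api_key key_id=svc-support-01 src=203.0.113.10 target=DO-WS-0412 action=session_start
2024-12-02T09:40:11Z auth=api_key key_id=svc-support-01 src=203.0.113.10 target=DO-WS-0412 action=file_download
2024-12-04T02:17:45Z auth=api_key key_id=svc-support-01 src=198.51.100.77 target=DO-WS-0091 action=session_start
2024-12-04T02:18:02Z auth=api_key key_id=svc-support-01 src=198.51.100.77 target=DO-WS-0091 action=file_download
2024-12-04T02:25:30Z auth=api_key key_id=svc-support-01 src=198.51.100.77 target=DO-WS-0205 action=session_start
2024-12-04T02:31:09Z auth=api_key key_id=svc-support-01 src=198.51.100.77 target=DO-WS-0317 action=session_start
2024-12-05T14:02:55Z auth=password user=jdoe src=203.0.113.22 target=DO-WS-0412 action=session_start
"""

# Assumed allow-list: the address ranges the vendor's support service is
# expected to connect from (documentation prefix used as a placeholder).
VENDOR_EGRESS_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# Assumed baseline: a support key normally touches only a handful of
# workstations per day; exceeding this suggests lateral fan-out.
MAX_TARGETS_PER_KEY_PER_DAY = 2


def parse_line(line):
    """Split one record into a dict; the timestamp becomes a datetime."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def from_vendor_range(src):
    """True when the source address falls inside an allow-listed vendor range."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in VENDOR_EGRESS_RANGES)


def find_suspicious(log_text):
    """Return findings for API-key sessions from unexpected sources or with
    unusual per-day target fan-out. Password logins are out of scope here."""
    findings = []
    targets_by_key_day = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("auth") != "api_key":
            continue
        if not from_vendor_range(rec["src"]):
            findings.append({
                "kind": "src_outside_vendor_ranges",
                "key_id": rec["key_id"],
                "src": rec["src"],
                "target": rec["target"],
                "ts": rec["ts"].isoformat(),
            })
        if rec["action"] == "session_start":
            targets_by_key_day[(rec["key_id"], rec["ts"].date())].add(rec["target"])
    # Second pass: flag any key that opened sessions to more distinct
    # workstations in one day than the assumed baseline allows.
    for (key_id, day), targets in targets_by_key_day.items():
        if len(targets) > MAX_TARGETS_PER_KEY_PER_DAY:
            findings.append({
                "kind": "fanout_exceeded",
                "key_id": key_id,
                "day": day.isoformat(),
                "targets": sorted(targets),
            })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG):
        print(finding)
```

Run against the constructed log, the four API-key records from 198.51.100.77 are flagged as coming from outside the vendor's ranges, and the same key is flagged once more for opening sessions to three distinct workstations on 2024-12-04; the password login from an in-range address is ignored. In practice the vendor's egress ranges and a per-key fan-out baseline would come from the vendor's documentation and from the customer's own historical sessions, and an alert on either condition should trigger key rotation and a review of every session the key authenticated.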

The incident involved unauthorized access to workstations and documents within the Treasury’s Departmental Offices but did not extend to classified systems or broader departmental infrastructure. BeyondTrust stated it had identified and addressed the security issue in early December, notifying affected customers and law enforcement while supporting investigative efforts. The company published a statement on December 8 acknowledging the compromise of a digital key and later updated it on December 18 without disclosing additional details. China’s foreign ministry and embassy officials uniformly denied involvement, asserting opposition to cyberattacks and rejecting U.S. accusations as unfounded. The breach aligns with documented patterns of operations by People’s Republic of China (PRC)-linked groups, particularly their exploitation of trusted third-party services to infiltrate target networks. Treasury, CISA, and the FBI continued investigating the incident’s full ramifications, though none of the entities provided further public commentary beyond initial confirmations. The compromise underscored persistent vulnerabilities in supply-chain security and the targeting of government agencies through vendor ecosystems.
