Chinese State Cybercriminals Target the US Treasury Department

The US Treasury Department recently disclosed to lawmakers that Chinese state-sponsored hackers breached its systems and stole data in early December 2024. The attack, classified as a "major cybersecurity incident," occurred through a third-party vendor, BeyondTrust, a widely used provider of privileged remote access tools that serves 75% of Fortune 100 companies.

The attackers compromised a BeyondTrust API key, which gave them remote access to Treasury workstations and to the unclassified documents on them. BeyondTrust discovered the compromised key on December 5 and immediately revoked it; the Treasury was notified on December 8. The FBI and CISA are currently investigating the incident.

This breach comes amid ongoing concerns about Chinese cyber operations, including recent discoveries of Chinese hackers infiltrating nine US telecommunications networks to access call data and text messages. The timing is particularly sensitive given the upcoming presidential transition from the Biden to Trump administration.

Security experts note that this incident highlights two ongoing trends: the diplomatic difficulty of confronting Chinese cyber espionage given Beijing's routine denials, and the targeting of cybersecurity vendors themselves. The BeyondTrust breach joins a series of recent attacks on security companies, including Okta, LastPass, SolarWinds, and Snowflake, showing how threat actors increasingly target security vendors as a pathway into their customers' systems.