Chinese threat actors were able to access highly sensitive information held by the US Treasury Department after compromising a third party service used for remote IT support.
On 8 December, cybersecurity firm BeyondTrust warned users it had discovered an API key for its remote support SaaS solution had been compromised.
The stolen key could allow threat actors to trigger password resets for local application accounts, an advisory posted on the firm’s website added, stating it had promptly revoked the key in question.
In an update posted on 18 December, BeyondTrust said its investigation identified two vulnerabilities in its remote support and privileged remote access products.
The first, CVE-2024-12356, was listed as a critical command injection vulnerability with a CVSS score of 9.8.
The other zero day, CVE-2024-12686, was less severe, receiving a medium severity rating of 6.6, and the firm stated both flaws were patched for all cloud instances of the tool, with a patch also available for self-hosted versions too.
“We continue to pursue all possible paths as part of the forensic analysis, including our work with external forensic parties, to ensure we conduct as thorough an investigation as possible. We also continue to communicate and work closely with all known affected customers and will provide updates here until our investigation is concluded,” BeyondTrust stated.
A group of Chinese state-sponsored hackers is said to have used the key to conduct an espionage attack on a number of sensitive offices within the Treasury Department, with the full impact of the breach still being determined.
Cyber espionage the ‘name of the game’ in year to come
In a letter provided to lawmakers, the US Treasury Department stated the attack constitutes a ‘major incident’, explaining the hackers were able to use the key to access workstations as well as “certain unclassified maintained by those users”.
US officials told the Wall Street Journal that the attackers targeted the Office of Foreign Assets Control (OFAC), the body in charge of the nation’s economic sanctions.
The hackers also targeted the Office of Financial Research, sources added. The affected BeyondTrust service has now been taken offline, the Treasury Department confirmed, with no evidence to indicate the attackers have been able to maintain access to Treasury information.
The letter added that the Treasury Department has been working with the FBI, CISA, and third-party investigators to fully understand the incident and assess its impact.
Ian Birdsey, partner and specialist in data protection disputes at law firm Clyde & Co, said this incident signals what he believes will be a continuing trend for the oncoming year of cyber attacks used to further geopolitical objectives.
“Hybrid (cyber based) warfare is the name of the game in 2025 and we’re increasingly seeing nation state backed cyber-attacks being used for intelligence gathering purposes including to accelerate competitive edge, leapfrogging traditional R&D through the acquisition of intellectual property and trade secrets from Western organisations,” he explained.
“This discovery highlights the huge challenge posed by advanced persistent threats (APTs), particularly those backed by nation states. These attacks, often focused on espionage, deploy highly sophisticated and stealthy tactics, making them significantly more difficult to detect.”
Birdsey added that the incident highlights two increasingly common frailties in IT estates leveraged by cyber criminals: insecure software supply chains, and vulnerable remote access tools.
“The incident reflects two recurring vulnerabilities: supply chain risk and weaknesses in remote access software – both frequent avenues for financially motivated cybercriminals. However, no system, vendor, or supply chain is immune to compromise, and once breached, even robust IT security measures can be circumvented,” he noted.
“This incident highlights the importance of focusing on monitoring and detecting unauthorised activity to mitigate the impact of a cyber event, recognising preventative measures can only take organisations so far. Appreciating that it is when, not if, a security incident occurs is a critical mindset change that all organisations need to make.”
