January 1st, 2025

US Treasury Department breached through remote support platform

The U.S. Treasury Department experienced a cybersecurity breach by Chinese state-sponsored hackers via BeyondTrust's platform, using a stolen API key. The FBI and CISA are investigating the incident.


The U.S. Treasury Department has confirmed a cybersecurity breach attributed to Chinese state-sponsored hackers, specifically an Advanced Persistent Threat (APT) group. The breach occurred through a remote support platform provided by BeyondTrust, a vendor that the Treasury uses for privileged access management. The Treasury was first notified of the incident on December 8, 2024, after BeyondTrust discovered that threat actors had exploited vulnerabilities in their Remote Support SaaS platform. These hackers gained access using a stolen API key, allowing them to reset passwords and access sensitive documents remotely. Following the breach, BeyondTrust identified two zero-day vulnerabilities that facilitated the attack and subsequently shut down the compromised instances. The FBI and CISA are involved in the investigation, and there is currently no evidence that the hackers retain access to the Treasury's systems. This incident is part of a broader pattern of attacks linked to the same group, known as "Salt Typhoon," which has also targeted multiple U.S. telecommunications companies. In response to these breaches, CISA has recommended that government officials adopt end-to-end encrypted messaging to enhance security.

- The U.S. Treasury Department was breached by Chinese state-sponsored hackers via a remote support platform.

- The breach was facilitated by vulnerabilities in BeyondTrust's Remote Support SaaS.

- The hackers used a stolen API key to gain privileged access to sensitive documents.

- The FBI and CISA are investigating the incident, and compromised systems have been shut down.

- This breach is part of a series of attacks linked to the "Salt Typhoon" group targeting U.S. telecom companies.

2 comments
By @gnabgib - 4 months
Dupe (76 points, 1 day ago, 31 comments) https://news.ycombinator.com/item?id=42553154