BeyondTrust determined 17 customers were impacted in a December attack spree related to the compromise of a Remote Support SaaS API key.
The attack, attributed to a state-linked threat actor, included the compromise of several offices of the U.S. Treasury Department, where hackers gained access to unclassified data.
BeyondTrust said it worked with its affected customers to support their respective investigations by providing them with artifacts, logs, indicators of compromise and other information.
The company said it shared information with law enforcement authorities as well as threat information-sharing groups. During its investigation into the attack, BeyondTrust also disclosed critical- and medium-severity command injection vulnerabilities that were exploited by the attackers.
The critical vulnerability, listed as CVE-2024-12356, can allow an attacker to execute commands on the underlying system in the context of the site user. The medium-severity vulnerability, listed as CVE-2024-12686, requires the attacker to already hold administrative privileges.
BeyondTrust officials have not specifically explained the role of the CVEs in the attack spree, but the company said it patched all SaaS instances of Remote Support and worked to help self-hosted customers do their own patching.
The Cybersecurity and Infrastructure Security Agency previously added the respective vulnerabilities to the known exploited vulnerabilities list. CISA has also been working with Treasury Department officials to investigate the extent of the agency’s compromise.
Officials have not publicly disclosed the full extent of the attack. However, former Treasury Secretary Janet Yellen admonished officials from the People’s Republic of China over recent cyberattacks against the U.S. and the Treasury Department took action this week against a Shanghai-based actor in connection with the attacks.
The Biden executive order on cybersecurity issued last week included provisions to strengthen federal security protocols and also granted broader authority to take action against malicious actors targeting the U.S.
The administration previously signaled its intent to strengthen federal security practices in response to a series of recent attacks, including the Treasury Department compromise.