Dive Brief:
- The U.S. Treasury Department said a state-sponsored hacker gained access to unclassified documents on Treasury Department workstations after obtaining a stolen key that a vendor used to secure cloud-based technical support, according to a letter sent Monday to leaders of the Senate Committee on Banking, Housing and Urban Affairs.
- BeyondTrust notified the Treasury Department on Dec. 8 that a hacker used the key to override security protections and gain remote access to the workstations of certain users, according to the letter sent to Sens. Sherrod Brown and Tim Scott, the chairman and ranking member of the committee, respectively. The attack has been attributed to a China-linked threat actor.
- Treasury officials have been working with the Cybersecurity and Infrastructure Security Agency, the FBI, intelligence community officials and third-party forensic experts to investigate the incident, according to the letter. The compromised BeyondTrust service has since been taken offline.
Dive Insight:
On Dec. 8, BeyondTrust said a threat actor had gained access to a limited number of Remote Support SaaS customers by compromising an API key. The activity was first detected on Dec. 2 and confirmed on Dec. 5, according to a blog post from the company.
A BeyondTrust spokesperson on Monday said the company notified the customers involved in the prior incident and has been working with those customers to provide support. The company also contacted law enforcement and has been assisting the investigation, the spokesperson added.
During the investigation into the attack, two command injection vulnerabilities were identified: CVE-2024-12356, rated critical with a CVSS score of 9.8, and CVE-2024-12686, rated medium severity. CISA later added CVE-2024-12356 to its Known Exploited Vulnerabilities catalog.
Scott has requested a briefing from the Treasury Department on the incident and is closely monitoring the situation, according to a spokesperson.
A spokesperson for CISA said the agency would not comment on the scope of the attack and referred all questions to the Treasury Department.