TL;DR
- The U.S. Department of the Treasury was targeted in December 2024 by a cyberattack attributed to a Chinese state-sponsored Advanced Persistent Threat (APT) group.
- Hackers exploited command injection vulnerabilities (CVE-2024-12356 and CVE-2024-12686) in third-party vendor BeyondTrust’s remote support software.
- Attackers gained unauthorized remote access to Treasury workstations, retrieving unclassified documents.
- BeyondTrust’s software served as the entry point, but Treasury systems were the focus.
- Just like endpoint and cloud, you need to protect your identity infrastructure. Augment your identity security and prevent incidents like this with risk-based access management and enhanced privileged access security.
***
In December 2024, the U.S. Department of the Treasury fell victim to a sophisticated cyberattack orchestrated by a Chinese state-sponsored APT group. These groups are known for targeting government entities, critical infrastructure and private sector organizations to steal intellectual property and conduct espionage.
Entry point: Vulnerable remote support software
The attackers exploited two command injection vulnerabilities (CVE-2024-12356 and CVE-2024-12686) in BeyondTrust’s remote support software. This software is commonly used for remote access and IT support, making it a high-value target. The attackers used the vulnerabilities to bypass authentication, execute unauthorized commands and gain control over connected systems. Using a stolen API key, the hackers accessed Treasury workstations, retrieved unclassified documents and potentially probed other parts of the network.
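The paragraph above turns on one defect class: command injection, where request data reaches a shell as part of a command string. The following added example (written here for illustration; it is not BeyondTrust's code and does not reflect the actual CVE-2024-12356 or CVE-2024-12686 defects) contrasts a hypothetical remote-support "network diagnostic" feature built the weak way with a hardened version that allowlists the tool, validates the host parameter and passes arguments as a list so no shell ever parses them. The tool names, regex and helper functions are assumptions.

```python
import re
import subprocess

# Constructed allowlist for a hypothetical "run a network diagnostic" feature:
# the request may only select a tool by name, never supply a program or flags.
DIAGNOSTICS = {
    "ping": ["ping", "-c", "1"],
    "resolve": ["getent", "hosts"],
}

# Hostname syntax (labels of letters, digits and hyphens joined by dots).
HOSTNAME_RE = re.compile(
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*"
)

SHELL_METACHARS = ";|&$`\n<>()"


def build_command_vulnerable(tool: str, host: str) -> str:
    """Weak pattern: request parameters spliced into a single shell string.

    Anything the client puts in `host` (including shell metacharacters)
    becomes part of the command line if this string is later run with
    shell=True. Returned as a string only so the defect can be inspected;
    never execute it.
    """
    return f"{tool} {host}"


def build_command_hardened(tool: str, host: str) -> list[str]:
    """Hardened pattern: allowlisted tool, validated parameter, argv list."""
    if tool not in DIAGNOSTICS:
        raise ValueError("unknown diagnostic tool")
    if len(host) > 253 or not HOSTNAME_RE.fullmatch(host):
        raise ValueError("host parameter rejected by validation")
    # A list is handed straight to execve(); no shell interprets it.
    return DIAGNOSTICS[tool] + [host]


def contains_shell_metachar(command_line: str) -> bool:
    """True when a command string carries characters a shell would interpret."""
    return any(c in command_line for c in SHELL_METACHARS)


def run_diagnostic(tool: str, host: str) -> int:
    """Run the hardened command without a shell and return its exit status."""
    argv = build_command_hardened(tool, host)
    result = subprocess.run(argv, shell=False, capture_output=True, text=True, timeout=10)
    return result.returncode


if __name__ == "__main__":
    print(build_command_hardened("ping", "example.com"))
    for bad in ("example.com; extra", "host$(x)", "a b"):
        try:
            build_command_hardened("ping", bad)
        except ValueError as err:
            print(f"rejected {bad!r}: {err}")
```

The point of the pairing is that the hardened version never needs to know which metacharacters are dangerous: it refuses anything outside the hostname grammar and passes the survivor as a single argv element, so the shell is out of the path entirely. Validation alone is not the fix; the argv list is.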
Tactics point to Chinese state-sponsored APT group
The attack has been attributed to an unnamed Chinese state-sponsored APT group, though China denies involvement. Chinese APT groups have a history of:
- exploiting software vulnerabilities for persistent access
- conducting espionage campaigns against government and defense sectors
- targeting intellectual property from industries like technology and energy.
This breach aligns with tactics previously employed by Chinese state-sponsored APT groups: exploit a third-party vulnerability, then leverage that foothold for broader network infiltration.
Impact and lessons learned
The breach was limited to unclassified Treasury systems, with no evidence of classified data exposure. It nonetheless underscores the importance of reducing your identity attack surface with a defense-in-depth strategy that layers proven security controls (for example, MFA or automated privileged access security) over third-party software. Such layering lets you address vulnerabilities swiftly while keeping multiple lines of defense around your privileged access and identities.
If you are assessing your vulnerability to this attack and the APT group’s known tactics, here are a few things you can do:
- Transition to risk-based access management and enhanced privileged access security (PAS).
- Add a PAS layer, sourced from a different vendor, on top of your existing PAM (Privileged Access Management) practice.
- Conduct regular vulnerability assessments, and promptly patch vulnerabilities and apply vendor-mandated fixes in third-party software.
- Implement zero-trust architecture and MFA.
- Continuously monitor for threats and anomalies around privileged identities; in other words, make sure your SOC or MDR increases the sensitivity level around privileged identities and has all the data and controls to rapidly stop takeovers.
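The last item asks the SOC to raise sensitivity around privileged identities so a takeover is caught quickly. The added example below (my own illustration, not code from the page's vendor or from BeyondTrust) runs a small set of detection rules over constructed audit events from a hypothetical remote-support appliance. The JSON schema, the field names, the baseline of expected source networks per API key, the privileged-target list and the business-hours window are all assumptions; the rules encode the kinds of signals the incident summary points at: an API key used from an unexpected network, an API-key identity driving interactive commands or file downloads, privileged targets reached off hours, and a human reaching a privileged target without MFA.

```python
"""Rule-based anomaly checks for privileged remote-support activity.

Hypothetical log format and baseline, constructed for this example.
"""
import json
from datetime import datetime

# Constructed sample audit log (JSON lines). Event 3-5 model an API key
# being used from an unfamiliar network to open a session on a finance
# workstation off hours, run a command and pull a document; event 6 is the
# same key used normally; event 7 is a human signing in without MFA.
SAMPLE_LOG = r"""
{"id": 1, "ts": "2024-12-02T10:15:00+00:00", "event": "session_start", "actor": "helpdesk-jane", "auth": "sso+mfa", "src_ip": "10.20.0.15", "target": "ws-fin-0412"}
{"id": 2, "ts": "2024-12-02T10:16:30+00:00", "event": "command_exec", "actor": "helpdesk-jane", "auth": "sso+mfa", "src_ip": "10.20.0.15", "target": "ws-fin-0412", "command": "ipconfig /all"}
{"id": 3, "ts": "2024-12-08T03:41:12+00:00", "event": "session_start", "actor": "apikey:integration-01", "auth": "api_key", "src_ip": "203.0.113.77", "target": "ws-fin-0412"}
{"id": 4, "ts": "2024-12-08T03:42:05+00:00", "event": "command_exec", "actor": "apikey:integration-01", "auth": "api_key", "src_ip": "203.0.113.77", "target": "ws-fin-0412", "command": "cmd.exe /c dir C:\\Users"}
{"id": 5, "ts": "2024-12-08T03:44:50+00:00", "event": "file_download", "actor": "apikey:integration-01", "auth": "api_key", "src_ip": "203.0.113.77", "target": "ws-fin-0412", "path": "C:\\Users\\a\\Documents\\memo.docx"}
{"id": 6, "ts": "2024-12-09T14:05:00+00:00", "event": "session_start", "actor": "apikey:integration-01", "auth": "api_key", "src_ip": "10.20.5.9", "target": "jump-01"}
{"id": 7, "ts": "2024-12-09T15:00:00+00:00", "event": "session_start", "actor": "helpdesk-bob", "auth": "password", "src_ip": "10.20.0.22", "target": "ws-fin-0412"}
"""

# Constructed baseline: networks each API key is expected to call from,
# hosts treated as privileged, and the hours in which privileged sessions
# are normal (07:00-19:59 UTC).
KNOWN_API_KEY_SOURCES = {"apikey:integration-01": ("10.20.",)}
PRIVILEGED_TARGETS = {"ws-fin-0412", "jump-01"}
BUSINESS_HOURS = range(7, 20)
INTERACTIVE_EVENTS = {"command_exec", "file_download"}


def parse_events(text: str) -> list[dict]:
    """Parse JSON-lines audit text into event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_api_key_identity(actor: str) -> bool:
    return actor.startswith("apikey:")


def check_event(ev: dict) -> list[str]:
    """Return the names of every rule the event trips, in a fixed order."""
    alerts = []
    ts = datetime.fromisoformat(ev["ts"])
    actor, auth, target = ev["actor"], ev["auth"], ev["target"]
    api_key = is_api_key_identity(actor)

    # Rule 1: an API key used from a network it has never called from.
    if api_key:
        expected = KNOWN_API_KEY_SOURCES.get(actor, ())
        if not any(ev["src_ip"].startswith(prefix) for prefix in expected):
            alerts.append("api_key_unknown_source")

    # Rule 2: privileged target reached outside business hours.
    if target in PRIVILEGED_TARGETS and ts.hour not in BUSINESS_HOURS:
        alerts.append("privileged_off_hours")

    # Rule 3: an integration key driving an interactive action (commands,
    # file transfer); automation keys are not expected to do this.
    if api_key and ev["event"] in INTERACTIVE_EVENTS:
        alerts.append("api_key_interactive_action")

    # Rule 4: a human reaching a privileged target without MFA.
    if not api_key and target in PRIVILEGED_TARGETS and auth != "sso+mfa":
        alerts.append("human_no_mfa")
    return alerts


def scan(text: str) -> dict[int, list[str]]:
    """Map event id -> tripped rules for every event that trips at least one."""
    findings = {}
    for ev in parse_events(text):
        hits = check_event(ev)
        if hits:
            findings[ev["id"]] = hits
    return findings


def actors_to_contain(text: str) -> set[str]:
    """Identities whose credentials should be revoked and sessions killed:
    any actor with an unknown-source API-key hit."""
    by_id = {ev["id"]: ev for ev in parse_events(text)}
    return {by_id[i]["actor"] for i, hits in scan(text).items()
            if "api_key_unknown_source" in hits}


if __name__ == "__main__":
    for event_id, hits in scan(SAMPLE_LOG).items():
        print(event_id, hits)
    print("contain:", actors_to_contain(SAMPLE_LOG))
```

Event 6 deliberately goes unflagged: the same API key from its usual network, in hours, opening a session, is the normal integration traffic the rules must not drown in. The value is in the combination; a single off-hours session is noise, but an API key from a new network that then runs commands and downloads files on a privileged workstation is the sequence the SOC should be paged on.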
This incident serves as a critical reminder of the risks posed by supply chain vulnerabilities and the need for proactive cybersecurity measures. Request a demo to discover how to augment your identity security and prevent incidents like this.