A disclosure notice to the United States Congress on Monday revealed that the US Treasury Department suffered a breach earlier this month that allowed hackers to remotely access some Treasury computers and “certain unclassified documents.”
The attackers exploited vulnerabilities in remote tech support software provided by the identity and access management firm BeyondTrust, and Treasury said in its letter to lawmakers that “the incident has been attributed to a China state-sponsored Advanced Persistent Threat (APT) actor.” Reuters first reported the disclosure and its contents.
In the notice, Treasury officials said that BeyondTrust notified the agency of the incident on December 8 after attackers were able to steal an authentication key and use it to bypass system defenses and gain access to Treasury workstations.
“The compromised BeyondTrust service has been taken offline and at this time there is no evidence indicating the threat actor has continued access to Treasury information,” Treasury assistant secretary for management Aditi Hardikar wrote the lawmakers. “In accordance with Treasury policy, intrusions attributable to an APT are considered a major cybersecurity incident.”
The disclosure says that Treasury has been collaborating with the FBI, the Cybersecurity and Infrastructure Security Agency, and the intelligence community broadly as well as private “forensic investigators” to evaluate the situation. The Treasury and FBI did not immediately return WIRED’s request for additional information about the breach. CISA referred questions back to the Treasury Department.
In response to questions about the Treasury Department breach notification, BeyondTrust spokesperson Mike Bradshaw said in a statement that, “BeyondTrust previously identified and took measures to address a security incident in early December 2024 that involved the Remote Support product. BeyondTrust notified the limited number of customers who were involved, and it has been working to support those customers since then.”
On December 8, BeyondTrust published an alert that it has continued to update about “a security incident that involved a limited number of Remote Support SaaS customers.” (SaaS stands for “software as a service.”) Though the notification does not say that the US Treasury was one of the impacted customers, the timeline and details appear to line up with the Treasury disclosure, including acknowledgment from BeyondTrust that attackers compromised an application programming interface key.
The BeyondTrust alert mentions two exploited vulnerabilities involved in the situation—the critical command injection vulnerability “CVE-2024-12356” and the medium-severity command injection vulnerability “CVE-2024-12686.” CISA added the former CVE to its “Known Exploited Vulnerabilities Catalog” on December 19. Command injection vulnerabilities are common application flaws that can be easily exploited to gain access to a target’s systems.
“I cannot believe that we’re seeing command injection vulnerabilities in 2024 in any products, let alone a secure remote access product that’s supposed to have additional vetting for use by the US government,” says Jake Williams, vice president of research and development at the cybersecurity consultancy Hunter Strategy and a former NSA hacker. “They are some of the easiest bugs to identify and remediate at this point.”
BeyondTrust is an accredited “Federal Risk and Authorization Management Program” vendor, but Williams speculates that it is possible that the Treasury was using a non-FedRAMP version of the company’s Remote Support and Privileged Remote Access cloud products. If the breach actually affected FedRAMP-certified cloud infrastructure, though, Williams says, “it might be the first breach of one and almost certainly the first time FedRAMP cloud tools were abused to facilitate remote access to a customer’s systems.”
