A serious cybersecurity breach, reportedly carried out by Chinese state-sponsored hackers, was disclosed to the US Treasury Department on December 8, 2024. On March 5, 2025, the US Department of Justice (DoJ) unsealed indictments attributing the intrusion to members of the APT27 group, also known as Silk Typhoon.
The attackers gained unauthorized access to workstations in several of the department's Departmental Offices. The root cause was a compromised third-party software component used by the Treasury: a cloud-hosted privileged access management (PAM) and remote support service supplied by an outside cybersecurity vendor.
The intrusion is another instance of a supply chain attack, in which a third-party component is used as the path into an organization. It also belongs to a continuing pattern of cyberattacks attributed to actors reportedly backed by the government of the People's Republic of China.
Key Aspects of the Attack
- Workstations in the Treasury Departmental Offices were accessed without authorization.
- Unclassified documents held by the affected users were accessed.
- The Cybersecurity and Infrastructure Security Agency (CISA) and law enforcement were contacted promptly after the intrusion was detected.
- Outside forensic investigators were brought in to determine the impact.
How did this Attack Take Place?
The Treasury Department was using BeyondTrust's SaaS offering to provide PAM and remote support for a number of Departmental Office workstations and the documents on them. The attackers got in through BeyondTrust's Remote Support platform: a key protecting the service was stolen, and BeyondTrust subsequently disclosed two previously unknown vulnerabilities in the product. Through this third-party software, the Chinese hackers remotely accessed US Treasury documents.
BeyondTrust's Remote Support platform was used to deliver technical support to end users in the Treasury Departmental Offices. The attack on the Treasury appears to have proceeded through several phases involving both BeyondTrust and the Treasury.
Initial compromise
The attackers most likely began by reconnoitring their initial target for exploitable weaknesses. It is possible that they identified and exploited two previously unknown vulnerabilities in this initial stage. BeyondTrust has publicly disclosed two vulnerabilities:
- CVE-2024-12356: A critical command injection vulnerability described in the BT24-10 advisory. It allows an unauthenticated remote attacker to inject operating system commands that run as the site user by sending a malicious client request.
- CVE-2024-12686: A medium-severity command injection vulnerability described in the BT24-11 advisory. It allows an attacker who already holds administrative privileges on the product to inject operating system commands that run as the site user.
Exploitation at the Treasury
According to the Treasury's account, the attackers obtained a key that BeyondTrust used to secure its cloud-based Remote Support service. With that key they could override the service's security controls, remotely reach the Treasury Departmental Office workstations that trusted the BeyondTrust service, and access unclassified documents stored on those workstations.
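To make the two advisories concrete, here is an added example, not BeyondTrust's code and not a reproduction of either CVE: the generic command-injection pattern that both advisories describe (client-controlled input reaching an OS command that runs as the service user), shown beside its hardened form. The `ping` diagnostic handler, the hostname allowlist regex and the function names are assumptions for illustration.

```python
import re
import subprocess

# Constructed example: a support tool's "diagnostic" handler that pings a host
# supplied by the client. This is NOT BeyondTrust's code; it illustrates the
# generic command-injection pattern the advisories describe.


def vulnerable_build_command(host: str) -> str:
    # Vulnerable: the client-controlled value is spliced into a shell string.
    # Executed with subprocess.run(cmd, shell=True), an input such as
    # "8.8.8.8; id" makes the shell run "id" as the service (site) user.
    return f"ping -c 1 {host}"


# Allowlist for what a hostname or IPv4 literal may look like (assumed policy).
# Shell metacharacters (; | & $ ` ( ) < > space, newline) are rejected by
# construction, and the first character cannot be "-", so the value can never
# be parsed as an option by ping.
_HOST_RE = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def hardened_build_argv(host: str) -> list[str]:
    # Hardened: validate against the allowlist, then pass the value as a single
    # argv element. No shell is involved, so metacharacters carry no meaning.
    if len(host) > 253 or not _HOST_RE.fullmatch(host):
        raise ValueError(f"rejected host value: {host!r}")
    return ["ping", "-c", "1", host]


def run_diagnostic(host: str, timeout: float = 5.0) -> int:
    # Execute the hardened form: shell=False (the default) with an argv list.
    argv = hardened_build_argv(host)
    completed = subprocess.run(argv, capture_output=True, timeout=timeout, check=False)
    return completed.returncode


if __name__ == "__main__":
    injected = "8.8.8.8; id"
    print("vulnerable shell string:", vulnerable_build_command(injected))
    try:
        hardened_build_argv(injected)
    except ValueError as exc:
        print("hardened form rejected:", exc)
    print("hardened argv:", hardened_build_argv("example.com"))
```

The point of the hardened form is the combination: an allowlist on the value and no shell between the program and its argument. Quoting alone (for example `shlex.quote`) is a weaker second line, because it still depends on a shell interpreting the string correctly.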
Attack Timelines
Some early indications of the attack's timeline and course are available, although complete information is still emerging:
- December 2, 2024. BeyondTrust identified the first anomalous activity.
- December 5, 2024. BeyondTrust confirmed the security breach.
- December 8, 2024. BeyondTrust notified the Treasury Department of the compromise, and the affected BeyondTrust service was taken offline.
- December 16, 2024. BeyondTrust published advisory BT24-10 for CVE-2024-12356 and released a fix.
- December 18, 2024. BeyondTrust published advisory BT24-11 for CVE-2024-12686 and released a fix.
- December 30, 2024. The Treasury Department formally notified Congress of the incident by letter.
- January 2025. A 30-day follow-up report was expected under US Office of Management and Budget guidelines.
- March 5, 2025. The US Department of Justice announced indictments against the suspected attackers.
What Was Affected?
Because the BeyondTrust vulnerabilities potentially affect more than just the Treasury Department, the full extent of the attack is not known. Within the Treasury, several components were reported affected, including the following offices:
- Office of Foreign Assets Control (OFAC)
- Office of the Treasury Secretary
- Office of Financial Research (OFR)
Who was Responsible?
Initially, the Treasury Department attributed the intrusion to a state-sponsored advanced persistent threat (APT) actor from the People's Republic of China, based on what its investigators had found.
On March 5, the US Attorney's Office for the District of Columbia announced indictments that expanded on that attribution. According to the indictments, the intrusion was carried out by members of the APT27 group, also known as Silk Typhoon.
The indictments further allege that the two named defendants were paid by, and coordinated with, the Ministry of State Security (MSS) and the Ministry of Public Security (MPS) of the People's Republic of China (PRC).
Over the past several years, numerous Chinese APT groups have actively targeted the United States. In November 2024 the FBI and CISA disclosed that Salt Typhoon, a China-based APT group, had been broadly targeting US telecommunications companies.
Another Chinese group, Volt Typhoon, built a botnet from compromised home office and small business routers and used it against US infrastructure in 2023 and 2024.
How to Protect from Attacks?
It is crucial to understand that public and private organizations operate in an interconnected digital environment with extensive risks. Organizations often defend their attack surface on the assumption that a well-defined perimeter exists. Nothing could be further from reality. The US Treasury intrusion is a reminder that layered cybersecurity measures are required to protect valuable, sensitive, and private information. The following practices reduce the likelihood and the impact of an attack.
- Continuous Risk Assessments: Regularly analyze the weaknesses relevant to your organization, including the access your vendors hold into it. Bringing in an outside perspective for an assessment is one of the best ways to find what internal teams have stopped noticing.
- Documented Security Practices: Clearly define the organization's cybersecurity policies and procedures. Human error and departures from standard procedure create avoidable vulnerabilities.
- Continuous Monitoring: AI and machine learning can support affordable, round-the-clock monitoring, but monitoring only pays off alongside a tested incident response plan that covers third-party services, such as the remote support platform at the center of the Treasury breach.
- Supply Chain Communication: Growing use of cloud and SaaS products extends your dependence on those vendors. When working with outside companies and suppliers, be deliberate about what data and access you share with them, and extend cybersecurity training resources to them wherever possible.
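The key misuse described under "Exploitation at the Treasury" and the Continuous Monitoring point above come down to the same question: would you notice a vendor-held credential being used in a way the vendor never needs? Below is an added example, not BeyondTrust's or the Treasury's tooling, of that check run over a few constructed JSON audit events. The event fields, the `vendor-support-key` actor name, the vendor egress network, the permitted actions and the business-hours window are all assumptions; a real deployment would take them from the vendor's documented egress ranges and the contract's scope of work.

```python
import json
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample audit events for illustration. These are NOT real
# BeyondTrust or Treasury logs; the schema is assumed.
SAMPLE_LOG = """\
{"ts":"2024-12-01T14:02:11Z","actor":"vendor-support-key","action":"session.start","src_ip":"203.0.113.10","target":"ws-0142"}
{"ts":"2024-12-02T03:17:45Z","actor":"vendor-support-key","action":"local_account.password_reset","src_ip":"198.51.100.77","target":"admin"}
{"ts":"2024-12-02T03:19:02Z","actor":"vendor-support-key","action":"session.start","src_ip":"198.51.100.77","target":"ws-0007"}
{"ts":"2024-12-02T09:00:00Z","actor":"jdoe","action":"session.start","src_ip":"203.0.113.22","target":"ws-0142"}
"""

# Assumed policy for a vendor-held support key: where it may connect from,
# what it may do, and when. Everything here is a placeholder value.
KEY_POLICY = {
    "vendor-support-key": {
        "allowed_networks": ["203.0.113.0/24"],        # assumed vendor egress range
        "allowed_actions": {"session.start", "session.end"},
        "business_hours_utc": (8, 18),                 # assumed support window
    }
}


def parse_event(line: str) -> dict:
    # One JSON object per line; timestamps are UTC in ISO 8601 with a Z suffix.
    event = json.loads(line)
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def evaluate(event: dict, policy: dict) -> list[str]:
    # Return the list of policy violations for one event. Actors without a
    # policy entry (ordinary users) are out of scope for this check.
    rule = policy.get(event["actor"])
    if rule is None:
        return []
    findings = []
    src = ip_address(event["src_ip"])
    if not any(src in ip_network(net) for net in rule["allowed_networks"]):
        findings.append("source_ip_outside_allowlist")
    if event["action"] not in rule["allowed_actions"]:
        findings.append("action_not_permitted_for_key")
    start, end = rule["business_hours_utc"]
    if not start <= event["ts"].hour < end:
        findings.append("outside_business_hours")
    return findings


def scan(log_text: str, policy: dict = KEY_POLICY) -> list[dict]:
    # Walk the log and collect every event that violates its actor's policy.
    alerts = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        event = parse_event(line)
        findings = evaluate(event, policy)
        if findings:
            alerts.append({
                "line": lineno,
                "actor": event["actor"],
                "action": event["action"],
                "src_ip": event["src_ip"],
                "findings": findings,
            })
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

On the sample data the first and last events are clean, while the two events from an unexpected network at 03:00 UTC are flagged, and the password reset is additionally flagged as an action the key was never scoped for. Any one of the three findings is a reason to revoke the key and open an incident; the combination is what a stolen vendor credential looks like in practice.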
Final Words
A cybersecurity breach at the US Treasury Department occurred through a compromised BeyondTrust remote support service. APT27, a Chinese state-sponsored hacking group, was responsible for the attack. The hackers gained unauthorized access to unclassified documents.
They were cut off once the activity was identified. The event is a reminder of the risks that come with third-party software and the software supply chain. Strong cybersecurity practices are required to avoid similar breaches in the future.