
Chinese APT Targets U.S. Treasury via Third-Party Provider
Chinese state-sponsored hackers breached the U.S. Treasury Department this December. The intrusion ran through BeyondTrust, a trusted third-party cybersecurity service provider, rather than through Treasury's own perimeter. By obtaining the key BeyondTrust used to secure its cloud-based remote support service, the attackers were able to override that service's security controls, remotely access Treasury user workstations, and exfiltrate unclassified documents.
Breach background
The threat actors used a compromised key for BeyondTrust's cloud-based remote support service, the service Treasury relies on for remote technical support of its end users. With it they gained unauthorized access to Treasury Departmental Offices (DO) user workstations and to sensitive but unclassified documents stored on them. The U.S. Treasury attributes the attack to a China state-sponsored Advanced Persistent Threat (APT) group. BeyondTrust notified Treasury of the compromise on December 8, alerted other affected customers, and worked with U.S. CISA and the FBI to contain the impact. China denies involvement, calling the accusations unfounded smear attacks.
Tom Hegel of SentinelOne notes that this breach fits a growing pattern of PRC-linked groups compromising trusted third-party services to reach their real targets. A vendor's legitimate remote-access channel inherits the trust its customers grant it, so a single stolen service key can bypass controls that would stop a direct attack, which is why supply-chain routes like this one are increasingly used against critical infrastructure.