Explaining the 2024 US Treasury Hack: What Happened?


In what appears to be another escalation of cyber-aggression, a group of Chinese nation-state hackers breached the US Treasury and left the federal government embarrassed. The breach reached the highest levels of the Treasury, including unclassified files related to Secretary Janet Yellen, Deputy Secretary Wally Adeyemo and Acting Under Secretary Brad Smith.

With an FBI investigation underway, reports indicate the incident occurred between September and November 2024. Suspicious activity wasn’t noticed until approximately Dec. 2, according to news reports. Although the threat actors attempted to cover their digital footprint, American cybersecurity professionals were able to attribute the US Treasury breach to the communist regime.

Treasury Department Hacked: What Files Were Stolen?

US Treasury officials told members of Congress that upwards of 419 Treasury computers were compromised, and more than 3,000 files were pilfered by China. Government sources have indicated that the files were unclassified.

“A threat actor had gained access to a key used by the vendor to secure a cloud-based service used to remotely provide technical support for Treasury Departmental Offices end users,” Aditi Hardikar, assistant secretary for management at the U.S. Department of the Treasury, reported to Congress. “With access to the stolen key, the threat actor was able to override the service’s security, remotely access certain Treasury DO user workstations and access certain unclassified documents maintained by those users.”

US Treasury Hacked: Methods Used by Advanced Persistent Threats

The breach of the US Treasury is yet another example of the heightened espionage threats to government agencies, critical infrastructure and private sector organizations that work with the Department of Defense, among others. In this particular case, Chinese hackers employed a supply chain attack to infiltrate one of the most heavily defended agencies.

Almost ironically, the hackers leveraged a software vulnerability in a product from BeyondTrust, a third-party cybersecurity vendor that offers privileged access management (PAM). The PAM approach employs a variety of technologies and processes to control user access to sensitive materials, along the lines of zero trust architecture, and is likewise designed to reduce the risk of unauthorized network access. However, BeyondTrust also offers a Remote Support Software as a Service (SaaS) product, which Chinese hackers exploited using classic supply chain attack methods and at least one security misstep.

While the US Treasury hack garners splashy headlines, it’s important to keep in mind the Chinese espionage attack was not limited to a single victim. Supply chain attacks generally cast a wide net. BeyondTrust initially reported that a few of its customers were affected by the insertion of malicious software. Another notable agency that got hit was the Office of Foreign Assets Control. The Office of Financial Research, a subdivision of the US Treasury, appears to have been a primary target. At this juncture, details are beginning to emerge about the latest cyberattack by America’s communist adversary.

How Supply Chain Attacks Work

The hackers who orchestrated the US Treasury cyberattack did not necessarily conjure up a new or innovative scheme. They used advanced but common cybercrime techniques to gain access to the BeyondTrust Remote Support SaaS platform, which provides technical support to end users at organizations such as the Treasury. Threat actors identified a pair of vulnerabilities and exploited them, knowing that government agencies relying on the SaaS solution would ultimately have their networks compromised.

Supply chain attacks essentially target trusted third-party vendors. Cybercriminals typically sit back and monitor the ransomware or malicious files they insert until they have infected numerous or specific high-profile targets. In many ways, supply chain attacks are a violation of the trusted relationship between vendors and clients. In this instance, the cybersecurity relationship between BeyondTrust and the US Treasury, among others, was manipulated. The key components of a supply chain attack are targeting a weakness at the vendor, breaching victims indirectly through that vendor and achieving broad impact across the vendor’s SaaS users. The supply chain attack has emerged as a trend threatening national security. Less than five years ago, an advanced persistent threat pulled off a massive supply chain attack by exploiting SolarWinds.

US Treasury Attack Mimics SolarWinds

In 2019, SolarWinds was used in a supply chain attack that impacted more than 30,000 private-sector companies and government agencies. Reports indicate the organization provided an intern with login credentials. The individual would later post their username and password on a platform, where hackers stumbled across it. Because the outdated login profile had not been eliminated, cybercriminals used the information to gain seemingly legitimate access to SolarWinds. They inserted malware into a software update that was later distributed to thousands of customers.

The supply chain attack allowed thieves to sidestep federal agencies touting robust defenses, such as the departments of Homeland Security, State, Commerce and Treasury. Privately run companies such as FireEye, Microsoft, Intel, Cisco and Deloitte were also taken by surprise. The cyberattack was not detected until the following year. Officials estimate the supply chain strategy gave bad actors a full 14 months to probe networks, steal data and learn national security secrets. The US government attributed the SolarWinds supply chain attack to Russia, another global adversary.

What’s particularly concerning is the fact that enemy nations continue to have success using supply chain attacks. Because the tactic is designed to cast a wide net, direct government contractors and peripheral businesses are swept up in the scheme. Given the implementation of the Cybersecurity Maturity Model Certification (CMMC) and other mandates, industry leaders need to be increasingly vigilant about protecting classified and unclassified digital information related to national defense, financial institutions and critical infrastructure.

Was the US Treasury Unprepared for Supply Chain Attack?


There are at least two ways of looking at the recent cyberattack on the US Treasury. One could say that nation-state cybercriminals from rogue countries such as Russia, China and Iran work relentlessly to penetrate networks housing critical information until they gain access. Few would argue against this position. On the other hand, it may also be true that the US Treasury and other agencies have not been proactive enough to prevent two hacks in the last five years. According to Dr. Raphael Yahalom, a research affiliate at the Sloan School of Management, Massachusetts Institute of Technology, the latter may be the larger problem.

“It seems that the Treasury, as most other enterprises and government agencies, was inadequately prepared for such scenarios in multiple important ways,” Dr. Yahalom reportedly said.

These are some of the ways the US Treasury’s cybersecurity lapses may have occurred.

  • Failing to identify BeyondTrust as a possible vulnerability based on its PAM reliance.
  • Failing to employ greater decentralization in applications management.
  • Failing to address the risk of third-party providers.
  • Failing to account for supply chain attacks and others in risk assessment scenarios.

“In general, new cyber risk management paradigms are required in the industry that would enable addressing such requirements in a more effective manner,” Dr. Yahalom reportedly said.

Hindsight, as they say, is 20/20. It may not prove fruitful for the Monday morning quarterback, but the cybersecurity profession relies on post-mortem assessments to learn and harden defenses going forward.

Steps Hackers Took to Exploit US Treasury

The immediate information points to sophisticated and well-funded hackers exploiting a BeyondTrust key that allowed them to bypass US Treasury security measures. Needless to say, many cybersecurity professionals would consider such a key an unreasonable vulnerability. After overcoming BeyondTrust’s protections, Chinese hackers followed through on what appears to be a smartly conceived covert operation.

Officials suspect the cybercriminals are part of a gang known as Silk Typhoon. The hacking gang possesses the nefarious skills and resources to carry out stealthy network intrusions. Once Silk Typhoon manages to get into a system, the online thieves tend to hide in plain sight for long periods of time. They are considered highly sophisticated and difficult to detect. One of the trending theories surrounding the hack is that Chinese officials sought information associated with the Office of Foreign Assets Control related to trade and sanction enforcement.

The working hypothesis points to threat actors searching for supply chain weaknesses that could lead to Treasury computers. As they assessed BeyondTrust, a pair of vulnerabilities likely jumped out to Silk Typhoon. These are the two we know about so far.

  • CVE-2024-12356: This security deficiency gave hackers unauthenticated remote access, allowing them to load a malicious file and potentially launch a ransomware attack on the Treasury Department.
  • CVE-2024-12686: Considered a mid-level (medium-severity) security vulnerability, this flaw was used to inject commands into the BeyondTrust site.

After putting these two vulnerabilities to use, Silk Typhoon was able to gain access to a cryptographic key. With the key in hand, the hacking gang overrode the SaaS security measures and struck federal agencies.

US Treasury Attack Timeline

The most notorious hackers have an almost uncanny ability to hide in plain sight for months, even years. The SolarWinds hack was accidentally discovered after 14 months. A massive Marriott hotel group hack reportedly persisted for upwards of four years to the detriment of 133.7 million guest records. Silk Typhoon managed to penetrate BeyondTrust in September, and suspicious digital activity was not detected until Dec. 2, 2024. These are the key dates that followed.

  • Dec. 5, 2024: BeyondTrust confirms platform breach and takes protective measures.
  • Dec. 8, 2024: BeyondTrust notifies the Treasury Department and others of potential compromise.
  • Dec. 8, 2024: BeyondTrust remote service shuts down.
  • Dec. 16, 2024: BeyondTrust identifies the BT24-10 vulnerability and distributes a software patch.
  • Dec. 18, 2024: BeyondTrust issues the BT24-11 advisory to customers.
  • Dec. 30, 2024: The US Treasury Department notifies Congress by sending a formal letter.

A 30-day supplemental report is expected and will likely include guidance. The outgoing Biden Administration issued an Executive Order on Jan. 15 in response to the US Treasury hack.

“The goal is to make it costlier and harder for China, Russia, Iran and ransomware criminals to hack, and to also signal that America means business when it comes to protecting our businesses and our citizens,” Anne Neuberger, outgoing Deputy National Security Advisor for Cyber and Emerging Technology, reportedly said.

The incoming administration also has a proven track record of taking on nation-state threats. The CMMC, for instance, has been a key component of national security pushed by the last three presidents. That being said, safeguarding national security information has proven something of an uphill battle.

How to Defend Against Supply Chain Attacks

It’s essential to recognize that government agencies and private companies exist in an interconnected digital world with wide-reaching threats. Organizations tend to harden their attack surface while operating under the idea that a defined perimeter exists. Nothing could be further from the truth. The US Treasury cyberattack highlights why multi-faceted cybersecurity measures are needed to protect sensitive, confidential and valuable data. These are methods used to reduce the risk of a supply chain attack.

  • Ongoing Risk Assessments: It’s mission-critical to consistently review the potential vulnerabilities associated with your unique supply chain. Having a fresh set of eyes conduct the review ranks among the best ways to insulate your network.
  • Define Security Methods: Establish clear, company-wide cybersecurity policies and procedures. Human error and deviation from best practices create unnecessary vulnerabilities.
  • Continuous Monitoring: AI and machine learning are excellent tools for cost-effective 24-hour monitoring. In the event of a data breach, an incident response plan can be brought to bear.
  • Supply Chain Communication: Changes in SaaS and cloud usage can impact others in your orbit. When working with third-party firms and vendors, consider exchanging information and cybersecurity educational resources whenever possible. After all, you are in it together.

It’s also essential to implement cybersecurity strategies such as zero trust architecture and multi-factor authentication. Had BeyondTrust maintained an additional authentication step, the US Treasury hack may have been avoided.

Red River Addresses Supply Chain Cyberattack Threats

At Red River, we understand supply chain attacks lurk in the background. That’s why we collaborate with companies to provide effective, scalable managed IT and cybersecurity consulting. Contact us today by calling or filling out our online form. Let’s get the process started!