Overview

In December 2024, Chinese state-sponsored hackers infiltrated the U.S. Treasury Department's systems, gaining unauthorized access to the computers of top officials, including Secretary Janet Yellen. This breach, deemed a "major incident" by Treasury officials, compromised over 3,000 unclassified files across 419 workstations.

Details of the Breach

The cyberattack was facilitated through a vulnerability in a third-party vendor, BeyondTrust, which provides cybersecurity services to the Treasury Department. The attackers exploited a stolen API key and two zero-day vulnerabilities—CVE-2024-12356 and CVE-2024-12686—to bypass security measures and gain privileged access to Treasury systems. BeyondTrust detected anomalous activity on December 2, confirmed the breach by December 5, and notified the Treasury Department on December 8.

Impact on Treasury Officials

The hackers accessed unclassified files on the computers of Secretary Janet Yellen, Deputy Secretary Wally Adeyemo, and Acting Under Secretary Brad Smith. Specifically, fewer than 50 files were accessed on Yellen's machine. The compromised data included sensitive information related to sanctions enforcement and international financial affairs.

Response and Mitigation

Upon discovery, the compromised BeyondTrust service was promptly taken offline. The Treasury Department has been collaborating with the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and external forensic experts to assess the full impact of the intrusion. Officials have stated that there is no evidence of ongoing access by the hackers following mitigation efforts.

International Reactions

In response to the breach, Treasury Secretary Janet Yellen raised serious concerns about "malicious cyber activity" by Chinese state-sponsored actors during a virtual meeting with Chinese Vice Premier He Lifeng. The Chinese government has denied any involvement in the attack, with a spokesperson for China's Ministry of Foreign Affairs dismissing the allegations as baseless and politically motivated.

Conclusion

This incident underscores the persistent threat posed by advanced persistent threat (APT) actors linked to nation-states and highlights vulnerabilities in third-party software services used by government agencies. The Treasury Department has emphasized its commitment to strengthening its cyber defenses and reevaluating its reliance on external cybersecurity providers like BeyondTrust.

Disclaimer: ClearPhish maintains a strict policy of not participating in the theft, distribution, or handling of stolen data or files. The platform does not engage in exfiltration, downloading, hosting, or reposting any illegally obtained information. Any responsibility or legal inquiries regarding the data should be directed solely at the responsible cybercriminals or attackers, as ClearPhish is not involved in these activities. We encourage parties affected by any breach to seek resolution through legal channels directly with the attackers responsible for such incidents.