Chinese APT Exploits BeyondTrust API Key to Access U.S. Treasury Systems and Documents

In December 2024, the U.S. Treasury Department disclosed a “major cybersecurity incident” in which suspected Chinese threat actors gained unauthorized access to unclassified documents and some department computers through a compromised API key belonging to its third-party software provider, BeyondTrust. The breach, discovered on December 8, involved attackers abusing BeyondTrust’s Remote Support SaaS service to override security measures and remotely access Treasury Departmental Offices workstations. The Treasury Department has since taken the affected service offline and is working with CISA and the FBI on the investigation, while China’s foreign ministry has denied any involvement in the incident. BeyondTrust has acknowledged the breach, revoked the compromised API key, and identified two security vulnerabilities in its products, one of which is already being actively exploited in the wild.

Edward Kiledjian @ekiledjian