Major US Treasury Cyber Attack Reveals Security Blind Spots

In late December 2024, senior Treasury Department officials confirmed a significant cyber attack attributed to a China-linked advanced persistent threat (APT). The intruders obtained an API key for a cloud-hosted remote support service run by BeyondTrust, a contractor that provides remote technical support to the department. With that key they were able to override the service's security controls, reach Treasury user workstations remotely, and read unclassified files on them.
Investigators currently estimate that around 100 government computers were compromised, including laptops used by high-ranking officials. The attackers accessed unclassified materials such as policy drafts, travel itineraries, and internal memos but did not penetrate classified systems.
How the Breach Happened: Supply Chain Exposure
The intrusion came through the supply chain: BeyondTrust's cloud-based Remote Support software, which IT teams use to administer systems remotely. Suspicious activity was first detected on December 2nd, and on December 8th, after confirming that the API key had been stolen, BeyondTrust notified the Treasury Department.
Cybersecurity agencies identified two exploited flaws in BeyondTrust's product: a critical, unauthenticated command injection vulnerability (CVE-2024-12356) and a medium-severity command injection flaw that requires existing administrative access (CVE-2024-12686). Both let an attacker run operating-system commands on the affected Remote Support instance; combined with the stolen key, that was enough to bypass the controls meant to keep outsiders off Treasury endpoints.
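The two control failures named above, an API key as the only gate on a remote-support endpoint and an OS command injection behind it, are illustrated below with a constructed example added for this article. It is not BeyondTrust's code and makes no claim about how CVE-2024-12356 or CVE-2024-12686 actually work; the endpoint, key value, hostname check, and the use of `echo` in place of a real diagnostic tool (so the demo runs offline) are all invented.

```python
"""Constructed illustration of the two weaknesses the article names: a single
API key gating a remote-support action, and OS command injection behind it.
Not BeyondTrust's code; every name, value and path here is invented."""
import hmac
import re
import subprocess

# Invented demo key. A real service would store only a hash of the key, scope
# it to a tenant, and rotate or revoke it when compromise is suspected.
VALID_API_KEY = "rs-demo-0123456789abcdef"

# Allowlist for the one parameter the endpoint accepts: hostname characters only.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def check_api_key(presented: str) -> bool:
    """Constant-time comparison so the key check does not leak via timing."""
    return hmac.compare_digest(presented.encode(), VALID_API_KEY.encode())


def is_valid_host(host: str) -> bool:
    """True only for values that match the hostname allowlist."""
    return HOSTNAME_RE.fullmatch(host) is not None


def diagnostic_vulnerable(api_key: str, host: str) -> str:
    """Vulnerable pattern: user input is spliced into a shell command line.
    'echo' stands in for a network tool so the demo runs offline."""
    if not check_api_key(api_key):
        raise PermissionError("invalid API key")
    cmd = f"echo diag {host}"  # attacker-controlled text reaches /bin/sh
    res = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return res.stdout.strip()


def diagnostic_hardened(api_key: str, host: str) -> str:
    """Hardened pattern: reject anything outside the allowlist, then pass the
    value as a single argv element with no shell, so metacharacters are inert."""
    if not check_api_key(api_key):
        raise PermissionError("invalid API key")
    if not is_valid_host(host):
        raise ValueError(f"rejected host value: {host!r}")
    res = subprocess.run(["echo", "diag", host], capture_output=True, text=True)
    return res.stdout.strip()


if __name__ == "__main__":
    payload = "127.0.0.1; echo INJECTED"
    print(diagnostic_vulnerable(VALID_API_KEY, payload))  # the second command runs
    try:
        diagnostic_hardened(VALID_API_KEY, payload)
    except ValueError as err:
        print("hardened endpoint:", err)
```

The API key check is necessary but not sufficient: once a key leaks, as it did here, the vulnerable handler executes whatever follows the `;`. The hardened handler still fails closed if the key leaks, because the injected text never reaches a shell, and the allowlist rejects it before any process is spawned.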
Scope & Targets: Unclassified, but Sensitive
Although the attackers did not breach classified systems, they accessed sensitive unclassified data: internal documents, communications, and planning materials used by senior officials, including the Office of Foreign Assets Control, the Office of the Treasury Secretary, and the Office of Financial Research.
BeyondTrust took the compromised Remote Support instance offline and revoked the stolen API key. It patched the related vulnerabilities across all SaaS instances and released fixes for self-hosted customers by mid-December. CISA and the FBI joined the investigation to assess the impact and confirm containment.
Designation & Response: “Major Incident”
On December 30, the Treasury officially notified Congress, labeling the breach a "major incident." Under Treasury policy, any intrusion attributable to an APT group is classified as a major incident, and that designation obliged the department to submit a detailed supplemental report to Congress within 30 days.
Lawmakers, including Sen. Tim Scott and Rep. French Hill, pressed the agency for answers, questioning how a state-sponsored actor could access such sensitive systems and inquiring about future safeguards.
Pattern of Cybersecurity Gaps
While CISA confirmed no evidence of spread to other federal agencies, this breach exposed recurring security vulnerabilities, echoing issues like the 2015 OPM hack, also attributed to Chinese threat actors.
The incident emphasized the risk posed by third-party vendors, especially those with privileged access to government systems. Experts argue that despite recent efforts to strengthen cybersecurity, agencies still lack proactive supply chain risk controls and zero trust frameworks.
Next Steps & Policy Implications
Looking ahead, the Treasury is expected to enhance its cybersecurity architecture, likely implementing zero trust models, tightening vendor oversight, and introducing stricter third-party controls. The 30-day Congressional report should offer transparency on mitigation strategies and policy reforms.
More broadly, this breach reinforces the urgent need for federal agencies to address supply chain vulnerabilities and strengthen safeguards, particularly in systems with remote access capabilities.