Johns Creek company at center of U.S. Treasury hacking probe

A view from the United States Department of the Treasury building in Washington DC, United States on December 30, 2024. The US Treasury Department was cyberattacked by a Chinese state-sponsored actor in early December. In the letter sent to Congress

Chinese hackers accessed several U.S. Treasury Department workstations and unclassified documents after breaching a third-party software service provider, the department confirmed Monday, calling the incident a "major cybersecurity incident."

The Treasury learned of the breach on Dec. 8, when BeyondTrust, a Johns Creek-based software service provider, reported that hackers had stolen a key used to secure a cloud-based service for remotely providing technical support. The stolen key allowed the attackers to bypass security measures and gain remote access to several employee workstations.

In a statement, BeyondTrust wrote:

"BeyondTrust previously identified and took measures to address a security incident in early December 2024 that involved the Remote Support product. BeyondTrust notified the limited number of customers who were involved, and it has been working to support those customers since then. No other BeyondTrust products were involved. Law enforcement was notified and BeyondTrust has been supporting the investigative efforts. BeyondTrust posted information regarding the incident and the ongoing investigation on its website on December 8, 2024, including a summary, timeline, and indicators. The security advisory has been updated since then as part of BeyondTrust’s commitment to updating customers through the completion of this matter."

"Treasury takes very seriously all threats against our systems, and the data it holds," a department spokesperson said in a statement. "Over the last four years, Treasury has significantly bolstered its cyber defense, and we will continue to work with both private and public sector partners to protect our financial system from threat actors."

In a letter to lawmakers, Aditi Hardikar, an assistant Treasury secretary, said the compromised service had been taken offline and emphasized that "at this time, there is no evidence indicating the threat actor has continued access to Treasury information."

The breach, attributed to Chinese state-sponsored hackers, is being investigated by the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and other federal agencies. However, the Treasury has not disclosed how many workstations were accessed or the nature of the documents potentially compromised.

This revelation comes amid ongoing fallout from the Salt Typhoon cyberespionage campaign, which U.S. officials say allowed Chinese operatives to access private texts and phone conversations of an unknown number of Americans. Last week, the White House confirmed that at least nine telecommunications companies were affected by the campaign.

Treasury officials are continuing to assess the impact of the breach and are cooperating with federal cybersecurity agencies to enhance defenses against future threats.

What is BeyondTrust?

BeyondTrust, a cybersecurity company headquartered in Johns Creek, is a global leader in providing solutions for privileged access management (PAM) and vulnerability management. The company specializes in safeguarding organizations from internal and external cyber threats through a comprehensive suite of products and services.

BeyondTrust’s offerings are designed to secure privileged accounts, credentials, and remote access, enabling organizations to reduce risks and enhance their security posture. Its key solutions include:

  • Privileged Access Management (PAM): Tools for managing and monitoring privileged accounts, sessions, and credentials to prevent unauthorized access and mitigate insider threats.
  • Vulnerability Management: Solutions that identify, assess, and remediate vulnerabilities across IT environments, reducing the attack surface.
  • Endpoint Privilege Management: Policies to enforce least privilege access on endpoints, enabling users to perform tasks without full administrative rights, minimizing malware risks.
  • Remote Support and Access: Secure tools for IT teams to support and manage remote devices and systems effectively.

BeyondTrust serves a diverse range of industries, including finance, healthcare, government, and retail. The company has built a reputation for its focus on security, innovation, and customer satisfaction, earning recognition as a leader in the cybersecurity sector.

The Salt Typhoon cyberespionage campaign explained

A sophisticated cyberespionage operation, known as Salt Typhoon or Gallium, has been attributed to a group believed to be linked to China and targets the telecommunications, finance, and government sectors. The campaign is noted for its persistence, with attackers maintaining long-term access to compromised networks.

Salt Typhoon relies on custom malware and advanced infiltration techniques to breach networks, exfiltrate data, and maintain a foothold within compromised systems. Attackers typically exploit vulnerabilities in internet-facing services and use spear-phishing emails to gain initial access. Once inside, they employ a range of tools to move laterally across networks, escalate privileges, and extract sensitive information.

The campaign is part of a larger trend of state-sponsored cyber espionage efforts aimed at gathering intelligence and achieving strategic advantages. Experts emphasize the importance of robust cybersecurity practices, including regular patching of vulnerabilities, network segmentation, and employee training to recognize phishing attempts, as key defenses against such attacks.

The Source: The Associated Press and FOX Business contributed to this report. Details about BeyondTrust were researched from material on the internet provided by the company. Details about the Salt Typhoon cyberespionage campaign are from previous FOX 5 Atlanta reports.
