{
	"id": "88afc074-72f5-40dc-8734-7b19c597bd2b",
	"created_at": "2026-04-06T00:15:40.238784Z",
	"updated_at": "2026-04-10T03:34:28.291046Z",
	"deleted_at": null,
	"sha1_hash": "682db4dc3237de5e8873008da3ef7e5c3a1f3715",
	"title": "US Treasury Department breached through remote support platform",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1610927,
	"plain_text": "US Treasury Department breached through remote support platform\r\nBy Lawrence Abrams\r\nPublished: 2024-12-30 · Archived: 2026-04-05 21:48:38 UTC\r\nChinese state-sponsored threat actors hacked the U.S. Treasury Department after breaching a remote support platform used\r\nby the federal agency.\r\nIn a letter sent to lawmakers and seen by the New York Times, the Treasury Department warned lawmakers it was first\r\nnotified of the breach on December 8th by its vendor BeyondTrust.\r\nBeyondTrust is a privileged access management company that also offers a remote support SaaS platform that can be used to\r\naccess computers remotely.\r\nhttps://www.bleepingcomputer.com/news/security/us-treasury-department-breached-through-remote-support-platform/\r\nPage 1 of 4\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/us-treasury-department-breached-through-remote-support-platform/\r\nPage 2 of 4\n\nVisit Advertiser websiteGO TO PAGE\r\n\"Based on available indicators, the incident has been attributed to a China state-sponsored Advanced Persistent Threat\r\n(APT) actor,\" reads the letter seen by the New York Times.\r\n\"In accordance with Treasury policy, intrusions attributable to an APT are considered a major cybersecurity incident.\"\r\nEarlier this month, BleepingComputer reported that BeyondTrust had been breached, with threat actors gaining access to\r\nsome of the company's Remote Support SaaS instances.\r\nAs part of this breach, the threat actors utilized a stolen Remote Support SaaS API key to reset passwords for local\r\napplication accounts and gain further privileged access to the systems.\r\nAfter investigating the attack, BeyondTrust discovered two zero-day vulnerabilities,  CVE-2024-12356 and CVE-2024-\r\n12686, that allowed threat actors to breach and take over Remote Support SaaS instances.\r\nAs the Treasury Department was a customer of one of these compromised instances, the threat actors were able to use the\r\nplatform to access agency computers and steal documents remotely.\r\nAfter BeyondTrust detected the breach, they shut down all compromised instances and revoked the stolen API key.\r\nThe letter says that the FBI and CISA assisted in the investigation into the Treasury Department breach, and there is no\r\nevidence that the Chinese threat actors still have access to the agency's computers now that the compromised instances were\r\nshut down.\r\nChinese state-sponsored threat actors named \"Salt Typhoon\" have also been linked to recent hacks of nine U.S.\r\ntelecommunication companies, including Verizon, AT\u0026T, Lument, and T-Mobile. The threat actors are believed to have\r\nbreached telecom firms in dozens of other countries.\r\nThe threat actors utilized this access to target the text messages, voicemails, and phone calls of targeted individuals, and to\r\naccess wiretap information of those under investigation by law enforcement.\r\nSince this wave of telecom breaches, CISA has urged senior government officials to switch to end-to-end encrypted\r\nmessaging apps like Signal to reduce communication interception risks.\r\nThe U.S. government reportedly plans to ban China Telecom's last active U.S. operations in response to the telecom hacks.\r\nBleepingComputer sent further questions to the State Department about the breach but has not received a reply yet.\r\nhttps://www.bleepingcomputer.com/news/security/us-treasury-department-breached-through-remote-support-platform/\r\nPage 3 of 4\n\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/us-treasury-department-breached-through-remote-support-platform/\r\nhttps://www.bleepingcomputer.com/news/security/us-treasury-department-breached-through-remote-support-platform/\r\nPage 4 of 4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/us-treasury-department-breached-through-remote-support-platform/"
	],
	"report_names": [
		"us-treasury-department-breached-through-remote-support-platform"
	],
	"threat_actors": [
		{
			"id": "f0eca237-f191-448f-87d1-5d6b3651cbff",
			"created_at": "2024-02-06T02:00:04.140087Z",
			"updated_at": "2026-04-10T02:00:03.577326Z",
			"deleted_at": null,
			"main_name": "GhostEmperor",
			"aliases": [
				"OPERATOR PANDA",
				"FamousSparrow",
				"UNC2286",
				"Salt Typhoon",
				"RedMike"
			],
			"source_name": "MISPGALAXY:GhostEmperor",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d390d62a-6e11-46e5-a16f-a88898a8e6ff",
			"created_at": "2024-12-28T02:01:54.899899Z",
			"updated_at": "2026-04-10T02:00:04.880446Z",
			"deleted_at": null,
			"main_name": "Salt Typhoon",
			"aliases": [
				"Earth Estries",
				"FamousSparrow",
				"GhostEmperor",
				"Operator Panda",
				"RedMike",
				"Salt Typhoon",
				"UNC2286"
			],
			"source_name": "ETDA:Salt Typhoon",
			"tools": [
				"Agentemis",
				"Backdr-NQ",
				"Cobalt Strike",
				"CobaltStrike",
				"Crowdoor",
				"Cryptmerlin",
				"Deed RAT",
				"Demodex",
				"FamousSparrow",
				"FuxosDoor",
				"GHOSTSPIDER",
				"HemiGate",
				"MASOL RAT",
				"Mimikatz",
				"NBTscan",
				"NinjaCopy",
				"ProcDump",
				"PsExec",
				"PsList",
				"SnappyBee",
				"SparrowDoor",
				"TrillClient",
				"WinRAR",
				"Zingdoor",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "fcff864b-9255-49cf-9d9b-2b9cb2ad7cff",
			"created_at": "2025-04-23T02:00:55.190165Z",
			"updated_at": "2026-04-10T02:00:05.361244Z",
			"deleted_at": null,
			"main_name": "Salt Typhoon",
			"aliases": [
				"Salt Typhoon"
			],
			"source_name": "MITRE:Salt Typhoon",
			"tools": [
				"JumbledPath"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6477a057-a76b-4b60-9135-b21ee075ca40",
			"created_at": "2025-11-01T02:04:53.060656Z",
			"updated_at": "2026-04-10T02:00:03.845594Z",
			"deleted_at": null,
			"main_name": "BRONZE TIGER",
			"aliases": [
				"Earth Estries ",
				"Famous Sparrow ",
				"Ghost Emperor ",
				"RedMike ",
				"Salt Typhoon "
			],
			"source_name": "Secureworks:BRONZE TIGER",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434540,
	"ts_updated_at": 1775792068,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/682db4dc3237de5e8873008da3ef7e5c3a1f3715.pdf",
		"text": "https://archive.orkl.eu/682db4dc3237de5e8873008da3ef7e5c3a1f3715.txt",
		"img": "https://archive.orkl.eu/682db4dc3237de5e8873008da3ef7e5c3a1f3715.jpg"
	}
}