BeyondTrust: An Exemplar Breach
1–6–2025 (Monday)
Hello, Happy New Year, and welcome to The Intentional Brief - your weekly video update on the one big thing in cybersecurity for middle market companies, their investors, and executive teams.
I’m your host, Shay Colson, Managing Partner at Intentional Cybersecurity, and you can find us online at intentionalcyber.com.
Today is Monday, January 6, 2025, and I hope that your 2025 is off to a good start.
We’re going to jump right in to the story this week, which revolves around a company called BeyondTrust, the US Department of the Treasury (disclosure, my former employer a couple of lifetimes ago), and - surprising nobody - China.
BeyondTrust: An Exemplar Breach
It was reported as the year wound down - via a letter to Congress, no less - that Treasury suffered a breach earlier in December, in which hackers remotely accessed some Treasury workstations and “certain unclassified documents.”
From a WIRED article: The attackers exploited vulnerabilities in remote tech support software provided by the identity and access management firm BeyondTrust, and Treasury said in its letter to lawmakers that “the incident has been attributed to a China state-sponsored Advanced Persistent Threat (APT) actor.”
Reuters had the scoop in terms of reporting, but this item has been widely covered in the tech press and other outlets.
BeyondTrust themselves have a pretty good timeline of the incident, if you’re curious.
The source? A compromised API key.
The attacker? China.
But I don’t want us to focus on either of those, because you’re not in charge of protecting your vendor’s API keys, and you’re not in charge of defeating Chinese cyber efforts.
What you are in charge of, however, is understanding the reach and impact of the third parties that you lean on to run your shop. While the BeyondTrust example gives us some good specifics, I think it’s more helpful to zoom out and think more broadly here.
By more broadly, I mean that you should have an understanding of:
The third parties (including SaaS vendors) that you use, specifically those that hold your data or have access to your systems and networks.
Your playbook if one of these vendors has an incident. It’s not realistic for middle market companies to run things without a significant amount of third-party help - and that makes sense for a lot of reasons. But the tradeoff is that you need to understand your response procedures if BeyondTrust or Okta or CrowdStrike or any other industry-leading provider has an incident. What does it mean for you? What are you going to do? Have you practiced? Etc.
The nuance that China appears to have been targeting the Office of Foreign Assets Control (OFAC) - and in fact Treasury had just sanctioned a Chinese company for its role in supporting the Flax Typhoon APT - is also something you can adapt to your own context.
Perhaps this is a “nation state” type of threat that’s relevant to your industry, but maybe you’re simply collateral damage. That can happen when you use a third party that is itself the target, or when the third party is also used by the ultimate target.
As we’ve seen recently with the zero-days against file transfer platform Cleo, attackers quickly adopt these opportunities to gain footholds and execute attacks.
Your job, again, is to maintain awareness, understand how you’ll respond, be sure you get updates on the status of events or incidents affecting your vendors, and be able to move in a way that’s appropriate for your organization to minimize impact and overall risk.
No real fundraising updates this week, though the Wall Street Journal did have a good piece on Private Equity’s “Dry Powder Countdown” - noting more than $500B in capital awaiting deployment.
To close, a reminder that you can find links to all the articles we covered below, find back issues of these videos and the written transcripts at intentionalcyber.com, and we’ll see you next week for another edition of the Intentional Brief.
Links
https://www.wired.com/story/us-treasury-hacked-by-china/
https://www.beyondtrust.com/remote-support-saas-service-security-investigation
https://techcrunch.com/2024/12/30/us-treasury-says-china-stole-documents-in-major-cyberattack/
https://www.theguardian.com/us-news/2024/dec/30/china-treasury-cyberattack
https://www.washingtonpost.com/national-security/2025/01/01/treasury-hack-china/
https://home.treasury.gov/news/press-releases/jy2769
https://www.cybersecuritydive.com/news/cleo-exploited-flaw-file-transfer-software/735664/
https://www.wsj.com/articles/private-equitys-2025-dry-powder-countdown-1fb2a972