U.S. Treasury Breached via Single Compromised API Key
A Chinese APT exploited a compromised BeyondTrust API key to access 3,000+ files across 100 Treasury Department computers, including OFAC and the Secretary's office.
Key Finding
A single API key, a non-human identity, provided access to some of the most sensitive systems in the US government.
In December 2024, a Chinese state-sponsored APT group exploited a compromised API key for BeyondTrust's Remote Support SaaS platform to breach the US Department of the Treasury. The attackers leveraged a zero-day vulnerability to obtain an infrastructure API key from a BeyondTrust AWS account, which was then used to compromise a separate AWS account running Remote Support infrastructure.
The result: unauthorized access to over 3,000 unclassified files across 100 Treasury Department computers, including workstations in the Office of Foreign Assets Control (OFAC) and the Office of the Treasury Secretary.
This is a textbook non-human identity breach. No human credentials were phished. No MFA was bypassed. A single API key, a machine identity, provided the attack path into one of the most sensitive government agencies in the world.
API keys do not have MFA. They do not recognize suspicious behavior. They do not expire on their own. They are bearer tokens that grant access to whoever holds them, regardless of context or intent.
This incident demonstrates why non-human identity governance is not optional. Organizations must maintain complete inventories of API keys and service account credentials, enforce rotation policies, implement least-privilege scoping, and monitor for anomalous usage patterns. The Treasury breach was enabled not by the sophistication of the attack, but by the absence of basic NHI lifecycle management.
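As an added example (not code from the original article, from BeyondTrust, or from the Treasury investigation), the Python below shows what the two halves of that lifecycle management look like in practice: a static audit of an API-key inventory that flags keys past their rotation age or carrying broad scopes, and a pass over access-log lines that flags keys absent from the inventory, use from a source network the key is not expected on, and bursts of file reads. The key ids, owners, networks, log format and policy thresholds are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Policy thresholds: assumed values for this example, not from the article.
ROTATION_MAX_AGE = timedelta(days=90)
BROAD_SCOPES = {"*", "admin"}
BURST_WINDOW = timedelta(minutes=5)
BURST_THRESHOLD = 20      # more file reads than this inside one window is flagged


@dataclass
class ApiKey:
    key_id: str
    owner: str                # team or service accountable for the credential
    created_at: datetime      # last issuance or rotation time
    scopes: frozenset         # permissions the key carries
    allowed_cidrs: tuple      # networks the key is expected to be used from


NOW = datetime(2024, 12, 15, tzinfo=timezone.utc)

# Constructed inventory: hypothetical key ids, owners and networks.
INVENTORY = {
    "rs-infra-01": ApiKey("rs-infra-01", "remote-support-infra",
                          NOW - timedelta(days=400), frozenset({"*"}),
                          (ip_network("10.20.0.0/16"),)),
    "rs-sessions-02": ApiKey("rs-sessions-02", "session-broker",
                             NOW - timedelta(days=30), frozenset({"sessions:read"}),
                             (ip_network("10.20.0.0/16"),)),
}

# Constructed access log, one event per line:
# "<utc timestamp> key=<id> src=<ip> action=<verb> target=<path>"
LOG_LINES = [
    "2024-12-08T02:11:00Z key=rs-sessions-02 src=10.20.5.7 action=list target=/sessions",
]
# 25 file reads in under three minutes from an address outside the allowed network.
LOG_LINES += [
    f"2024-12-08T02:{12 + i // 10}:{(i % 10) * 6:02d}Z key=rs-infra-01 "
    f"src=203.0.113.45 action=read target=/hosts/ws-{i:04d}/files"
    for i in range(25)
]
# A key nobody has in the inventory, which is itself a finding.
LOG_LINES.append(
    "2024-12-08T03:00:00Z key=unknown-99 src=198.51.100.9 action=read target=/hosts/ws-0100/files"
)


def parse_log_line(line):
    """Split one constructed log line into a dict with a parsed UTC timestamp."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return rec


def audit_inventory(inventory, now=NOW):
    """Static lifecycle checks: keys past rotation age and keys with broad scopes."""
    findings = []
    for key in inventory.values():
        age = now - key.created_at
        if age > ROTATION_MAX_AGE:
            findings.append((key.key_id, f"not rotated for {age.days} days"))
        broad = key.scopes & BROAD_SCOPES
        if broad:
            findings.append((key.key_id, "broad scope " + ",".join(sorted(broad))))
    return findings


def detect_anomalies(inventory, log_lines):
    """Runtime checks over log lines: unknown keys, unexpected sources, read bursts."""
    findings = []
    unexpected_sources = set()      # (key_id, src) pairs, de-duplicated
    reads = {}                      # key_id -> timestamps of read actions
    for rec in map(parse_log_line, log_lines):
        key = inventory.get(rec["key"])
        if key is None:
            findings.append((rec["key"], f"key not in inventory, used from {rec['src']}"))
            continue
        src = ip_address(rec["src"])
        if not any(src in net for net in key.allowed_cidrs):
            unexpected_sources.add((key.key_id, str(src)))
        if rec["action"] == "read":
            reads.setdefault(key.key_id, []).append(rec["ts"])
    for key_id, src in sorted(unexpected_sources):
        findings.append((key_id, f"used from unexpected source {src}"))
    # Sliding window: flag the first point at which reads inside BURST_WINDOW exceed the threshold.
    for key_id, times in reads.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > BURST_WINDOW:
                start += 1
            if end - start + 1 > BURST_THRESHOLD:
                findings.append((key_id, f"{end - start + 1} reads within {BURST_WINDOW}"))
                break
    return findings


if __name__ == "__main__":
    for key_id, msg in audit_inventory(INVENTORY) + detect_anomalies(INVENTORY, LOG_LINES):
        print(f"{key_id}: {msg}")
```

The static audit would have surfaced the over-aged, wildcard-scoped key before any incident; the log pass catches the combination the article describes, a long-lived infrastructure key suddenly reading files from an address it has never been used from. In a real deployment the inventory would come from the secrets manager or cloud IAM API and the log lines from the platform's audit stream, but the checks themselves stay the same.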