The attack used a stolen remote support SaaS API key to exfiltrate data from workstations in the Treasury Department’s Office of Foreign Assets Control.
Source: htdarkreading.com