
Chinese State-backed Hackers infiltrate US Treasury Department – Source: www.darkreading.com


Chinese state-backed threat actors successfully compromised the US Department of the Treasury’s systems earlier this month and stole data from workstations, according to a warning the Treasury Department issued to lawmakers. The breach, attributed to an advanced persistent threat (APT) group, has been classified as a major cybersecurity incident.

The attackers gained unauthorized access to the Treasury’s systems through a third-party cybersecurity vendor, BeyondTrust, exploiting a remote key used by the vendor to secure a cloud-based service utilized for technical support for Treasury Departmental Offices (DO) users. With the stolen key, the threat actors were able to bypass the service’s security measures, remotely access specific Treasury DO user workstations, and retrieve certain unclassified documents maintained by those users.

BeyondTrust, with more than 20,000 customers worldwide, including 75% of Fortune 100 organizations, is a prominent provider of privileged remote access tools. The company was made aware of the breach on December 8 and is collaborating with the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI to investigate the incident. A BeyondTrust advisory stated that the company became aware of a compromised API key on December 5, promptly revoking it. Impacted customers have been notified, and remediation efforts are underway.

The breach, labeled an ‘epic’ Chinese hack of the US Treasury, highlights Beijing’s ability to infiltrate critical systems within the federal government. This incident follows a series of cyberattacks against US telecommunications companies attributed to Chinese-backed hacking groups like Salt Typhoon, which have infiltrated multiple telecom networks in the US, accessing call data and text messages. Addressing these cyber espionage activities during the transition of administrations poses diplomatic challenges, given Beijing’s customary denial of responsibility for such incidents.

Lawrence Pingree, Vice President of Dispersive, emphasized the importance of managing software API access keys securely to prevent breaches of this magnitude. The breach underscores the vulnerability of cybersecurity vendors to sophisticated state-sponsored threat actors, as highlighted by former NSA cyber expert Evan Dornbush. He noted the increasing frequency of attacks targeting security firms like BeyondTrust, Okta, LastPass, SolarWinds, and Snowflake.

Overall, the breach at the US Department of the Treasury serves as a stark reminder of the evolving cybersecurity threats facing government agencies and the critical need for robust security measures to safeguard sensitive data and infrastructure. Advanced threat actors continue to exploit vulnerabilities in IT ecosystems, underscoring the vigilance and diligence required to mitigate cyber risks effectively in today’s digital landscape.
