The US Department of the Treasury alerted lawmakers on Monday that Chinese state-backed threat actors were able to compromise its systems and steal data from workstations earlier this month.
Because an advanced persistent threat (APT) group is suspected to be behind the hack, it is being treated as a “major cybersecurity incident,” according to the disclosure letter from the US Department of the Treasury, which was sent to the chairman and ranking member of the Senate committee that oversees the agency.
The letter explained that the adversaries broke into Treasury through a third-party cybersecurity vendor, BeyondTrust, and “…gained access to a remote key used by the vendor to secure a cloud-based service used to remotely provide technical support for Treasury Departmental Offices (DO) end users.” It continued: “With access to the stolen key, the threat actor was able to override the service’s security, remotely access certain Treasury DO user workstations, and access certain unclassified documents maintained by those users.”
The BeyondTrust website says that more than 20,000 customers across more than 100 countries use its privileged remote access tools, and that BeyondTrust is used by 75% of Fortune 100 organizations. The company has not responded to Dark Reading’s request for comment.
Treasury added that it was notified by BeyondTrust about the issue on Dec. 8 and is investigating the compromise along with the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI, according to the letter.
‘Epic’ Chinese Hack of US Treasury
The revelation that Beijing was able to strike right at the heart of America’s federal capitalist system itself comes as the federal government is still grappling with the sprawling and coordinated Chinese-backed cyberattacks against telecommunications companies in the US. Once inside, hackers from groups including Salt Typhoon accessed call data and text messages of an unknown number of Americans. So far, Chinese hacking groups have been discovered inside at least nine different telecom networks in the US.
While investigations into the US Treasury breach are ongoing, these brazen Chinese acts of cyber espionage are almost certain to require dicey diplomatic maneuvering. That could prove difficult to pull off during the murky transition period from the Biden administration to the incoming Trump administration.
“Beijing’s routine denial of responsibility for cyberespionage incidents raises diplomatic challenges with the US in addressing such breaches effectively since there’s a lack of transparency and accountability/coordination,” Lawrence Pingree, vice president of Dispersive, said in a statement provided to Dark Reading.
He added that it’s still unclear whether the Chinese hackers were able to crack the application’s secrets, or a cryptographic key.
“Secrets and cryptographic key management are critical elements of managing software API access and thus if deficient in some way, or a compromise occurs via a developer’s endpoint, the breach of those secrets and authentication keys can create these types of epic breaches,” he added.
The breach also shows that cybersecurity vendors remain favorite targets of sophisticated state threat actors, according to former NSA cyber expert Evan Dornbush, who provided a statement in reaction to the breach.
“The cybersecurity world is reeling from yet another high-profile breach, this time targeting the clients of security vendor BeyondTrust,” Dornbush said. “This incident joins a growing list of attacks on security firms, including Okta (whose breach directly impacted BeyondTrust as a customer), LastPass, SolarWinds, and Snowflake.”