U.S. Treasury Reports Cyberattack by Chinese Hackers
Meanwhile a 9th company has been added to the list of telecoms struck by China’s ‘Salt Typhoon’ hacking.
The U.S. Treasury Department announced it was hit by a significant cybersecurity breach attributed to a state-sponsored actor from China.
The hackers gained remote access to several Treasury Department workstations and unclassified documents by exploiting vulnerabilities in a third-party software service provider called BeyondTrust.
In a letter informing lawmakers of the episode, the Treasury Department said that it had been notified on Dec. 8 by a third-party software service company, BeyondTrust, that the hacker had obtained a security key that allowed it to remotely gain access to certain Treasury workstations and documents on them.
“Based on available indicators, the incident has been attributed to a China state-sponsored Advanced Persistent Threat (APT) actor,” the letter said. “In accordance with Treasury policy, intrusions attributable to an APT are considered a major cybersecurity incident.”
The Treasury Department said it had worked with the F.B.I., the intelligence community and other investigators to determine the impact of the breach. The compromised service had been taken offline, and there is no evidence that the Chinese state actor still has access to Treasury information, the department said.
The hackers gained access through the department’s cloud-based service for vendor support.
According to the letter to Senate Banking Committee leadership, the third-party software service provider, BeyondTrust, said hackers gained access to a key used by the vendor to secure a cloud-based service that Treasury uses for technical support.
“With access to the stolen key, the threat actor was able to override the service’s security, remotely access certain Treasury [Departmental Office] user workstations, and access certain unclassified documents maintained by those users,” the Treasury letter said.
BeyondTrust did not immediately respond to a request for comment.
It’s not clear exactly how many workstations were infiltrated. However, the Treasury spokesperson said in the statement that “several” Treasury user workstations were accessed.
The compromised third-party service has since been taken offline, and the situation has been classified as a major security incident.
Along with the FBI, the Department has been working with the Cybersecurity and Infrastructure Security Agency and third-party forensic investigators to determine the breach’s overall impact.
Based on evidence it has gathered so far, officials said the hack appears to have been carried out by “a China-based Advanced Persistent Threat (APT) actor.”
“In accordance with Treasury policy, intrusions attributable to an APT are considered a major cybersecurity incident,” Treasury Department officials wrote in their letter to lawmakers.
It must be noted that BeyondTrust serves over 20,000 customers, including 75% of the Fortune 500, across more than 100 countries. Imagine the amount of this nation’s intellectual wealth now directed to the Chinese.
NEW: #China government hackers breached the @USTreasury through a security vendor
Sounds like it went like this:
STEP 1: First, attackers targeted Treasury vendor @BeyondTrust
STEP 2: Stole #BeyondTrust's key for a remote tech support cloud platform.
STEP 3: Attackers used… pic.twitter.com/jiGXAYDbnN
— John Scott-Railton (@jsrailton) December 30, 2024
This incident is part of the ever-increasing Chinese cyber activities targeting U.S. institutions, including recent breaches of telecommunications networks that allowed access to American officials’ communications. The telecom hacking was named ‘Salt Typhoon’, which we covered in the fall.
There is an update. Officials indicate the breach has been contained but have added a ninth target to the list of entities hit by China.
“We detect no activity by nation-state actors in our networks at this time. Based on our current investigation of this attack, the People’s Republic of China targeted a small number of individuals of foreign intelligence interest,” an AT&T spokesperson said.
While only a few cases of compromised information were identified, AT&T was monitoring and remediating its networks to protect customers’ data, and continues to work with authorities to assess and mitigate the threat, the spokesperson said.
“We have not detected threat actor activity in Verizon’s network for some time, and after considerable work addressing this incident, we can report that Verizon has contained the activities associated with this particular incident,” Verizon’s Chief Legal Officer said in a statement.
An independent and highly respected cyber security firm has confirmed the containment, Verizon said.
On Friday, U.S. officials added a ninth unnamed telecom company to the list of entities compromised by the Salt Typhoon hackers and said the Chinese involved gained access to networks and essentially had broad and full access, giving them the capability to “geolocate millions of individuals, to record phone calls at will.”
Hopefully, under the new Trump administration, our security agencies will have the motivation and talent to prevent these attacks…rather than continuing to focus on conservative citizen activists.
Comments
At what point do we just declare this crap an act of war and retaliate?
Add the state of Rhode Island to the list.
“On Monday, Gov. Dan McKee said his team has identified 650,000 people whose personal information was stolen in the recent cyberattack on the state’s IT system for social services.”
I am a CPA that deals extensively with the IRS. The IRS agents, since COVID hit, now work from home. So taxpayer calls are routed from the call centers to the agents’ homes, and access to confidential tax data is transmitted on phone lines/internet.
serious questions regarding security
Very good point. Let’s also remember the SSA union got a five year work from home pledge from the Biden WH.
My question would be does all this pass muster under a strict reading of the Privacy Act? IRS and SSA data are a trove of PII (Personally Protective Information) aka any data that could be used to ID you and breach or cause problems elsewhere; phone #, SSA #, address, Name, account #, Financial institution.
All those things have a whole litany of required safeguards, not just in physical format but also in digital format. If some gov’t employee is doing telework, where can we view the physical PII Policy letters his workplace is required to post, and that must be accessible to the public whose data is being used in that location?
So, if you have a cell phone, a bank account, or have dealt with the IRS, just assume the Chinese know everything about you?
Almost every Chinese person I meet, it’s always, “Oh! It’s you! Go away!”
“exploiting vulnerabilities in a third-party software service provider called BeyondTrust.”
Damn, that’s practically Biblical.
“IT’S A COOKBOOK!!”
As another wag has already pointed out, don’t worry; the treasury was empty at the time.