
US Treasury Department faces major security breach

The US Treasury Department faced a cyberattack linked to a China-state-sponsored hacker exploiting third-party software. No ongoing access was found.

You may be alarmed to learn that the US Treasury Department has suffered a significant cyberattack. A China state-sponsored hacker has been linked to the breach, which exploited third-party remote management software. This unsettling incident, first reported by The New York Times, has raised serious concerns about cybersecurity in critical government agencies.

The breach details revealed

On December 8, the Treasury Department received an alert from BeyondTrust, which provides its remote management software. BeyondTrust informed the agency that a threat actor had stolen a key used to secure its cloud-based service. This service is vital for providing technical support to Treasury employees in the Departmental Offices (DO).

The hacker bypassed security measures using the stolen key and accessed user workstations remotely. The breach also allowed them to retrieve “some unclassified documents” stored on these systems. While these documents were not classified, their exposure underscores the severity of the incident.

Following the breach, the Treasury Department immediately sought help from the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI. The incident was attributed to an Advanced Persistent Threat (APT) group with links to the Chinese government.

BeyondTrust’s role in the attack

The attack appears connected to an earlier incident disclosed by BeyondTrust, which affected customers using its remote support software. BeyondTrust revealed that an API key used in its software had been compromised. In response, the company revoked the API key, informed affected customers, and suspended impacted systems.

Despite the swift action, the breach underscores vulnerabilities in third-party software that could impact critical infrastructure. BeyondTrust has yet to comment further on the matter, even after outreach from media outlets.

Government response and strengthened defences

Michael Gwin, a spokesperson for the Treasury Department, assured the public that the compromised BeyondTrust service had been taken offline. He confirmed no evidence of ongoing access to Treasury systems or information by the threat actor.

“Treasury takes all threats against our systems and the data it holds very seriously,” Gwin said. He highlighted significant improvements in the agency’s cyber defences over the last four years and reaffirmed its commitment to working with public and private partners to safeguard the financial system.

This breach is a stark reminder of the persistent threats posed by state-sponsored cyberattacks. It also highlights the importance of securing third-party tools, which often serve as entry points for hackers.
