Major Incident at US Treasury: A Threat Actor’s Access to Unclassified Documents
On December 8, US Treasury officials were notified by BeyondTrust, a third-party software service provider, that a threat actor had obtained a key used to secure its cloud-based Remote Support service, which Treasury uses for remote technical support. With that access the actor reached certain Treasury employee workstations and some unclassified documents held on them. Treasury has classified the intrusion as a "major incident".
Attribution to Chinese State-Sponsored APT Actor
According to a letter obtained by TechCrunch and other outlets, including CNN, Aditi Hardikar, assistant secretary for management at the Treasury, wrote that, based on available indicators, the incident has been attributed to a Chinese state-sponsored Advanced Persistent Threat (APT) actor, meaning a group believed to operate on behalf of the Chinese government.
Chinese Government’s Response
In response to the allegations, China denied responsibility for the attack, stating that it "firmly opposes the U.S.’s smear attacks against China without any factual basis." Despite this denial, Treasury officials have assured lawmakers that they are working closely with the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), US intelligence agencies, and third-party forensic investigators to further examine the incident.
Compromised Service Taken Offline
To contain the intrusion, Hardikar informed US senators Sherrod Brown and Tim Scott of the Banking Committee that the compromised BeyondTrust service has since been taken offline. Treasury officials also stated that there is no evidence the threat actor retains access to Treasury systems or information.
Investigation and Cooperation
The investigation, conducted with CISA, the FBI, US intelligence agencies and third-party forensic investigators, is intended to establish the full scope of the intrusion and the methods the actor used, and to inform remediation within the Treasury department.
BeyondTrust’s Response
BeyondTrust, the software service provider whose Remote Support product was compromised, has confirmed that it identified a security incident in its Remote Support product on December 2. After confirming anomalous behavior on December 5, BeyondTrust revoked the API key and notified impacted customers soon after. Law enforcement was also notified, and BeyondTrust has been supporting the investigative efforts. Revoking the key closes the actor's path into the service, but it does not by itself establish what the actor did while the key was valid; that is what the forensic review of session and access records has to answer.
Supplemental Report
As required by the Federal Information Security Modernization Act (FISMA), a 30-day supplemental report will be provided to lawmakers detailing further information about the breach.
Recent Cybersecurity Incidents
This incident follows other recent breaches, including the Salt Typhoon campaign, in which a Chinese state-linked group compromised US telecommunications providers and accessed phone calls and text messages of lawmakers and officials. Separately, the crypto industry has seen a sharp rise in thefts this year, with over $2.3 billion worth of crypto assets stolen across 165 major incidents in 2024.
Rise of Access Control Breaches
The roughly 40% year-on-year increase in crypto hacking incidents is attributed largely to access control breaches, that is, compromised keys, credentials and privileged accounts, particularly at centralized exchanges and custodian platforms. The trend underlines that protecting the credentials that control funds matters as much as the underlying protocol code.
Classified Briefing
Treasury officials are reportedly planning to hold a classified briefing about the breach next week with staffers from the House Financial Services Committee. This briefing will provide lawmakers with more information about the incident and help inform future cybersecurity strategies.
Conclusion
The US Treasury breach illustrates two persistent risks: nation-state actors targeting government networks, and intrusions that arrive through a trusted third-party vendor's remote-access service rather than through the victim's own perimeter. Organizations should know which vendors hold keys or credentials that reach their endpoints, and monitor that access as closely as their own.
Timeline of Events:
- December 2: BeyondTrust identifies a security incident in its Remote Support product.
- December 5: Anomalous behavior confirmed, API key revoked, and impacted customers notified.
- December 8: Treasury officials notified by BeyondTrust of the compromise, which Treasury classifies as a "major incident."
- December 30: Letter to US senators describing the breach and attribution.
Key Players Involved:
- Aditi Hardikar, assistant secretary for management at the Treasury
- BeyondTrust, software service provider whose Remote Support product was compromised
- Cybersecurity and Infrastructure Security Agency (CISA)
- Federal Bureau of Investigation (FBI)
- US intelligence agencies