The latest US security breach attributed to systematic attempts by China to compromise US institutions and critical infrastructure has impacted the US Treasury. The intrusion is being billed as “a major cybersecurity incident”.
According to a letter from the US Department of the Treasury: “The threat actor was able to override the service’s security, remotely access certain Treasury Departmental Office user workstations, and access certain unclassified documents maintained by those users… Based on available indicators, the incident has been attributed to a China state-sponsored Advanced Persistent Threat (APT) actor.”
In December, the US Treasury was notified by a third-party software service provider, BeyondTrust, that a threat actor had gained access to a key used by the vendor to secure a cloud-based service used to remotely provide technical support for Treasury Departmental Offices end users. The compromised BeyondTrust service has been taken offline and the Treasury reports that at this time there is no evidence indicating the threat actor has continued access to Treasury information.
The Treasury is now working with the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Intelligence Community, and third-party forensic investigators to fully characterize the incident and determine its overall impact.
Breach was the result of an advanced persistent threat
The Treasury has classified the breach as a major incident, as it believes the breach to be the result of an advanced persistent threat (APT), typically a state or state-sponsored group gaining unauthorized access to a computer network and remaining undetected for an extended period.
News of the Treasury breach follows hard on a number of recent major security breaches attributed to threat actors sponsored by the Chinese state. The Salt Typhoon hack, reported in November, was also allegedly conducted by a group that has been linked to Chinese intelligence. US Senator Mark Warner called the breach, which compromised outdated US telecoms systems, “the most serious telecoms hack in our history.” The hackers specifically targeted individuals involved in government activity and were able to listen in on conversations between “a number of well-connected Americans,” including President-elect Donald Trump.
The Salt Typhoon hack followed an urgent White House appeal earlier in the year for all US state governors to prepare to cope with their water systems being attacked and taken down by Chinese cyber-attacks.
As threat actors sponsored by the Chinese state appear to be targeting key institutions and individuals in the US via third parties and all kinds of service providers, recent cybersecurity incidents may be taken as further evidence that private and public sector organizations have now become prime targets for cyber-espionage.