US Treasury Department workstations breached in attack attributed to China

Published 2024-12-31, https://cybersecurityinfocus.com/?p=1390

The US Department of the Treasury revealed on Monday that an attacker was able to bypass security, access an undisclosed number of Treasury workstations, and steal “certain unclassified documents,” in what it called a “major cybersecurity incident”.

In a letter to the US Senate’s Committee on Banking, Housing and Urban Affairs (https://www.documentcloud.org/documents/25472698-letter-from-treasury-re-december-2024-cyberattack/), the Treasury Department said that it was notified by BeyondTrust on Dec. 8 that a threat actor had gained access to a key securing remote technical support access to Treasury workstations.

“Based on available indicators, the incident has been attributed to a China state-sponsored Advanced Persistent Threat (APT) actor,” the letter said, adding, “in accordance with Treasury policy, intrusions attributable to an APT are considered a major cybersecurity incident.” (Background on APTs: https://www.csoonline.com/article/548564/5-signs-youve-been-hit-with-an-apt.html)

“This fits a pattern of Chinese state-sponsored hacking teams using the supply chain to go after the US government,” said David Shipley, CEO and cofounder of Beauceron Security, in an email. “This follows highly successful attacks against Microsoft’s productivity cloud solution, and previous Russia-linked attacks on the US government using Microsoft 365 and, before that, SolarWinds.”

Treasury’s letter noted that the affected service had been taken offline, and that the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the intelligence community, and third-party forensic investigators are working to “fully characterize the incident and determine its overall impact.”

“What’s intriguing is what they might’ve been after,” Shipley observed. “What is this, just plain old spying? Or were they trying to lay the groundwork to maintain persistence and disrupt US government operations? I’d be less worried if it’s just plain vanilla spying.”

Treasury has promised more details in its 30-day supplemental report.

The timeline

Investigations continue at the BeyondTrust end as well, as the company delves more deeply into the scope and impact of the compromise.

The company said in its security advisory (https://www.beyondtrust.com/remote-support-saas-service-security-investigation) that “potentially anomalous behavior” was detected on Dec. 2, involving a single customer, which prompted an investigation. On Dec. 5, it confirmed the behavior, which affected what it described as a “limited” number of Remote Support SaaS instances, and revoked the compromised key. The affected instances were suspended and quarantined for forensic analysis, and customers were notified and provided alternative Remote Support SaaS instances.

During its investigation, the company said, it identified two vulnerabilities, one of critical severity and one designated medium, in its Remote Support and Privileged Remote Access products (both cloud and on-prem). As of Dec. 16, cloud instances had been patched, and patches had been released for the self-hosted versions.

BeyondTrust has also committed to regular updates as the investigation proceeds.