By Eric Vandenbroeck and co-workers
US Treasury Hacked by China
The US agency
characterized the breach as a "major incident," and said it had been working
with the FBI and other agencies to investigate the impact.
Along with the FBI,
the department has been working with the Cybersecurity and Infrastructure
Security Agency and third-party forensic investigators to determine the
breach's overall impact.
Based on the evidence
it has gathered so far, officials said the hack
appears to have been carried out by "a China-based Advanced Persistent
Threat (APT) actor".
As espionage agents,
the hackers are believed to have been seeking information, rather than
attempting to steal funds.
The Treasury
Department labeled the breach a “major incident,” in line with department
policy that, according to the letter, categorizes nation-state intrusions as
“major.” Once the Treasury was alerted to the issue, it contacted the
Cybersecurity and Infrastructure Security Agency (CISA), and it has taken the BeyondTrust service offline, according to a Treasury
spokesperson. There is no evidence the hacker still
has access to Treasury systems, the spokesperson said.
This is the latest
high-profile and embarrassing US breach blamed on Chinese espionage hackers.
It follows another
hack of telecom companies in December that potentially breached phone record
data across large swathes of American society.
A Treasury
spokesperson said in a statement that the compromised service has been taken
offline and officials are working with law enforcement and the Cybersecurity
and Infrastructure Security Agency (CISA).
“There is no evidence
indicating the threat actor has continued access to Treasury systems or
information,” the Treasury spokesperson said.
The breach comes in the wake of dramatic hacking initiatives that
have been attributed to China. Earlier this year, a Chinese hacking group,
nicknamed Salt Typhoon, penetrated more than a dozen U.S. telecommunications
companies, allowing them to monitor phone conversations and text messages of
hundreds of people, including President-elect Donald Trump and Vice President-elect JD Vance.
Treasury officials plan
to hold a classified briefing about the breach next week with staffers from the
House Financial Services Committee, a senior committee staffer told CNN. The
exact timing of the briefing has not been scheduled yet.
According to the
letter to Senate Banking Committee leadership, the third-party software service
provider, BeyondTrust, said hackers gained access to
a key used by the vendor to secure a cloud-based service that Treasury uses for
technical support.
“With access to the
stolen key, the threat actor was able to override the service’s security,
remotely access certain Treasury [Departmental Office] user workstations, and
access certain unclassified documents maintained by those users,” the Treasury
letter said.
BeyondTrust said it identified a security incident that took
place on December 2 involving its Remote Support product and notified the
“limited number” of customers involved after the company confirmed on December
5 that there had been “anomalous behavior” in the product.
It’s not clear
exactly how many workstations were infiltrated. However, the Treasury
spokesperson said in the statement that “several” Treasury user workstations
were accessed.
Based on Treasury
policy, intrusions attributed to advanced persistent threat actors are
considered a “major cybersecurity incident.” Treasury officials are required to
provide an update in a 30-day supplemental report.
It’s not clear if the
Treasury has fully determined the extent of the damage caused by the breach.
The intrusion seems
to be part of long-running Chinese government espionage efforts against the
U.S. government — in this case, trying to discern what Treasury is up to, a
U.S. official said, speaking on the condition of anonymity because the
investigation is ongoing.
The department didn’t
say whose workstations were among those breached, telling the senators only
that they involved “end users.” In the letter, a Treasury official said the
department was working with the FBI, the intelligence community, and
third-party investigators to “fully characterize the incident and determine its
overall impact.”
The Senate Banking
Committee’s top Republican member, Tim Scott (South Carolina), has requested a
briefing on the cyber breach and is “closely monitoring the situation,” a
spokesperson for the senator said.
Last year, Chinese cyberspies hacked email
accounts at the U.S. Commerce
and State departments, including that of Commerce Secretary Gina Raimondo,
along with a congressional staffer, a U.S. human rights advocate, and U.S.
think tanks.