US Treasury hacked by state-sponsored Chinese APT group

Blogs Real Time Facts
Posted 2024-12-31 23:01:52
0
2K

The U.S. Treasury Department Dec. 30 informed Congress that it sustained a “major cybersecurity incident” at the hands of a state-sponsored Chinese group in which a BeyondTrust API key was hacked, resulting in the compromise of Treasury workstations and the theft of unclassified documents.

 

In a letter to the Senate Committee on Banking, Housing and Urban Affairs, Aditi Hardikar, assistant secretary for management at Treasury, said that on Dec. 8, BeyondTrust notified Treasury that the threat actor used the stolen key to access the department’s systems.

Hardikar told the Senators that the compromised BeyondTrust cloud service was taken offline and that there was no evidence indicating that the threat actor has continued its access to Treasury information.

The Treasury Department will offer more information on this incident in its 30-day follow-up report later in January.

This incident joins a growing list of attacks on security firms, including Okta, LastPass, SolarWinds, and Snowflake, said former NSA expert Evan Dornbush.

“In today's interconnected landscape, the perimeter has all but vanished,” said Dornbush. “A single zero-day exploit against a vendor can cripple your own operations. The BeyondTrust response, while remarkably swift, underscores this harsh reality.”

The latest release by Treasury makes a little more sense of CISA’s Dec. 19 announcement of adding the BeyondTrust vulnerability CVE-2024-12356 to the KEV list, said John Bambenek, president at Bambenek Consulting.

Bambenek said at the time, CISA announced a limited number of customer’s Remote Support SaaS instances were targeted: it now appears that the U.S. Treasury was one of those customers.

While it’s a stunning year-end announcement from Treasury, we still don’t know how many workstations were compromised, which documents were stolen, and which advanced persistent threat (APT) conducted the campaign.

Given the recent stories about Chinese threat actor Salt Typhoon attacking up to nine U.S. telecoms, some speculated that they were the culprits.

But as of the afternoon of Dec. 31, no further details had emerged.    

“At this point, I don’t see anything to indicate clearly that it’s Salt Typhoon beyond it being the Chinese APT on people’s mind because of the recent telecom breaches,” said Bambenek. “However, that doesn’t mean it couldn’t be either.”

Dornbush gave some further context to the BeyondTrust hack, pointing out that they moved quickly. The hack was initially discovered on Dec. 2, with the root cause identified by Dec. 5. Clients were notified on Dec. 8, and BeyondTrust released on patch Dec. 16.

“Sixteen days from discovery to mitigation, patching, disclosure, and attribution is impressive,” said Dornbush. “However, this speed doesn't negate the fundamental problem: their zero-days are your problem. While BeyondTrust acted quickly, the attackers likely exfiltrated data long before the patch was available. In smash-and-grab operations like this, data theft doesn't take 16 days.”

 

 

***

 

 

Wow
1
Please log in to like, share and comment!
Search
Categories
Read More
News & Politics
Chief Prosecutor Khan first on US ICC sanctions blacklist
The move bars Karim Khan from the U.S. and freezes any U.S. assets he may have   Karim...
By NavyVetUnited 2025-02-09 09:40:16 0 3K
News & Politics
Mexico concerned Trump may order military strike on cartels
As tensions continue to rise between the United States and Mexico over drug trafficking and...
By Potus 45-47th - President Donald J. TRUMP 2024-12-29 09:43:27 0 3K
Real Time Facts
From 'Angel of Death' to Hitler's deputy: Argentina declassifies Nazi war criminals' files
Over 1,850 reports and 1,300 orders detailing the presence of notorious Nazi criminals who fled...
By NavyVetUnited 2025-04-30 14:56:52 0 2K
News & Politics
The Western Media Hybrid 'Maskirovka' Amid Ukraine Counter-Offensive, Russian SMO
The most notable piece in the Western media this week discussing fatigue from the Ukrainian...
By NavyVetUnited 2023-10-31 19:34:58 0 14K
Music
1,000 Israeli musicians gather in mass prayer
A thousand musicians and singers gathered at the Caesarea Amphitheater for a particularly...
By NavyVetUnited 2023-12-28 12:58:31 0 12K
© 2025 X-Pulse, the HO1 Think Tank English
English Arabic French Spanish Portuguese Deutsch Turkish Dutch Italiano Russian Romaian Portuguese (Brazil) Greek
About Terms Privacy Contact Us Directory