The US Treasury Department suffered a “major” security incident when a state-sponsored hacker from China broke into third-party remote management software it uses. The breach was first reported by The New York Times.

In a letter to lawmakers, reported by The Verge, the Treasury Department said BeyondTrust, a maker of remote management software, notified the agency of the breach on Dec. 8.

The threat actor stole keys used by BeyondTrust to secure “a cloud-based service used remotely to provide technical support for Treasury Departmental Office (DO) end users.” With the key, they overrode security to remotely access those users' workspaces and “certain unclassified documents” they created.

The Treasury Department said it worked with the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI after the attack, which has been attributed to Chinese state-sponsored Advanced Persistent Threat (APT) hackers. “The compromised BeyondTrust service has been taken offline and there is no evidence that the threat actor has continued access to Treasury systems or information,” U.S. Treasury Department spokesman Michael Gwynn said in a statement to The Verge.

The attack appears to be linked to a security incident BeyondTrust disclosed earlier this month that affected customers using its remote support software. At the time, BeyondTrust attributed the attack to a compromised API key for its remote support software, and said it “immediately revoked the API keys, notified known affected customers, and suspended those instances the same day.” The Verge contacted BeyondTrust with a request for comment but did not immediately receive a response.

“Treasury takes all threats against our systems and the data it holds very seriously,” Gwynn said. “Over the past four years, Treasury has significantly strengthened its cybersecurity, and we will continue to work with private and public sector partners to protect against actors who threaten our financial system.”
