The United States Treasury Department said it encountered a “major cybersecurity incident” that allowed suspected Chinese threat actors to remotely access some of its computers and unclassified documents.
“On December 8, 2024, Treasury was notified by BeyondTrust, a third-party software service provider, that a threat actor had compromised a cloud-based service used to provide remote technical support for Treasury. The key used by the vendor has been accessed by end users of Departmental Offices (DO),” the department said in a letter informing the Senate Committee on Banking, Housing and Urban Affairs.
“With access to the stolen key, the threat actor was able to override the security of the service, gain remote access to some Treasury DO user workstations, and gain access to some unclassified documents held by those users.”
The federal agency said it was working with the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI), and that the available evidence indicated the intrusion was the work of an unnamed China-based state-sponsored Advanced Persistent Threat (APT) actor.
The Treasury Department added that it had taken the BeyondTrust service offline, saying there was no evidence that the threat actors still had access to the environment. It did not share any indicators of compromise or explain how it attributed the hack to China, nor did it specify when the breach occurred or how long it lasted.
China’s Foreign Ministry spokesperson Mao Ning denied claims that the Treasury Department was targeted. “On this kind of baseless accusation, we have made our position clear more than once. China opposes all kinds of hacking, and in particular, we oppose the spread of false information about China under a political agenda,” Ning said.
Earlier this month, BeyondTrust disclosed that it had been the victim of a digital intrusion that allowed bad actors to breach some of its Remote Support SaaS instances.
The company said an investigation into the incident found that the attackers gained access to a Remote Support SaaS API key that allowed them to reset passwords for local application accounts. BeyondTrust has not yet disclosed how the key was obtained.
“BeyondTrust immediately revoked the API key, notified known affected customers, and suspended these incidents the same day while providing replacement Remote Support SaaS instances to those customers,” it said.
The investigation also revealed two security vulnerabilities in the Privileged Remote Access (PRA) and Remote Support (RS) products (CVE-2024-12356, CVSS score: 9.8, and CVE-2024-12686, CVSS score: 6.6), the former of which has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild.
The disclosure comes as several US telecommunications providers find themselves in the crosshairs of another Chinese state-sponsored threat actor, Salt Typhoon.
Update:
A new Washington Post report published on January 1, 2024, citing unnamed U.S. officials, disclosed that the December cyberattack by Chinese threat actors on the Treasury Department breached the Office of Foreign Assets Control (OFAC) as well as the Treasury Secretary’s office.
“Targeting the Office of Foreign Assets Control (OFAC) as well as the Treasury Secretary’s office — a development not previously reported — reflects Beijing’s determination to gain intelligence on its most important rival in the global contest for power and influence,” officials said.