China Tied To Hack Of US Treasury Department

The U.S. Treasury office that administers economic sanctions has admitted that it was pwned by a “Chinese threat actor”:

Chinese government hackers breached the U.S. Treasury office that administers economic sanctions, the Washington Post reported on Wednesday, identifying targets of a cyberattack Treasury disclosed earlier this week.

Citing unnamed U.S. officials, the Washington Post said hackers compromised the Office of Foreign Assets Control and the Office of Financial Research and also targeted the office of U.S. Treasury Secretary Janet Yellen.

The department earlier this week disclosed in a letter to lawmakers that hackers stole unclassified documents in a “major incident.” It did not specify which users or departments were affected.

Asked about the paper’s report, Liu Pengyu, spokesperson for the Chinese Embassy in Washington, said the “irrational” U.S. claim was “without any factual basis” and represented “smear attacks” against Beijing.

Yeah. Right. I don’t believe anything that the Chinese have to say at this point. More on that later. Avishai Aviva, CISO of SafeBreach, had this to say:

“In this latest breach of the US Treasury workstation, neither the government nor BeyondTrust, the vendor involved, provided sufficient information to understand what happened fully. This is normal for such events. Let’s peel through the layers of obscurity and get a clearer picture of what happened in this breach.

First, looking at the letter from the Treasury to lawmakers, we find this: “gained access to a key used by the vendor to secure a cloud-based service used to remotely provide technical support for Treasury Departmental Offices (DO) end users. With access to the stolen key, the threat actor could override the service’s security, remotely access certain Treasury DO user workstations, and access certain unclassified documents maintained by those users.” With all my years of experience, I was scratching my head at this narrative. When reading the BeyondTrust statement on their website, it became more apparent.

BeyondTrust, unironically, provides a secure method for Information Technology (IT) support personnel to provide remote support to end users. This method involves establishing a trusted connection between the support person and the end user. This trusted connection punches through traditional perimeter security controls and gives the support person full access and control over the end-user workstation.

Once inside, the support person can send documents back over that secure channel or masquerade as the end-user and send the same documents directly.

The security controls protecting the US Treasury network have no way of knowing something nefarious is happening, as the trusted connection is, well, trusted.

From the BeyondTrust website, the malicious actors used a critical vulnerability to gain unauthenticated (read as untrusted) access to the same support functionality as the authorized IT support personnel.

This incident boils down to what we refer to as a supply-chain vulnerability leading to a data breach. An Information and Communication Technology (ICT) vendor in the US Treasury supply chain had a vulnerability that was then used to extract data out of the US Treasury end-user workstations and network.

Now that we understand what happened, albeit at a high level, let’s focus on the following interesting detail – Attribution. The letter from the US Treasury indicates that this breach originated from China. It is unusual for an early notice, especially in case of such breaches, to be able to make such clear attributions. Looking through the technical details provided by BeyondTrust, we can see that the vulnerability was associated with four IP addresses. These addresses belong to DigitalOcean, a New Jersey Cloud Service Provider (CSP). This information indicates to me that the malicious actors used this cloud provider as a jumping-off point to infiltrate the BeyondTrust service and exploit the trusted connection to the US Treasury. The clear attribution suggests that the investigation was able to link these four addresses to accounts originating in China.

Last but not least, was there something that the US Treasury could have done to prevent this? The sad answer appears to be yes. Again, referring to the scant technical information BeyondTrust provided, the system administrators at the US Treasury, or the vendor likely to provide support services, failed to configure trusted locations from which the support agents could connect. We refer to this as IP Whitelisting. This failure is a critical risk with any such service. The same issue led to notable breaches in 2023 and 2024. This oversight is why we urge all service vendors, especially trusted ICT vendors, to follow the CISA Secure-by-Default guidance.”
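One way to express the “trusted locations” control Aviva describes, as an added example that is not from the post, SafeBreach or BeyondTrust: an allow-list of networks from which support agents may connect, applied to a remote-support session log so that sessions from anywhere else are flagged. The trusted ranges, the log format and the sample entries are all constructed for this example.

```python
# Added example (not from the original post or from BeyondTrust): an allow-list
# check for remote-support session sources, run over a constructed session log.
import ipaddress
import re

# Trusted locations from which support agents may connect. Constructed:
# an assumed corporate support VPN block and an assumed vendor egress range
# (RFC 5737 documentation addresses, so nothing here points at a real network).
TRUSTED_NETWORKS = [
    ipaddress.ip_network("10.20.0.0/16"),      # assumed corporate support VPN
    ipaddress.ip_network("198.51.100.0/24"),   # assumed vendor support egress
]

# Constructed log format: "<timestamp> session=<id> agent=<user> src=<ip> target=<host>"
LOG_RE = re.compile(
    r"session=(?P<session>\S+) agent=(?P<agent>\S+) src=(?P<src>\S+) target=(?P<target>\S+)"
)

def is_trusted_source(ip_text, networks=TRUSTED_NETWORKS):
    """True if the address lies inside one of the configured trusted networks.
    Anything that does not parse as an address is treated as untrusted (fail closed)."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(addr in net for net in networks)

def audit_sessions(lines, networks=TRUSTED_NETWORKS):
    """Return one finding per support session whose source is outside the allow-list.
    Enforced at the service this rule would refuse the session; applied to a log it
    surfaces connections the 'trusted' channel would otherwise hide."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not a session record; ignore
        if not is_trusted_source(m["src"], networks):
            findings.append({"session": m["session"], "agent": m["agent"],
                             "src": m["src"], "target": m["target"]})
    return findings

# Constructed sample log: two sessions from trusted ranges, two from elsewhere.
SAMPLE_LOG = [
    "2024-01-01T10:02:11Z session=s-1001 agent=helpdesk1 src=10.20.4.17 target=ws-do-0412",
    "2024-01-01T10:05:43Z session=s-1002 agent=vendor-svc src=198.51.100.23 target=ws-do-0077",
    "2024-01-01T11:17:09Z session=s-1003 agent=vendor-svc src=203.0.113.55 target=ws-do-0412",
    "2024-01-01T11:18:30Z session=s-1004 agent=vendor-svc src=not-an-ip target=ws-do-0099",
]

if __name__ == "__main__":
    for f in audit_sessions(SAMPLE_LOG):
        print(f"UNTRUSTED SOURCE: session {f['session']} by {f['agent']} from {f['src']} -> {f['target']}")
```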

The fact is that there appears to be enough evidence to tie China to this, and it appears to be just the latest attack that has been tied to China. Thus, besides taking action to prevent these incidents from happening, there needs to be action to make such activities something that China is less likely to carry out. And there needs to be action to make it way harder to get into supposedly secure networks.

UPDATE: Will Lin, CEO, AKA Identity adds this:

“This incident highlights two urgent, unsolved security issues today: third party vendor risk management and a lack of real-time visibility into identities. Because technology tools are built to trust valid credentials, the average identity-based breach takes over 200 days to detect.

Kudos to the US Treasury and BeyondTrust for detecting this incident and wishing the best in determining the investigation’s blast radius.”
