On December 30, 2024, the United States Department of the Treasury disclosed that it had been hacked by a state-sponsored actor of the People's Republic of China who gained access to unclassified documents.
The United States government has accused the People's Republic of China (PRC) and its state-sponsored advanced persistent threats of hacking into its services. [1] In July 2024, PRC hackers compromised at least nine telecommunications companies. As part of that breach, Salt Typhoon obtained a nearly complete list of phone numbers wiretapped by the United States Department of Justice. Chinese hackers had previously compromised email accounts used by officials in the United States Departments of Commerce and State, including secretary of commerce Gina Raimondo. [2]
On December 2, 2024, BeyondTrust, a privileged access management company used by the United States Department of the Treasury, suffered a cyberattack that affected a limited number of customers using the company's remote support software. [3] Upon investigation it was discovered that the attackers had gained access to a remote support SaaS API key, allowing them to perform password resets against local application accounts. [4] The company noted that two separate command injection vulnerabilities were also discovered during the investigation, but were not being actively exploited. [5][6][7] BeyondTrust is a FedRAMP vendor; if the department's deployment of its software was FedRAMP-certified, the hack would be the first breach of its kind, according to former National Security Agency hacker Jake Williams. [8]
On December 2, BeyondTrust detected suspicious activity on servers operated by the Department of the Treasury. The company identified that the department had been hacked three days later. [9] On December 8, BeyondTrust informed the department that a hacker had obtained an API key [10] for a cloud-based service used for remote technical support. [11] After the breach was discovered, BeyondTrust revoked the stolen API key and shut down all compromised instances of the tool. [12] The company stated that the hacker was able to access unclassified documents, remotely access workstations, and override server security. [13] Several workstations were accessed. [14] The department contacted the Cybersecurity and Infrastructure Security Agency [15] and the Federal Bureau of Investigation, among other intelligence agencies and third-party investigators. [2] The service was taken offline, and the hacker's access to department information is believed to have been removed. [16]
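As an added example (not code from this page or from BeyondTrust), the following Python sketches the audit-log check a defender would run to notice a remote-support SaaS API key being used for local-account password resets from an unfamiliar source address or in a burst across several accounts, the conditions that should trigger key revocation; the log format, field names, and per-key source allowlist are assumptions, and the log lines are constructed.

```python
# Added, hypothetical example (not BeyondTrust's tooling); fields are assumed.
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log. Key rs-key-01 normally runs from 10.20.0.5;
# the last three events show the same key resetting several local accounts
# from an unfamiliar address within minutes.
SAMPLE_LOG = """\
{"ts":"2024-12-01T09:00:00Z","key_id":"rs-key-01","action":"session.start","src":"10.20.0.5","target":"wkstn-17"}
{"ts":"2024-12-01T09:05:00Z","key_id":"rs-key-01","action":"account.password_reset","src":"10.20.0.5","target":"helpdesk-svc"}
{"ts":"2024-12-02T03:10:00Z","key_id":"rs-key-01","action":"account.password_reset","src":"203.0.113.44","target":"local-admin"}
{"ts":"2024-12-02T03:11:30Z","key_id":"rs-key-01","action":"account.password_reset","src":"203.0.113.44","target":"svc-backup"}
{"ts":"2024-12-02T03:12:10Z","key_id":"rs-key-01","action":"account.password_reset","src":"203.0.113.44","target":"svc-monitor"}
"""

KNOWN_SOURCES = {"rs-key-01": {"10.20.0.5"}}   # assumed per-key allowlist (constructed)
RESET_ACTION = "account.password_reset"
BURST_WINDOW = timedelta(minutes=10)
BURST_THRESHOLD = 3   # distinct accounts reset within one window

def parse_log(text):
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
    return events

def detect_key_abuse(text, known_sources=KNOWN_SOURCES):
    """Return findings: resets from unknown sources, and reset bursts per key."""
    findings = []
    resets = defaultdict(list)   # key_id -> [(ts, target account)]
    for e in parse_log(text):
        if e["action"] != RESET_ACTION:
            continue
        if e["src"] not in known_sources.get(e["key_id"], set()):
            findings.append(("unknown_source", e["key_id"], e["src"], e["target"]))
        resets[e["key_id"]].append((e["ts"], e["target"]))
    for key_id, items in resets.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            window = [t for ts, t in items[i:] if ts - start <= BURST_WINDOW]
            if len(set(window)) >= BURST_THRESHOLD:
                findings.append(("reset_burst", key_id, len(set(window)), start.isoformat()))
                break   # one burst finding per key is enough to trigger revocation
    return findings

if __name__ == "__main__":
    for finding in detect_key_abuse(SAMPLE_LOG):
        print(finding)
```

Either finding type is a cue to revoke the key immediately, as BeyondTrust did, rather than wait for confirmation of the key's source.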
On December 30, assistant secretary of the Treasury for management Aditi Hardikar [17] informed Senate Committee on Banking, Housing, and Urban Affairs chairman Sherrod Brown and ranking member Tim Scott of the breach. [18] Agence France-Presse first reported on the letter. [15] The intrusion was considered a "major cybersecurity incident" because it was attributed to an advanced persistent threat; [2] other agencies determined that the hack originated from China. [19] The New York Times reported that the hack was committed by a Chinese intelligence agency as part of an espionage operation, as opposed to an effort to disrupt infrastructure. [2] The department is required to prepare a supplemental report within thirty days and provide it to lawmakers. [9][14]
The Washington Post reported in January 2025 that the hack involved the Office of Foreign Assets Control, the Office of Financial Research, and the Office of the Treasury Secretary. [20]
Senate Committee on Banking, Housing, and Urban Affairs ranking member Tim Scott requested a briefing on the hack. According to a spokesman, he is "closely watching the situation". [18] The committee intends to hold a classified briefing about the hack in January 2025. [14]
The Chinese embassy in Washington, D.C., denied the allegations. [21] Spokesman Liu Pengyu stated that the embassy hoped "relevant parties will adopt a professional and responsible attitude when characterizing cyber incidents" rather than basing assessments on "unfounded speculation and accusations". [9]