On December 30, 2024, the United States Department of the Treasury disclosed that it had been hacked by a state-sponsored actor of the People's Republic of China who gained access to unclassified documents.
The United States government has accused the People's Republic of China (PRC) and its state-sponsored advanced persistent threats of hacking into its services. [1] In July 2024, PRC hackers compromised at least nine telecommunications companies. As part of that breach, Salt Typhoon obtained a nearly complete list of phone numbers wiretapped by the United States Department of Justice. Chinese hackers had previously compromised email accounts used by officials in the United States Departments of Commerce and State, including secretary of commerce Gina Raimondo. [2]
On December 2, 2024, BeyondTrust, a privileged access management vendor used by the United States Department of the Treasury, suffered a cyberattack that affected a limited number of customers using the company's remote support software. [3] Investigation revealed that the attackers had obtained a remote support SaaS API key, which allowed them to perform password resets on local application accounts. [4] The company noted that two separate command injection vulnerabilities were also discovered during the investigation but were not being actively exploited. [5] [6] [7] BeyondTrust is a FedRAMP vendor; if the department's deployment of its software was FedRAMP-certified, the hack would be the first breach of its kind, according to former National Security Agency hacker Jake Williams. [8]
On December 2, BeyondTrust detected suspicious activity on servers operated by the Department of the Treasury. Three days later, the company determined that the department had been hacked. [9] On December 8, BeyondTrust informed the department that a hacker had obtained an API key [10] for a cloud-based service used for remote technical support. [11] After the breach was discovered, BeyondTrust revoked the stolen API key and shut down all compromised instances of the tool. [12] The company stated that the hacker had been able to access unclassified documents, remotely access workstations, and override server security. [13] Several workstations were accessed. [14] The department contacted the Cybersecurity and Infrastructure Security Agency [15] and the Federal Bureau of Investigation, among other intelligence agencies and third-party investigators. [2] The service was taken offline, and the hacker's access to department information is believed to have been removed. [16]
On December 30, assistant secretary of the Treasury for management Aditi Hardikar [17] informed Senate Committee on Banking, Housing, and Urban Affairs chairman Sherrod Brown and ranking member Tim Scott of the breach. [18] Agence France-Presse first reported on the letter. [15] The intrusion was classified as a "major cybersecurity incident" because it was attributed to an advanced persistent threat; [2] other agencies determined that the hack originated from China. [19] The New York Times reported that the hack was carried out by a Chinese intelligence agency as part of an espionage operation, as opposed to an effort to disrupt infrastructure. [2] The department is required to prepare a supplemental report within thirty days and provide it to lawmakers. [9] [14]
The Washington Post reported in January 2025 that the hack involved the Office of Foreign Assets Control, the Office of Financial Research, and the Office of the Treasury Secretary. [20]
Senate Committee on Banking, Housing, and Urban Affairs ranking member Tim Scott requested a briefing on the hack. According to a spokesman, he is "closely watching the situation". [18] The committee intends to hold a classified briefing about the hack in January 2025. [14]
The Chinese embassy in Washington, D.C. denied the allegations. [21] Spokesman Liu Pengyu stated that the embassy hoped "relevant parties will adopt a professional and responsible attitude when characterizing cyber incidents" rather than basing assessments on "unfounded speculation and accusations". [9]