The US Treasury Department suffered a significant security breach when a Chinese state-sponsored hacker infiltrated the third-party remote management software it uses, as previously reported by The New York Times.
In correspondence with lawmakers seen by The Verge, the Treasury Department disclosed that BeyondTrust, the provider of its remote management software, informed the agency of a breach on December 8th.
The perpetrator stole a key that BeyondTrust used to secure a cloud-based service for providing technical support to users within the Treasury Departmental Offices (DO). With this key, the attacker was able to bypass the service’s security measures and gain remote access to those users’ workstations, including “some unclassified documents.”
Following the breach, the Treasury Department worked with the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI. The attack was attributed to a Chinese state-sponsored Advanced Persistent Threat (APT) actor. According to a statement from US Treasury Department spokesperson Michael Gwin to The Verge, the compromised BeyondTrust service has been shut down, and there is no evidence of ongoing access to Treasury systems or information by the threat actor.
The incident appears to be related to a security breach that BeyondTrust disclosed as affecting customers of its remote support software. BeyondTrust reported that an API key for that software had been compromised and said it took immediate action to address the situation. The Verge sought comment from BeyondTrust but has not yet received a response.
Gwin stated, “Treasury takes all threats against our systems and data very seriously. Over the past four years, Treasury has significantly enhanced its cybersecurity defenses and will continue to collaborate with partners in both the private and public sectors to safeguard our financial system from threat actors.”