Arthur T Knackerbracket has processed the following story:
According to a letter from the U.S. Treasury Department to lawmakers revealed on Monday, Dec. 30, Chinese-backed hackers successfully infiltrated the department’s systems and stole government documents this month.
The breach, first reported by Reuters, is yet another instance of state-sponsored cyber espionage targeting U.S. government employees, coming shortly after AT&T and Verizon said they had contained the Salt Typhoon intrusions into their networks. In a letter to Senator Sherrod Brown, chair of the Committee on Banking, Housing, and Urban Affairs, the Treasury confirmed that the attack occurred in December.
In the letter, the department states that it was notified of the breach by BeyondTrust, the third-party cybersecurity vendor whose cloud-based service Treasury used to provide remote technical support to end users in its Departmental Offices (DO). The attackers had obtained a key the vendor used to secure that service, and with it could reach the workstations the service was built to support.
"With access to the stolen key, the threat actor was able [to] override the service’s security, remotely access certain Treasury DO user workstations, and access certain unclassified documents maintained by those users," the letter reads.
The Treasury revealed it was alerted to the breach on Dec. 8 and is collaborating with the FBI and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to evaluate the scope of the incident. Reuters reports that the FBI has yet to respond to requests for comment, while CISA redirected inquiries back to the Treasury.
Related Stories
With the help of tipsters, the cybersecurity agency was able to 'connect the dots' to crack what has been called one of the worst telecom hacks in US history:
Chinese state-backed cyber espionage group Salt Typhoon, which has been in the news for its breach of U.S. telecom firms, was first discovered on the federal network using a different name, according to Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency (CISA).
"We saw it as a separate campaign called another goofy cyber name. And we were able to—based on the visibility that we had within the federal networks—to be able to connect some dots," she said during a discussion at the Foundation for Defense of Democracies on Jan. 15.
[...] The earlier identification under a different name enabled officials to connect the dots with the help of tipsters from the private sector, which Easterly said ultimately "led to kind of cracking open the larger Salt Typhoon piece."
[...] On Jan. 17, the U.S. Treasury Department announced it was sanctioning Chinese cybersecurity company Sichuan Juxinhe Network Technology Co. for "direct involvement in the Salt Typhoon cyber group."
"Chinese state-backed cyber actors continue to present some of the greatest and most persistent threats to U.S. national security," the Treasury Department said.
The Treasury Department also sanctioned Shanghai-based hacker Yin Kecheng, who was allegedly behind a major breach of the department's network in early December. The cyber actor is affiliated with China's Ministry of State Security, the department said.
Previously:
- U.S. Treasury Confirms It Was Breached by China-Backed Hackers
- A 9th Telecoms Firm Has Been Hit by a Massive Chinese Espionage Campaign, the White House Says
- Wyden Law Would Give FCC Greater Power Over Telecom's Lax Cybersecurity In Wake Of Ugly Salt Typhoon
- Salt Typhoon's Cyberstorm Reaches Beyond US Telcos
- Senators Ask Cyber Review Board to Conduct Investigation on Chinese Hack Group
Organizations are advised to keep their applications and software current and to patch known vulnerabilities in internet-facing systems to prevent such attacks:
A ransomware group called "Ghost" is exploiting the network vulnerabilities of various organizations to gain access to their systems, according to a joint advisory issued by multiple U.S. federal agencies.
"Beginning early 2021, Ghost actors began attacking victims whose internet-facing services ran outdated versions of software and firmware," the Cybersecurity and Infrastructure Security Agency (CISA) said in the Feb. 19 joint advisory. "Ghost actors, located in China, conduct these widespread attacks for financial gain."
The attacks have targeted schools and universities, government networks, critical infrastructure, technology and manufacturing companies, health care, and several small and mid-sized businesses.
[...] The criminals use publicly available code to exploit "common vulnerabilities and exposures" of their targets to secure access to servers. They leverage vulnerabilities in servers running Adobe ColdFusion, Microsoft Exchange, and Microsoft SharePoint.
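The advisory's point is that Ghost is not using novel techniques; it picks victims whose exposed servers are behind on patches. The check a defender wants is therefore a simple one: compare the versions on internet-facing hosts against a patch baseline and rank by exposure. The script below is an added example, not code from the advisory, from CISA or from any vendor. The inventory is constructed, and the baseline version numbers are made-up placeholders (an assumption for illustration), not real fix levels; real minimum versions come from the vendor advisories for the products you run.

```python
"""Flag internet-facing services running below a patch baseline.

Added example, not code from the CISA advisory, the Ghost reporting or
any vendor. The inventory and the baseline versions are constructed
placeholders for illustration; real minimum versions come from the
vendor's security advisories for your deployed products.
"""
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Service:
    host: str
    product: str
    version: str
    internet_facing: bool


# Placeholder baseline: product -> lowest version considered patched.
# These numbers are made up for the example (assumption), not real fix levels.
BASELINE = {
    "Adobe ColdFusion": "2023.0.0.330000",
    "Microsoft Exchange": "15.2.1544.4",
    "Microsoft SharePoint": "16.0.17000.0",
}

# Constructed inventory, shaped like an asset-management export.
INVENTORY = [
    Service("mail01", "Microsoft Exchange", "15.2.1258.12", True),
    Service("cf-web", "Adobe ColdFusion", "2023.0.0.330000", True),
    Service("intranet", "Microsoft SharePoint", "16.0.16000.0", False),
    Service("portal", "Acme Legacy Portal", "3.1", True),
]


def parse_version(text: str) -> tuple[int, ...]:
    """'15.2.1234.5' -> (15, 2, 1234, 5). Parsing stops at the first
    component containing no digits, so '2.1-beta' compares as (2, 1)."""
    parts: list[int] = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def is_below(version: str, minimum: str) -> bool:
    """Component-wise comparison; shorter tuples are zero-padded so that
    '16.0' equals '16.0.0.0' rather than sorting before it."""
    a, b = parse_version(version), parse_version(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def assess(services: Iterable[Service],
           baseline: dict[str, str] = BASELINE) -> list[tuple[str, str, str]]:
    """Return (host, severity, reason) for every service needing attention.

    Exposure drives severity: an outdated internet-facing service is
    'high', the same gap on an internal host is 'medium', and an exposed
    product with no baseline entry is 'review' because it cannot be
    judged automatically.
    """
    findings = []
    for svc in services:
        minimum = baseline.get(svc.product)
        if minimum is None:
            if svc.internet_facing:
                findings.append((svc.host, "review", f"no baseline for {svc.product}"))
            continue
        if is_below(svc.version, minimum):
            severity = "high" if svc.internet_facing else "medium"
            findings.append((svc.host, severity,
                             f"{svc.product} {svc.version} < {minimum}"))
    return findings


def high_risk_hosts(services: Iterable[Service],
                    baseline: dict[str, str] = BASELINE) -> list[str]:
    """Hosts that are both internet-facing and below baseline: patch these first."""
    return [host for host, severity, _ in assess(services, baseline) if severity == "high"]


if __name__ == "__main__":
    for host, severity, reason in assess(INVENTORY):
        print(f"{severity:6} {host:10} {reason}")
```

Run against the constructed inventory, only mail01 comes back as high risk: it is exposed and behind the placeholder baseline. The internal SharePoint host is still flagged, but lower, and the portal with no baseline entry is surfaced for manual review rather than silently passed, which is the failure mode an automated check most needs to avoid.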
Also at BleepingComputer.
Related:
- Chinese Salt Typhoon Hackers 1st Spotted on Federal Networks Under Another Name
- U.S. Treasury Confirms It Was Breached by China-Backed Hackers
- A 9th Telecoms Firm Has Been Hit by a Massive Chinese Espionage Campaign, the White House Says
- U.S. Officials Urge Americans to Use Encrypted Apps Amid Unprecedented Cyberattack
- T-Mobile Hacked in Massive Chinese Breach of Telecom Networks, WSJ Reports
(Score: 5, Insightful) by Snospar on Saturday January 04, @05:52PM
That summary is a bit misleading as the breach wasn't just "flagged" by BeyondTrust, they were the vendor who was compromised. It was their compromised key that was used to access the government systems. The key was used to secure a cloud-based service that could remotely access Treasury workstations... so quite an important thing to keep secure then!
I'm sure any fallout on the vendor will be minimal and they can always "go bankrupt" and pop up next week as "BeyondBelief" security.