A key used by third party service provider BeyondTrust to secure cloud-based remote support was stolen and used to access unclassified data, Treasury told lawmakers.
The US Department of the Treasury revealed on Monday that an attacker was able to bypass security, access an undisclosed number of Treasury workstations, and steal “certain unclassified documents,” in what it called a “major cybersecurity incident”.
In a letter to the US Senate’s Committee on Banking, Housing and Urban Affairs, the Treasury Department said that it was notified by BeyondTrust on Dec. 8 that a threat actor had gained access to a key securing remote technical support access to Treasury workstations.
“Based on available indicators, the incident has been attributed to a China state-sponsored Advanced Persistent Threat (APT) actor,” the letter said, adding, “in accordance with Treasury policy, intrusions attributable to an APT are considered a major cybersecurity incident.”
“This fits a pattern of Chinese state sponsored hacking teams using the supply chain to go after the US government” said David Shipley, CEO and cofounder of Beauceron Security, in an email. “This follows highly successful attacks against Microsoft’s productivity cloud solution, and previous Russia-linked attacks on the US government using Microsoft 365 and before that, SolarWinds.”
Treasury’s letter noted that the affected service had been taken offline, and that the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Intelligence community, and third-party forensic investigators are working to “fully characterize the incident and determine its overall impact.”
“What’s intriguing is what they might’ve been after,” Shipley observed. “What is this, just plain old spying? Or were they trying to lay the groundwork to maintain persistence and disrupt US government operations? I’d be less worried if it’s just plain vanilla spying.”
Treasury has promised more details in its 30 day supplemental report.
The timeline
Investigations continue at the BeyondTrust end as well, as the company delves more deeply into the scope and impact of the compromise.
The company said in its security advisory that “potentially anomalous behavior” was detected on Dec. 2, involving a single customer, which prompted an investigation. On Dec. 5, it confirmed the behavior, which affected what it described as a “limited” number of Remote Support SaaS instances, and revoked the compromised key. The affected instances were suspended and quarantined for forensic analysis, and customers were notified and provided alternative Remote Support SaaS instances.
During its investigation, the company said, it identified two vulnerabilities, one of critical severity and one designated medium, in its Remote Support and Privileged Remote Access products (both cloud and on prem). As of Dec. 16, cloud instances had been patched, and patches released for the self-hosted versions.
BeyondTrust has also committed to regular updates as the investigation proceeds.
