The United States Department of the Treasury admitted to lawmakers earlier this week that it recently came under a cyberattack, believed to be orchestrated by Chinese state-sponsored hackers. The event was described as a “major incident” in a letter to Senate Banking Committee leadership.

“Based on available indicators, the incident has been attributed to a Chinese state-sponsored Advanced Persistent Threat (APT) actor,” Aditi Hardikar, assistant secretary for management at the U.S. Treasury, wrote in the letter, which was written in accordance with the requirements of the Federal Information Security Modernization Act of 2014.

According to the Treasury Department, the compromised service has been taken offline. There is no evidence that the threat actor continues to have access to the department’s information.

China’s Foreign Ministry has denied the accusations.

“We have repeatedly stated our position on such groundless accusations lacking evidence. China has always opposed all forms of cyberattacks, and we are even more opposed to spreading false information about China for political purposes,” said Mao Ning, a spokesperson for the foreign ministry, during a press briefing.

Third-Party Software Used to Gain Access

According to the letter, the threat actors had gained access via a third-party cloud-based service that Treasury employs for its technical support.

“With access to the stolen key, the threat actor was able to override the service’s security, remotely access certain Treasury DO user workstations, and access certain unclassified documents maintained by those users,” Hardikar explained.

Service provider BeyondTrust had acknowledged that a security incident took place on December 2 involving its Remote Support SaaS (software as a service) product and notified a “limited number” of affected customers after the company confirmed on December 5 that there had been “anomalous behavior” in the product, CNN reported. BeyondTrust had suspended and quarantined the impacted instances of the product and hired an outside cybersecurity team to investigate.

“A thorough investigation into the cause and impact of the compromise is underway with a recognized third-party cybersecurity and forensics firm. Our initial investigation has found that no BeyondTrust products outside of Remote Support SaaS are impacted,” the company explained in a public notice. “We will continue to share any relevant confirmed information we discover during our investigation, by way of updates on this blog, to help impacted organizations in threat hunting.”

Beijing Denial and Reaction Aren’t a Surprise

Cybersecurity experts warned that Beijing’s routine denial of responsibility for cyber-espionage incidents complicates the U.S. diplomatic response to such breaches, since it removes any transparency, accountability, or coordination.

“BeyondTrust’s website boasts about several large high-profile customers and partnerships yet it is not currently believed that the attackers went after any of them despite the potential for access,” Evan Dornbush, former NSA cybersecurity expert, told ClearanceJobs. “Doing so could have been far more profitable than going after government workstations, so this reduces the pool of likely attackers.”

China has been highly active in cyber operations, including the recent targeting of U.S. telecoms. However, the Treasury letter attributed the intrusion to a Chinese state-sponsored actor without naming a specific group.

“Solid attribution is always difficult, and frankly rather ‘loose’ – it’s basically normally a ‘best guess,’” added Lawrence Pingree, vice president at cybersecurity provider Dispersive.

“Indicators, languages used by attackers during code compilation of malware, source IP addresses, etc. all are used to triangulate a threat actor,” Pingree told ClearanceJobs, but acknowledged it is not an exact science, given the many exploits, known and unknown, in circulation.

“While I haven’t seen an official statement from Treasury beyond their notification to the Senate Committee, there is plenty of reporting from ‘Treasury sources’ that directly assert the actors originate with Chinese interests,” said Dornbush. “Presumably, there is enough supporting technical analysis to be that confident, so the key question is what is the government response to the perpetual usage of zero-day exploits by sophisticated actors?”

The SaaS Threat Vector

Regardless of where the attack originated, it is just the latest breach to occur through third-party software. As previously reported, there have been warnings that technology vendors have been allowed to ship defective and insecure software.

As a result, it is all too common for hackers to find exploits.

“Allegedly, the hackers gained access to a key used by BeyondTrust to secure a cloud-based service for providing technical support remotely,” Pingree explained. “Typical SaaS applications share ‘secrets,’ which are API keys – often a long string of characters called a hash, which are fixed-size digests of a value sourced from hardware, like a random number generator. SaaS applications use these unique values to authenticate and access data in adjacent applications – just like a password.”

However, such “secrets” are usually shared manually by an administrator during setup, and they can end up stored insecurely: pasted into source code or configuration files in the clear, or left sitting unencrypted in memory.
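The practical check that follows from this is to find API keys that were pasted into code or configuration before an attacker does, and to pull them from the process environment (or a secret store) at runtime instead. The script below is an added example written for this article; it is not BeyondTrust’s code or anything from the Treasury letter. The sample settings file, the variable names, the key value and the placeholder list are all constructed for illustration.

```python
"""Added example (not from the article or any vendor): find credential-like
string literals in source/config text and classify them, then show the
runtime alternative of reading the key from the environment.
"""
import math
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample settings file. The key value is made up; it is only
# meant to look like a live credential to the scanner.
SAMPLE_SOURCE = """\
# support_portal/settings.py (constructed example)
SUPPORT_API_URL = "https://support.example.invalid/api"
SUPPORT_API_KEY = "sk_live_9fQ2xT7vB1nL4mZ8pR3wK6yH0cJ5dA2e"
DB_PASSWORD = "changeme"
WEBHOOK_SECRET = os.environ["WEBHOOK_SECRET"]
"""

# An assignment whose left-hand name suggests a credential and whose
# right-hand side is a quoted string literal. Values read from the
# environment (os.environ[...]) deliberately do not match.
SECRET_ASSIGN = re.compile(
    r'^\s*(?P<name>[A-Za-z_][A-Za-z0-9_]*(?:KEY|SECRET|TOKEN|PASSWORD|PASSWD))'
    r'\s*=\s*(?P<q>["\'])(?P<value>[^"\']+)(?P=q)',
    re.IGNORECASE,
)

# Common placeholder values that are not real secrets (constructed list).
PLACEHOLDERS = {"changeme", "password", "secret", "todo", "xxx", "your_key_here"}


@dataclass
class Finding:
    line: int
    name: str
    value: str
    verdict: str  # "likely-live", "placeholder" or "low-entropy-literal"


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking API keys score well above ~3.5."""
    if not s:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify(value: str) -> str:
    """Placeholders are flagged but not urgent; long high-entropy literals
    are treated as live credentials that must be rotated."""
    if value.lower() in PLACEHOLDERS or value.startswith("<"):
        return "placeholder"
    if len(value) >= 16 and shannon_entropy(value) >= 3.5:
        return "likely-live"
    return "low-entropy-literal"


def scan_source(text: str) -> List[Finding]:
    """Return one Finding per credential-like string literal, in file order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = SECRET_ASSIGN.match(line)
        if m:
            findings.append(Finding(lineno, m.group("name"), m.group("value"),
                                    classify(m.group("value"))))
    return findings


def redact(value: str) -> str:
    """Never echo a recovered secret in full into logs or tickets."""
    return value[:4] + "***" if len(value) > 4 else "***"


def load_api_key(name: str, environ: Optional[Dict[str, str]] = None) -> str:
    """The hardened pattern: the key is injected at runtime, never a literal.
    Fails closed if the variable is absent or empty."""
    env = os.environ if environ is None else environ
    value = env.get(name, "")
    if not value:
        raise RuntimeError(f"{name} is not set; refusing to start without it")
    return value


if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line}: {f.name} = {redact(f.value)} [{f.verdict}]")
```

Run as-is it reports the hardcoded `SUPPORT_API_KEY` as a likely live credential and `DB_PASSWORD` as a placeholder, and it ignores the value that is already read from the environment. In practice you would run the scanner over a repository and CI artefacts, treat any `likely-live` hit as a key to rotate rather than merely delete, and keep the entropy threshold as a tuning knob, since short or structured keys can fall below it.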

Pingree added, while acknowledging he was speculating, that infostealer malware or Trojans are commonly used to compromise a developer’s or administrator’s endpoint, and that this was likely the case here.

“Often this is done through phishing,” he told ClearanceJobs. “But it could also be done via drive-by malware or advertising networks that often distribute malware.”


Peter Suciu is a freelance writer who covers business technology and cyber security. He currently lives in Michigan and can be reached at petersuciu@gmail.com. You can follow him on Twitter: @PeterSuciu.