Chinese cyber-spies reportedly targeted sanctions intel in US Treasury raid

OFAC, Office of the Treasury Secretary feared hit in data-snarfing swoop
Chinese spies who compromised the US Treasury Department's workstations reportedly stole data belonging to a government office responsible for sanctions against organizations and individuals.

On Monday, the Treasury sent a letter to Congress disclosing the cyberattack. Days later, we learned Beijing's snoops specifically targeted the Office of Foreign Assets Control (OFAC), which administers economic and trade sanctions, as well as the Office of the Treasury Secretary, according to a Washington Post report.

The security breach illustrates the lengths to which China goes to gather intelligence on America and the US government in general, and in particular on matters relating to Chinese entities that may soon face sanctions, the WaPo noted, citing anonymous US officials.

The December 30 letter that the Treasury's Assistant Secretary for Management Aditi Hardikar sent to US lawmakers blamed the intrusion on an earlier BeyondTrust security incident in which miscreants snatched an API key for the software maker's Remote Support SaaS product. This allowed the key's thieves to remotely access some Treasury office workstations and "certain, unclassified documents" maintained by those users.

The BeyondTrust service instances that the snoops compromised were taken offline, and at this time, "there is no evidence indicating the threat actor has continued access to Treasury information," the letter continued.

Neither the US Treasury nor China's Ministry of Foreign Affairs responded to The Register's inquiries about the security breach.

A BeyondTrust spokesperson directed customers to a now-updated advisory about the snafu, and told The Register it took steps to shore up its security. "All cloud instances have been patched for this vulnerability," the biz noted. "We have also released a patch for self-hosted versions."

"BeyondTrust notified the limited number of customers who were involved, and it has been working to support those customers since then," the spokesperson told us. "No other BeyondTrust products were involved. Law enforcement was notified and BeyondTrust has been supporting the investigative efforts."

The Treasury letter also attributes the security breach to a "China state-sponsored Advanced Persistent Threat (APT) actor," which is noteworthy because US officials don't often play the blame game with other governments' cyber-espionage crews this early in the investigation.

"It is unusual for an early notice, especially in case of such breaches, to be able to make such clear attributions," SafeBreach Chief Information Security Officer Avishai Avivi said in an email to The Register.

"Looking through the technical details provided by BeyondTrust, we can see that the vulnerability was associated with four IP addresses," Avivi continued.

"These addresses belong to DigitalOcean, a New Jersey Cloud Service Provider (CSP). This information indicates to me that the malicious actors used this cloud provider as a jumping-off point to infiltrate the BeyondTrust service and exploit the trusted connection to the US Treasury. The clear attribution suggests that the investigation was able to link these four addresses to accounts originating in China."

This latest Chinese intrusion into US networks comes as government officials and law enforcement continue to investigate another Beijing-backed snooping effort that compromised at least nine American telecommunications companies, giving them the "capability to geolocate millions of individuals" and "record phone calls at will."

This attack, which has been attributed to Salt Typhoon, has been called the "worst telecom hack" in US history, and was among the escalating cyber incidents the Feds blamed on the Chinese government in 2024. ®
