Threat actors, pirate-style, are trying to bury the Treasury.
In a letter to lawmakers on Dec. 30, a US Treasury official said the department believes China-based state-sponsored threat actors remotely accessed workstations and unclassified documents from the institution. The reported way in—a compromised security key of a third-party tool—provides instructive security examples across industry, according to pros who spoke with IT Brew.
“If the US Treasury Department, via one of its third-party vendors, can’t shore up its own defenses, I think that just goes to highlight how challenging it is for organizations through the whole range of sizes, from SMEs through to global multinational corporations,” Ian Birdsey, partner and cyber and data protection disputes specialist at global law firm Clyde & Co, told IT Brew. “I think there is very much a lesson for everyone to take away here, that this is a case of when, not if.”
Third-party time. The December letter shared that a threat actor used a stolen key from identity-management vendor BeyondTrust “to override the service’s security, remotely access certain Treasury [departmental office] user workstations, and access certain unclassified documents maintained by those users.”
A Dec. 31 blog post from Check Point Software Technologies recommended defenses to guard against remote-access compromises, including encryption of corporate documents and assessments of supply-chain vendors and their security track record.
“You can’t predict the future, but you can predict, based on past behavior, how fast those companies react to issues that they’ve had,” Tony Sabaj, Check Point’s head of channel security engineering for the Americas, told us.
BeyondTrust has shared details of its investigation, which began on December 5, 2024, when a root-cause analysis determined an API key for remote support had been compromised. (The Treasury letter to lawmakers stated that the company notified the department on Dec. 8 that a threat actor had gained access to a key.)
Anomaly crossing. Check Point’s post also recommended implementing behavior-modeling tools “to detect unusual API calls or unexpected user behavior.”
Birdsey said the Treasury’s cyber incident highlights the importance of monitoring with endpoint detection and response (EDR) tools and security operations centers. SOCs, he said, provide alerts of anomalies, like actions from an unlikely IP address, or actions performed at an unexpected time of day.
“If you accept that security breaches are often very difficult to prevent altogether, and particularly where there’s a supply-chain risk or a supply-chain component, where it’s not necessarily your environment that’s targeted in the first place, as appears to be the case here, then actually identifying unexpected, unauthorized, and anomalous activity is a really, really good area to focus on,” Birdsey said.
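The detection approach Check Point and Birdsey describe above, a baseline of normal API-key activity against which unfamiliar source addresses, off-hours actions, and never-before-seen operations are flagged, can be sketched in a few dozen lines. The following is an added example written for this article; it is not code from IT Brew, Check Point, BeyondTrust or the Treasury. The log lines are constructed, the field names (`api_key_id`, `src_ip`, `action`) and the historical/recent split at a fixed cutoff are assumptions, and the "normal hours" heuristic is deliberately simple.

```python
"""Baseline-and-deviation detector over constructed remote-support API logs.

Added example, not vendor code. Field names, IPs and timestamps are made up.
Historical events (before CUTOFF) build a per-key baseline; later events are
scored against it and any deviation is reported with a reason.
"""
import json
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample log: one JSON object per line, timestamps in UTC.
SAMPLE_LOG = """
{"ts": "2024-12-02T14:05:11Z", "api_key_id": "rs-key-01", "src_ip": "203.0.113.10", "action": "session.create", "user": "helpdesk-a"}
{"ts": "2024-12-02T15:12:40Z", "api_key_id": "rs-key-01", "src_ip": "203.0.113.11", "action": "session.create", "user": "helpdesk-b"}
{"ts": "2024-12-03T09:30:02Z", "api_key_id": "rs-key-01", "src_ip": "203.0.113.10", "action": "file.download", "user": "helpdesk-a"}
{"ts": "2024-12-03T16:45:19Z", "api_key_id": "rs-key-01", "src_ip": "203.0.113.12", "action": "session.create", "user": "helpdesk-c"}
{"ts": "2024-12-04T11:20:55Z", "api_key_id": "rs-key-01", "src_ip": "203.0.113.11", "action": "file.download", "user": "helpdesk-b"}
{"ts": "2024-12-05T02:41:07Z", "api_key_id": "rs-key-01", "src_ip": "198.51.100.77", "action": "session.create", "user": "helpdesk-a"}
{"ts": "2024-12-05T03:15:44Z", "api_key_id": "rs-key-01", "src_ip": "198.51.100.77", "action": "file.download", "user": "helpdesk-a"}
{"ts": "2024-12-05T10:02:13Z", "api_key_id": "rs-key-01", "src_ip": "203.0.113.10", "action": "session.create", "user": "helpdesk-a"}
{"ts": "2024-12-05T13:10:00Z", "api_key_id": "rs-key-02", "src_ip": "192.0.2.5", "action": "session.create", "user": "helpdesk-d"}
{"ts": "2024-12-05T14:00:00Z", "api_key_id": "rs-key-01", "src_ip": "203.0.113.12", "action": "policy.update", "user": "helpdesk-c"}
"""

# Assumed split point: everything before this is "history", the rest is scored.
CUTOFF = datetime.fromisoformat("2024-12-05T00:00:00+00:00")


def parse_log(text):
    """Parse JSON lines into dicts with a timezone-aware datetime in 'ts'."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def build_baseline(events):
    """Per API key: /24 networks seen, hours of day seen, and actions seen."""
    baseline = {}
    for ev in events:
        b = baseline.setdefault(
            ev["api_key_id"], {"nets": set(), "hours": set(), "actions": set()}
        )
        b["nets"].add(ip_network(f'{ev["src_ip"]}/24', strict=False))
        b["hours"].add(ev["ts"].hour)  # UTC hour; adjust for the team's zone in practice
        b["actions"].add(ev["action"])
    return baseline


def score_event(ev, baseline):
    """Return the list of reasons an event deviates from its key's baseline."""
    b = baseline.get(ev["api_key_id"])
    if b is None:
        return ["no_baseline"]  # a key with no history is itself worth a look
    reasons = []
    ip = ip_address(ev["src_ip"])
    if not any(ip in net for net in b["nets"]):
        reasons.append("unfamiliar_source")
    lo, hi = min(b["hours"]), max(b["hours"])
    if not lo <= ev["ts"].hour <= hi:
        reasons.append("off_hours")
    if ev["action"] not in b["actions"]:
        reasons.append("novel_action")
    return reasons


def detect(log_text=SAMPLE_LOG, cutoff=CUTOFF):
    """Build the baseline from pre-cutoff events and flag post-cutoff deviations."""
    events = parse_log(log_text)
    history = [e for e in events if e["ts"] < cutoff]
    recent = [e for e in events if e["ts"] >= cutoff]
    baseline = build_baseline(history)
    findings = []
    for ev in recent:
        reasons = score_event(ev, baseline)
        if reasons:
            findings.append({
                "ts": ev["ts"].isoformat(),
                "api_key_id": ev["api_key_id"],
                "src_ip": ev["src_ip"],
                "action": ev["action"],
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in detect():
        print(f'{f["ts"]} {f["api_key_id"]} {f["src_ip"]} {f["action"]}: {", ".join(f["reasons"])}')
```

On the constructed log, the two 02:41 and 03:15 UTC calls from `198.51.100.77` are flagged for both an unfamiliar source network and off-hours use, the unseen key `rs-key-02` is flagged for having no baseline, and the `policy.update` call is flagged as a novel action, while the ordinary 10:02 session from a known address passes. In a real deployment the "known networks" set would be the vendor's published egress ranges rather than whatever was observed, the hour window would be per user and per time zone, and findings would be routed to the SOC as alerts rather than printed.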
The attack on the Treasury follows a November announcement from CISA stating that threat actors from the People’s Republic of China (PRC) compromised multiple telecom networks in an espionage campaign to “compromise private communications of a limited number of individuals who are primarily involved in government or political activity.”
“At this time, there is no indication that any other federal agencies have been impacted by this incident,” CISA wrote in an update on Jan. 6.
As of January 3, neither BeyondTrust nor the US Treasury had responded to requests for comment.