US Treasury Says Chinese Hackers Stole Documents In 'Major Incident' (reuters.com)
An anonymous reader quotes a report from Reuters: Chinese state-sponsored hackers broke into the U.S. Treasury Department earlier this month and stole documents from its workstations, according to a letter to lawmakers that was provided to Reuters on Monday. The hackers compromised a third-party cybersecurity service provider and were able to access unclassified documents, the letter said, calling it a "major incident."
According to the letter, hackers "gained access to a key used by the vendor to secure a cloud-based service used to remotely provide technical support for Treasury Departmental Offices (DO) end users. With access to the stolen key, the threat actor was able to override the service's security, remotely access certain Treasury DO user workstations, and access certain unclassified documents maintained by those users." After being alerted by cybersecurity provider BeyondTrust, the Treasury Department said it was working with the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the FBI to assess the hack's impact. Developing...
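The letter describes a single stolen service key being enough to reach end-user workstations through the vendor's cloud support service. The first check a defender wants after reading that is whether key-authenticated support sessions came from where, and when, the vendor is expected to operate. The script below is an added example, not code from the page, from Treasury or from BeyondTrust: the JSON log schema, the field names, the vendor IP range (203.0.113.0/24, a documentation range), the support window and the sample records are all constructed assumptions for illustration.

```python
"""Flag remote-support sessions that authenticated with a vendor API key
but arrived from outside the vendor's expected source network or outside
the agreed support window.

Everything about the log format here is an assumption made for this example;
it is not BeyondTrust's real audit schema or telemetry.
"""
import ipaddress
import json
from datetime import datetime, timezone

# Assumed vendor egress range (TEST-NET-3, a documentation prefix).
VENDOR_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
# Assumed support window: sessions expected between 13:00 and 22:00 UTC.
SUPPORT_WINDOW_UTC = (13, 22)

# Constructed sample audit records (not real data). One line per event.
SAMPLE_LOG = """
{"ts":"2024-12-08T15:04:00Z","auth":"api_key","key_id":"svc-support-01","src_ip":"203.0.113.10","target":"DO-WS-0412","action":"session_start"}
{"ts":"2024-12-08T03:12:41Z","auth":"api_key","key_id":"svc-support-01","src_ip":"198.51.100.77","target":"DO-WS-0412","action":"session_start"}
{"ts":"2024-12-08T03:15:09Z","auth":"api_key","key_id":"svc-support-01","src_ip":"198.51.100.77","target":"DO-WS-0415","action":"file_download"}
{"ts":"2024-12-08T16:30:00Z","auth":"sso","user":"tech.jane","src_ip":"203.0.113.11","target":"DO-WS-0100","action":"session_start"}
"""


def parse_log(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def _in_vendor_range(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in VENDOR_RANGES)


def _in_window(ts):
    """True if the UTC hour of an ISO-8601 timestamp falls inside the support window."""
    hour = datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc).hour
    start, end = SUPPORT_WINDOW_UTC
    return start <= hour < end


def flag_sessions(records):
    """Return one finding per key-authenticated event that breaks an expectation.

    Interactive SSO logins are skipped: they carry a human principal and are
    reviewed through a different control. The scope here is bearer-style
    key authentication, which is what a stolen key would show up as.
    """
    findings = []
    for r in records:
        if r.get("auth") != "api_key":
            continue
        reasons = []
        if not _in_vendor_range(r["src_ip"]):
            reasons.append("source outside vendor ranges")
        if not _in_window(r["ts"]):
            reasons.append("outside support window")
        if reasons:
            findings.append({
                "key_id": r["key_id"],
                "target": r["target"],
                "ts": r["ts"],
                "src_ip": r["src_ip"],
                "reasons": reasons,
            })
    return findings


def targets_reached(findings):
    """Distinct workstations touched by flagged sessions, for scoping the response."""
    return sorted({f["target"] for f in findings})


if __name__ == "__main__":
    found = flag_sessions(parse_log(SAMPLE_LOG))
    for f in found:
        print(f)
    print("workstations to triage:", targets_reached(found))
```

The check is a compensating detection, not a fix: a key used from the vendor's own network during business hours passes it, so it does not replace short-lived, narrowly scoped credentials with per-session authorization on the customer side. Its value is that it turns "a key was stolen" into a concrete list of workstations to triage.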
What's the over / under? (Score:2)
In weeks, that is, before we learn that classified documents were also stolen?
Re: (Score:2)
Not sure what classified information the treasury would have.
What they probably have plenty of is CUI, "Controlled Unclassified Information"; stuff that is not public, but is access-controlled.
Re:What's the over / under? (Score:4, Interesting)
Treasury works with law enforcement and intel agencies on multiple fronts - money laundering, organized crime, funding operations, asset seizures, tracking money used to fund terrorism, foreign operations, plus data that will be driving policy decisions, etc...
Gonna say they would have access to some very juicy classified information.
What is frustrating is that this will go without any reciprocity/consequences. We call these incidents "hacks"... but when it's a nation state doing it, it is an ATTACK... not sure why this is being consistently normalized.
This isn't some guy in their basement trying to get stock info to leverage for trading and make a few extra bucks. They had a goal for this attack, and it wasn't to help out the US.
A small collection of known attacks/hacks: https://www.csis.org/programs/... [csis.org]
Re: (Score:3)
treasury works with law enforcement and intel agencies on multiple fronts - money laundering, organized crime, funding operations, asset seizures, tracking money used to fund terrorism, foreign operations, plus data that will be driving policy decisions, etc... gonna say they would have access to some very juicy classified information.
We are apparently using different definitions of "classified". Law enforcement information is not typically classified by the government definition of the word, in that you don't need a security clearance.
So public info then? (Score:2, Interesting)
If the US government doesn't classify something you can be sure it's totally inconsequential public information. The most damage this likely did was to the individual employees' privacy.
But it might've been just luck that nothing juicy was handled on these workstations.
BeyondTrust security provider breached (Score:3)
TL;DR:
- Outsourcing desktop support to a remote off-site third party allowed this breach to happen
From the article https://www.reuters.com/techno... [reuters.com]
US Treasury says Chinese hackers stole documents in 'major incident' - By Raphael Satter and A.J. Vicens - December 30, 2024, 5:00 PM CST
Chinese state-sponsored hackers breached the U.S. Treasury Department's computer security guardrails this month and stole documents in what Treasury called a "major incident,"
- hackers compromised third-party cybersecurity servi
Re: (Score:2)
If the US government doesn't classify something
The way this works is; the initial report misstates the severity. After the big headlines, the severity increases, and subsequent headlines — now less interesting and easily overlooked — get closer to the truth.
Oy Vey (Score:4, Insightful)
A recurring issue in modern systems security.
Yeah. (Score:4, Insightful)
Security is kind of expensive to implement. It is, in fact, more than zero dollars above the cost of implementing features that basically work, and that makes it too expensive for most for-profit businesses to bother.
Even when lives are on the line, as we have seen with medical devices and hospital hacks.
In my past jobs I have sometimes found myself in the position of trying to justify spending more for security measures to protect against attacks that the business team thinks are unlikely or only possible in theory but not in practice. The whole "defense in depth" thing doesn't make business sense because you wind up defending against attacks in a zone that should already be defended against attacks, so often it just doesn't make the cut.
They aren't held accountable if they get hacked. Their business might go under but they will have already made a fortune for themselves by then, so they have no incentive to care.
Re: (Score:1)
"FireEye" security software was hacked in 2021.
Re: (Score:1)
ChatGPT:
The phrase “Who guards the guardians?” originates from the Latin question “Quis custodiet ipsos custodes?”, which translates to “Who will guard the guards themselves?” or “Who watches the watchmen?” This phrase is attributed to the Roman poet Juvenal, who included it in his Satires (Satire 6).
Original Context:
In Juvenal’s work, the phrase appears in the context of discussing marital fidelity and corruption. Specifically, Juvenal questions how one
"Major" doesn't necessarily mean major (Score:3, Informative)
The US government classifies a breach as "major" if it's undertaken by a nation-state.
"Major" has nothing to do with the actual extent of the breach, just who's behind it.
What is "worst" here is the lack of IT security (Score:4, Insightful)
Chinese hackers are not that great or powerful. If they get into critical systems, these systems were incompetently secured. Time to make such crap have _personal_ consequences for the decision makers or it will only get worse.
Re: (Score:2)
What he said!
Remote Management == RAT (Score:2)
The features that a remote management tool provides are pretty much identical to a remote access trojan, plus the bonus ability to do things like remotely lock and purge laptops. We've seen this abused in attacks on iCloud users:
https://www.wired.com/2012/08/... [wired.com]
"In the space of one hour, my entire digital life was destroyed. First my Google account was taken over, then deleted. Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic messages. And worst of all, my Appl
RTO (Score:2)
Ah, this is how they will enforce an RTO mandate and get a 70% attrition rate.
Excluding janitors and maintenance people only 3% of Federal workers go to work at the office.
Maybe for NatSec stuff that's a bad idea. Plenty of private-sector opportunities for the pajama class.
And to be clear I would rather be in the pajama class than work in DC.
Did you do your BOI Reports? (Score:3)
The Dept of Treasury is the group responsible for maintaining a new invasive database of identification for every small business owner in the US. This is called a BOI report.
For now courts have an injunction blocking the BOI report mandate, thank goodness. Once again privacy experts were correct. Don't overshare your info with the government.
Re: (Score:2)
Sure it's a hassle, but forming a business is a privilege not a right - or at least it should be.
Re: (Score:2)
They already have the data. It was reported on my SS-4 EIN application.
You don't see the irony of an ever-expanding government mandating I submit my government issued identification over and over and over again?
It's textbook over-regulation.
Mergers and Acquisitions strikes again. (Score:3)
It is now owned by a private equity firm, how can anyone be shocked that this happened?
Chinese stole documents :o (Score:2)
b. "Secure" and "cloud-based service" don't go in the same sentence.
c. Would these Chinese state-sponsored hackers be so stupid as to be traced back to East Chang'an Street?
Re: (Score:2)
c. Would these Chinese state-sponsored hackers be so stupid as to be traced back to East Chang'an Street?
Why? Whatcha gonna do about it?
Privacy is over (Score:1)
Network privacy is an old, worn out, virtually irrelevant concept that is on its way out and not aging well. The best approach is to assume it's over and done with. Time to be adults and move on.
Great Firewall Of China (Score:2)
I have always thought that it should face the opposite direction.
*We* should be blocking *them*.