CISA Looks into Chinese Cyberattacks on the Treasury Department


US Cyber Defense Agency Aids in Investigation of Major Cyber Incident

Image caption: Chinese-linked hackers targeted the Department of Treasury through a third-party contractor, BeyondTrust. (Image: Shutterstock)

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is currently assisting investigations into a sophisticated cybersecurity breach linked to Beijing that affected the Department of Treasury. The attack, which authorities describe as an escalation in a series of significant intrusions into U.S. critical infrastructure, specifically aimed to obtain insights regarding future sanctions on Chinese firms.

Investigators identified that this breach struck divisions within the Department of Treasury, including the Office of Foreign Assets Control (OFAC), which is responsible for enforcing sanctions. Following the discovery of this incident in December, Treasury officials promptly halted cloud support services from the affected contractor, BeyondTrust, as a precautionary measure (see: Chinese Hackers Breach US Treasury in ‘Major Incident’).

In a statement released last Monday, CISA confirmed its ongoing collaboration with the Treasury and BeyondTrust to accurately assess and mitigate the repercussions of this recent cybersecurity incident. The intrusion fits a broader pattern of aggressive cyber operations attributed to Chinese adversaries against U.S. industries and government networks.

Experts have indicated that these attacks are part of a strategic preparation by Beijing for potential future confrontations with the U.S., particularly regarding geopolitical tensions such as those surrounding Taiwan. To counter this emerging threat landscape, the Biden administration has already implemented a series of sanctions targeting Chinese actors engaged in cyber operations (see: US Sanctions Beijing Company for Flax Typhoon Hacking).

BeyondTrust, the contractor impacted by the breach, is nearing the conclusion of an extensive forensic investigation into its remote support services. The company confirmed that all identified vulnerabilities have been patched, including a specific fix for self-hosted instances of its software. Additionally, the company stated that no other customers have been affected, a claim supported by CISA, which reported no signs of impact on other federal agencies.

Following the identification of the breach, Treasury officials quickly involved CISA to investigate the compromise of remote workstations that used BeyondTrust's cloud services. While CISA has refrained from further public comment at this stage, it has emphasized the critical importance of safeguarding federal systems and the sensitive data they handle for national security.

In this incident, the primary target has been the U.S. Department of Treasury, specifically its sanctions enforcement divisions. The attack is attributed to Chinese adversaries and is consistent with tactics catalogued in the MITRE ATT&CK framework, including initial access and privilege escalation techniques. The layered nature of the attack suggests a sophisticated understanding of the organizational structure within U.S. federal agencies, with the aim of extracting strategic information useful for future operations.
