A major US government data breach linked to Chinese threat actors was confined to the Treasury, a leading security agency has claimed.
The US Cybersecurity and Infrastructure Security Agency (CISA) shared the news in a brief bulletin on Monday.
“CISA is working closely with the Treasury Department and BeyondTrust to understand and mitigate the impacts of the recent cybersecurity incident,” it noted.
“At this time, there is no indication that any other federal agencies have been impacted by this incident. CISA continues to monitor the situation and coordinate with relevant federal authorities to ensure a comprehensive response.”
The Treasury was first notified about the attack on December 8 last year, after third-party security vendor BeyondTrust revealed that a threat actor had accessed a key used by the company to secure a cloud-based remote support service.
“With access to the stolen key, the threat actor was able to override the service’s security, remotely access certain Treasury Departmental Offices user workstations, and access certain unclassified documents maintained by those users,” a Treasury official wrote in a letter to a Senate committee.
Experts questioned at the time whether the threat actors may have used the same technique to target other BeyondTrust customers.
“The security of federal systems and the data they protect is of critical importance to our national security,” the CISA statement concluded. “We are working aggressively to safeguard against any further impacts and will provide updates, as appropriate.”
Reports suggest that the China-linked APT group targeted the Treasury’s Office of Financial Research and the Office of Foreign Assets Control (OFAC). The latter leads the US government’s sanctions programs, so the most plausible explanation is that Beijing wanted to learn which Chinese organizations and individuals are being mooted for punitive action in the future.
Just last week, Beijing-based Integrity Technology Group was sanctioned for allegedly helping Chinese threat group Flax Typhoon operate a large-scale botnet targeting US, European, African and Taiwanese networks.