Treasury says Chinese hackers remotely accessed workstations, documents in ‘major’ cyber incident
WASHINGTON (AP) — Chinese hackers remotely accessed several U.S. Treasury Department workstations and unclassified documents after compromising a third-party software service provider, the agency said Monday.
The department did not provide details on how many workstations had been accessed or what sort of documents the hackers may have obtained, but it said in a letter to lawmakers revealing the breach that “at this time there is no evidence indicating the threat actor has continued access to Treasury information.” It said the hack was being investigated as a “major cybersecurity incident.”
“Treasury takes very seriously all threats against our systems, and the data it holds,” a department spokesperson said in a separate statement. “Over the last four years, Treasury has significantly bolstered its cyber defense, and we will continue to work with both private and public sector partners to protect our financial system from threat actors.”
The revelation comes as U.S. officials are continuing to grapple with the fallout of a massive Chinese cyberespionage campaign known as Salt Typhoon that gave officials in Beijing access to private texts and phone conversations of an unknown number of Americans. A top White House official said Friday that the number of telecommunications companies confirmed to have been affected by the hack has now risen to nine.
The Treasury Department said it learned of the problem on Dec. 8, when a third-party software service provider, BeyondTrust, flagged that hackers had stolen a key “used by the vendor to secure a cloud-based service used to remotely provide technical support” to workers. That key helped the hackers override the service’s security and gain remote access to several employee workstations.
The compromised service has since been taken offline, and there’s no evidence that the hackers still have access to department information, Aditi Hardikar, an assistant Treasury secretary, said in the letter Monday to leaders of the Senate Banking Committee.
The department said it was working with the FBI and the Cybersecurity and Infrastructure Security Agency and others to investigate the impact of the hack, and that the hack had been attributed to Chinese state-sponsored culprits. It did not elaborate.
U.S. Treasury says its computers were hacked by a Chinese 'threat actor' in a 'major incident'
The U.S. Treasury Department said a state-sponsored Chinese hacking operation was able to access third-party software to tap into desktop computers of Treasury employees in what the department is calling "a major incident."
In a letter seen by NBC News, Aditi Hardikar, assistant secretary for management of the U.S. Department of the Treasury, wrote that the office was notified on Dec. 8 of the breach. The letter is addressed to Sen. Sherrod Brown, D-Ohio, and Sen. Tim Scott, R-S.C., the chairman and ranking member, respectively, of the Committee on Banking, Housing and Urban Affairs.
The information accessed by the “threat actor” included unclassified documents, according to the letter.
Hardikar wrote that the U.S. Treasury was told by "a third-party software service provider, BeyondTrust, that a threat actor had gained access to a key used by the vendor to secure a cloud-based service used to remotely provide technical support for Treasury Departmental Offices (DO) end users."
With this access, the "threat actor" was able to override certain security measures and get into the department's user workstations.
The U.S. Treasury has been working with the Cybersecurity and Infrastructure Security Agency, the FBI and other members of the intelligence community, as well as "third-party forensic investigators to fully characterize the incident and determine its overall impact," the letter reads.
In a statement to NBC News, a Treasury spokesperson cited the contents of the letter, saying that "the compromised BeyondTrust service has been taken offline" and that there is "no evidence indicating the threat actor has continued access to Treasury systems or information."
"Treasury takes very seriously all threats against our systems, and the data it holds. Over the last four years, Treasury has significantly bolstered its cyber defense, and we will continue to work with both private and public sector partners to protect our financial system from threat actors," the statement reads in part.
Fellow agencies helped the U.S. Treasury deduce that the breach came from Chinese hackers, according to the letter.
The letter states that a supplemental report will be made available in 30 days.
Exclusive: US government agencies hit in global cyberattack
Several US federal government agencies have been hit in a global cyberattack by Russian cybercriminals that exploits a vulnerability in widely used software, according to a top US cybersecurity agency.
The US Cybersecurity and Infrastructure Security Agency “is providing support to several federal agencies that have experienced intrusions affecting their MOVEit applications,” Eric Goldstein, the agency’s executive assistant director for cybersecurity, said in a statement on Thursday to CNN, referring to the software impacted. “We are working urgently to understand impacts and ensure timely remediation.”
Aside from US government agencies, “several hundred” companies and organizations in the US could be affected by the hacking spree, a senior CISA official told reporters later Thursday, citing estimates from private experts.
Clop, the ransomware gang allegedly responsible, is known to demand multimillion-dollar ransoms. But no ransom demands have been made of federal agencies, the senior official told reporters in a background briefing.
CISA’s response comes as Progress Software, the US firm that makes the software exploited by the hackers, said it had discovered a second vulnerability in the code that the company was working to fix.
The Department of Energy is among multiple federal agencies breached in the ongoing global hacking campaign, a department spokesperson confirmed to CNN.
The hacks have not had any “significant impacts” on federal civilian agencies, CISA Director Jen Easterly told reporters, adding that the hackers have been “largely opportunistic” in using the software flaw to break into networks.
The news adds to a growing tally of victims of a sprawling hacking campaign that began two weeks ago and has hit major US universities and state governments. The hacking spree mounts pressure on federal officials who have pledged to put a dent in the scourge of ransomware attacks that have hobbled schools, hospitals and local governments across the US.
Since late last month, the hackers have been exploiting a flaw in widely used software known as MOVEit that companies and agencies use to transfer data. Progress Software, the US firm that makes the software, told CNN Thursday that a new vulnerability in the software had been discovered “that could be exploited by a bad actor.”
“We have communicated with customers on the steps they need to take to further secure their environments and we have also taken MOVEit Cloud offline as we urgently work to patch the issue,” the company said in a statement.
Agencies were much quicker Thursday to deny they’d been affected by the hacking than to confirm they were. The Transportation Security Administration and the State Department said they were not victims of the hack.
The Department of Energy “took immediate steps” to mitigate the impact of the hack after learning that records from two department “entities” had been compromised, the department spokesperson said.
“The Department has notified Congress and is working with law enforcement, CISA, and the affected entities to investigate the incident and mitigate impacts from the breach,” the spokesperson said in a statement.
One of the Department of Energy victims is Oak Ridge Associated Universities, a not-for-profit research center, a department spokesperson told CNN. The other victim is a contractor affiliated with the department’s Waste Isolation Pilot Plant in New Mexico, which disposes waste associated with atomic energy, the spokesperson said.
Federal News Network first reported on the Department of Energy victims.
Johns Hopkins University in Baltimore and the university’s renowned health system said in a statement this week that “sensitive personal and financial information,” including health billing records, may have been stolen in the hack.
Meanwhile, Georgia’s state-wide university system – which spans the 40,000-student University of Georgia along with over a dozen other state colleges and universities – confirmed it was investigating the “scope and severity” of the hack.
CLOP last week claimed credit for some of the hacks, which have also affected employees of the BBC, British Airways, oil giant Shell, and state governments in Minnesota and Illinois, among others.
The Russian hackers were the first to exploit the MOVEit vulnerability, but experts say other groups may now have access to software code needed to conduct attacks.
The ransomware group had given victims until Wednesday to contact them about paying a ransom, after which they began listing more alleged victims from the hack on their extortion site on the dark web. As of Thursday morning, the dark website did not list any US federal agencies. Instead, the hackers wrote in all caps, “If you are a government, city or police service do not worry, we erased all your data. You do not need to contact us. We have no interest to expose such information.”
The CLOP ransomware group is one of numerous gangs in Eastern Europe and Russia that are almost exclusively focused on wringing their victims for as much money as possible.
“The activity we’re seeing at the moment, adding company names to their leak site, is a tactic to scare victims, both listed and unlisted, into paying,” Rafe Pilling, director of threat research at Dell-owned Secureworks, told CNN.
This story has been updated with additional developments.
Microsoft Office 365 Email Hacked By Hack-To-Trade Fraudster, SEC Says
A 39-year-old U.K. resident has been arrested and charged with operating a hack-to-trade fraud, which generated millions of dollars by hacking Microsoft Office 365 email accounts. The alleged hacker, Robert Westbrook, a London resident, was arrested in the U.K. “with a view towards extradition to the United States” where he faces charges of securities fraud, wire fraud and five counts of computer fraud.
According to a statement published by Philip R. Sellinger, through the U.S. Attorney's Office, District of New Jersey, Westbrook is alleged to have gained unauthorized access to Microsoft Office 365 email accounts on at least five occasions between January 2019 and May 2020. These accounts are said to have belonged to corporate executives, which gave the hacker access to confidential information regarding not-yet-public earnings announcements. This information was then used, the indictment said, to “execute profitable securities transactions on the NYSE and NASDAQ exchanges.”
In other words, the hacker is said to have purchased securities on the basis of confidential earnings information and then quickly sold them after the earnings data was made public. According to the New Jersey Attorney's Office, Westbrook is thought to have made substantial profits, more than $3 million in total.
Although full details of how the alleged hacker managed to compromise the Microsoft Office 365 accounts of the five executives haven’t been made public at this point, there are plenty of clues that this was most likely a targeted phishing or spoofing attack against them in the first place. The first clue is that Westbrook reset the passwords of the senior-level executives’ accounts, according to a statement published by the U.S. Securities and Exchange Commission. “Westbrook took multiple steps to conceal his identity,” Jorge G. Tenreiro, acting chief of the SEC’s Crypto Assets and Cyber Unit, said, “including using anonymous email accounts, VPN services, and utilizing bitcoin.”
The New Jersey Attorney's Office also said that, on several occasions, the hacker “implemented auto-forwarding rules designed to automatically forward content from the corporate executives’ compromised email accounts to email accounts controlled by Westbrook.”
If successfully extradited from the U.K. and found guilty of the charges of securities fraud, Westbrook faces a maximum penalty of up to 20 years of jail time and a fine of $5 million. The wire fraud charge also carries a 20-year prison term, with a fine of up to $250,000. The lesser computer fraud charges bring a potential five-year prison term and fines of $250,000. Both of the $250,000 fines could be substantially higher as the charges allow for the fine to be twice the profit made from the offense, estimated at $3 million.
However, it is important to remember that the charges and allegations in the indictment are just that, accusations, at this moment in time. The defendant is presumed innocent unless and until proven guilty in a court of law.
I have reached out to Microsoft for a statement.