Friday, January 03, 2025

US Department of Treasury Data Breached

Security Incident Overview

The US Department of the Treasury suffered a major cybersecurity incident involving unauthorized access through a third-party service provider, BeyondTrust, which notified Treasury of the compromise on December 8, 2024[1]. A China state-sponsored Advanced Persistent Threat (APT) actor obtained a key that the vendor used to secure its cloud-based remote technical support service[1].

Incident Impact and Response

Breach Details
Using the stolen key, the threat actor was able to:

  • Authenticate to BeyondTrust's cloud service as a trusted party
  • Override the service's security controls
  • Remotely access certain Treasury Departmental Offices (DO) user workstations
  • Access certain unclassified documents maintained by those users[1]

Response Measures
The Treasury engaged multiple agencies and resources in response:

  • Cybersecurity and Infrastructure Security Agency (CISA)
  • Federal Bureau of Investigation (FBI)
  • Intelligence Community
  • Third-party forensic investigators[1]

BeyondTrust Service

BeyondTrust was a third-party software service provider whose cloud-based service was used to remotely provide technical support to Treasury DO end users. Following the incident, the compromised service was taken offline[1]. Treasury has stated that there is no evidence the threat actor retains continued access to Treasury information or systems[1].

APT Incidents and Treasury Policy

Classification
Under Treasury policy, any intrusion attributable to an APT is treated as a major cybersecurity incident, which triggers specific reporting and response obligations[1].

Preventive Measures
Treasury cites several protective measures put in place over recent years:

  • Investments funded through the Cybersecurity Enhancement Account (CEA)
  • Strengthened incident response processes
  • Expanded logging and monitoring across its systems
  • Immediate engagement with CISA, the FBI and the Intelligence Community when an intrusion is detected[1]

Regulatory Compliance

The incident triggered reporting requirements under:

  • Federal Information Security Modernization Act of 2014 (FISMA)
    • Treasury was required to notify the Senate Committee on Banking, Housing, and Urban Affairs of the incident
  • OMB Memorandum M-24-04
  • Treasury's own incident reporting policy[1]

A supplemental 30-day report will provide additional details about the incident, as required by FISMA and OMB guidance[1].

Citations:
[1] https://pplx-res.cloudinary.com/image/upload/v1735767931/user_uploads/urLJfwaVDptrnxW/Screenshot-2025-01-01-at-11.31.11.jpg