New information from US Treasury Department officials indicates that the early December breach of its workstations was the work of China’s state-sponsored hackers, and that they got in via a stolen API key.
The hackers stole unclassified documents during the raid, but little else is known about what they accessed. The attackers appear to have obtained the API key from a third-party vendor called BeyondTrust, a security and technical support provider for Treasury workstations. Both BeyondTrust and the Treasury continue to work with CISA, the FBI, US intelligence agencies and third-party forensic investigators, but the state-sponsored hackers appear to have been removed from the system at this point.
Chinese state-sponsored hackers once again grab headlines
A letter to lawmakers from Treasury officials, part of a mandatory update process on the incident, indicates that the attribution to Chinese state-sponsored hackers is based on “available indicators.” More details are required by the government within 30 days. The attribution is not at all surprising given recent attacks linked to China’s advanced persistent threat (APT) teams, which include breaches of multiple government agencies and lawmaker inboxes as well as a deep penetration of the country’s major wireless carriers.
It is not clear exactly how the API key was stolen, but it reportedly provided access only to select Treasury workstations that officials say stored only unclassified documents. BeyondTrust first publicly shared information about the attack via its website on December 8, but the breach of its “Remote Support” product was first discovered on December 2, and impacted customers began receiving notifications about the issue on December 5.
Though the Treasury has thus far downplayed the impact of the incursion and not indicated any particular national security threat, the agency says that it is policy to declare any attacks attributed to state-sponsored hackers as “major cybersecurity incidents.” There has also not yet been a specific attribution as to who stole the API key. The natural assumption would be “Salt Typhoon,” the group making headlines throughout 2024 for its breach of the nation’s three major phone carriers and assorted government agencies. That situation remains unresolved, and has become so bad that senior government officials have been advised to switch to end-to-end encrypted messaging apps like Signal for their communications.
API keys increasingly targeted by threat actors
Though the two incidents are not necessarily related, the documented campaign by “Salt Typhoon” remains unresolved and continued to expand as of the close of 2024. On December 29, a high-level White House official told media sources that the count of telecoms and ISPs compromised by the state-sponsored hackers had expanded to nine. The campaign is also not limited to the US, now thought to touch “dozens” of countries as the Chinese hackers have burrowed deep into communications infrastructure around the world.
The official also suggested that the state-sponsored actors are heavily focused on spying on individuals in the “Washington-Virginia area,” suggesting government employees and defense contractors. The Federal Communications Commission (FCC) has scheduled a meeting this month to discuss updating required cybersecurity practices for the telecoms industry in response to this hacking campaign. In December, the agency issued a Declaratory Ruling confirming that telecoms carriers are legally obligated to defend their networks from hackers under the Communications Assistance for Law Enforcement Act. Voluntary security measures appear to be at an end for the industry, which was already formally viewed as critical infrastructure and subject to new requirements put in place during the tenure of the Biden administration.
In the meantime, API keys are becoming a more popular target for common criminals as well as state-sponsored hackers. This is likely tied to ever-increasing API use in cloud environments. API keys are also notoriously easy to lose track of, sometimes being stuffed away in repositories or code where they are readily found by attackers. They can even make their way into public-facing storage, ready to be exposed by anyone using simple scanning tools such as SHODAN.
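The leak paths described above (keys left in repositories, code or public storage) are the kind of thing a repository secret scanner is meant to catch before a commit lands. The script below is an added example written for this article, not code from the article, BeyondTrust or the Treasury; it scans constructed sample file contents (the file names and values are made up, and the AWS key id is Amazon's documented placeholder) for credential shapes it knows and, as a fallback, for long high-entropy tokens, reporting masked previews so that the scan report does not itself leak the secret.

```python
import math
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample repository contents for this example. Every value below is
# made up (the AWS key id is Amazon's documented placeholder); none is a real credential.
SAMPLE_FILES: Dict[str, str] = {
    "config/settings.py": (
        "DEBUG = False\n"
        'API_KEY = "sk_live_9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c"\n'
        "TIMEOUT = 30\n"
    ),
    "scripts/deploy.sh": (
        "#!/bin/sh\n"
        "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        'echo "deploying"\n'
    ),
    "scripts/fetch.sh": (
        "#!/bin/sh\n"
        'curl -H "X-Auth: Zm9vYmFyYmF6cXV4MTIzNDU2Nzg5MGFiY2RlZg" https://example.invalid/data\n'
    ),
    "README.md": (
        "# Service\n"
        "Set API_KEY in the environment before running; never commit it.\n"
    ),
}

# Signatures with a known shape are checked first; the fallback is an entropy test
# on any long token, which catches keys whose format the scanner does not know.
PATTERNS: List[Tuple[str, "re.Pattern[str]"]] = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("assigned_api_key", re.compile(
        r"""(?i)\b(?:api[_-]?key|secret|token)\b\s*[=:]\s*['"]?([A-Za-z0-9_\-]{20,})""")),
]
LONG_TOKEN = re.compile(r"[A-Za-z0-9+/=_\-]{32,}")
ENTROPY_THRESHOLD = 3.5  # bits per character; randomly generated keys sit well above this


@dataclass
class Finding:
    path: str
    line: int
    kind: str
    preview: str  # masked so that the report itself does not leak the secret


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    n = len(s)
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def mask(value: str) -> str:
    """Keep a short prefix for triage and blank out the rest."""
    return value[:4] + "*" * (len(value) - 4)


def classify_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (kind, secret) for the first credential-like token on the line, else None."""
    for kind, pattern in PATTERNS:
        m = pattern.search(line)
        if m:
            return kind, m.group(m.lastindex or 0)
    for m in LONG_TOKEN.finditer(line):
        if shannon_entropy(m.group(0)) >= ENTROPY_THRESHOLD:
            return "high_entropy_token", m.group(0)
    return None


def scan_repository(files: Dict[str, str]) -> List[Finding]:
    """Scan a {path: contents} mapping and return one masked finding per offending line."""
    findings: List[Finding] = []
    for path in sorted(files):
        for lineno, text in enumerate(files[path].splitlines(), start=1):
            hit = classify_line(text)
            if hit:
                kind, secret = hit
                findings.append(Finding(path, lineno, kind, mask(secret)))
    return findings


if __name__ == "__main__":
    for f in scan_repository(SAMPLE_FILES):
        print(f"{f.path}:{f.line}: {f.kind} {f.preview}")
```

The README line mentioning `API_KEY` is deliberately not flagged: the assignment pattern requires an `=` or `:` followed by a value, which keeps documentation out of the report. In practice the scan runs in a pre-commit hook or CI job over the staged diff, and any genuine hit is treated as a key that must be rotated, since a secret that reached a repository should be assumed copied.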
As the Treasury breach demonstrates (at least as reported thus far), theft of API keys may not directly lead to exposure of particularly concerning data. But it can easily lead to privilege escalation, or be put to use as part of a malicious denial-of-service attack. API key rotation certainly helps to reduce this attack vector, but the priority that criminals have placed on stolen keys has led to the development of sophisticated malware packages that can quickly harvest and deploy them. “Cleaning” API keys is particularly critical in the wake of known breaches, as attackers have likely obtained them during their breach window and can use them to re-establish access.
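The rotation and post-breach “cleaning” described above, as an added example that is not part of the article and not BeyondTrust's or the Treasury's code: a minimal in-memory key registry (hypothetical; the client names and timestamps are constructed) that stores only key digests, rotates a client's key with an optional grace period for routine hygiene, and hard-revokes every key that was live at any point inside a given breach window, which is the operation that matters once a breach is known.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class KeyRecord:
    client: str
    issued_at: int                    # unix seconds
    expires_at: Optional[int] = None  # set when the key is superseded by a rotation
    revoked: bool = False


def hash_key(key: str) -> str:
    # Only the digest is stored: a dump of the registry must not yield usable keys.
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


class KeyRegistry:
    """In-memory registry of API keys with rotation and breach-window revocation (hypothetical)."""

    def __init__(self) -> None:
        self._records: Dict[str, KeyRecord] = {}  # key digest -> record

    def issue(self, client: str, now: int) -> str:
        key = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._records[hash_key(key)] = KeyRecord(client=client, issued_at=now)
        return key  # handed to the caller exactly once; never retrievable again

    def validate(self, key: str, now: int) -> Optional[str]:
        """Return the client name for a live key, or None for unknown, expired or revoked keys."""
        rec = self._records.get(hash_key(key))
        if rec is None or rec.revoked:
            return None
        if rec.expires_at is not None and now >= rec.expires_at:
            return None
        return rec.client

    def rotate(self, client: str, now: int, grace_seconds: int = 0) -> str:
        """Issue a fresh key for client. Older keys keep working for grace_seconds so the
        client can switch over, then lapse; use grace_seconds=0 when theft is suspected."""
        for rec in self._records.values():
            if rec.client == client and not rec.revoked and rec.expires_at is None:
                rec.expires_at = now + grace_seconds
        return self.issue(client, now)

    def revoke_exposed_during(self, start: int, end: int) -> int:
        """Hard-revoke every key, for any client, that was valid at some point in [start, end].
        A key issued before the window counts if it had not yet expired when the window opened."""
        count = 0
        for rec in self._records.values():
            if rec.revoked or rec.issued_at > end:
                continue
            if rec.expires_at is not None and rec.expires_at <= start:
                continue
            rec.revoked = True
            count += 1
        return count


if __name__ == "__main__":
    reg = KeyRegistry()
    k = reg.issue("treasury-ws-01", now=1000)
    print("valid before breach:", reg.validate(k, now=1500))
    print("keys revoked for breach window 1200..1800:", reg.revoke_exposed_during(1200, 1800))
    print("valid after cleanup:", reg.validate(k, now=1900))
```

Routine rotation with a grace period limits how long a quietly stolen key stays useful; the breach-window revocation is what prevents an attacker from re-establishing access with a key harvested during the intrusion, because it invalidates every key that existed at the time rather than only the ones known to be stolen. Clients then re-enrol for fresh keys through the normal issuance path.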
Itzik Alvas, CEO and co-founder of Entro Security, expands on the potential damage that loss of API keys can cause: “APIs – a form of interactions that are triggered by both users and machines – are often exploited to provide attackers with outsized access to backend infrastructure and resources. After compromising an API, attackers quickly move laterally to identify and compromise additional exposed human and non-human identities (NHIs) throughout the environment. In this incident, attackers exploited vulnerabilities in a remote tech support software, including misusing a leaked API key to gain unauthorized access. This breach is a reminder of how important it is to adopt next generation, advanced security measures to secure every layer of access within the IT ecosystem, both human and non-human. To avoid such breaches, organizations must adopt a proactive security posture that includes implementing zero trust principles, enhancing API key and secrets management practices to detect anomalies in real-time.”