alt=Department of the Treasury building exterior, showcasing its classical architecture and prominent entrance.
Cyber security
2025-01-02 Post a Comment

US Treasury hacked: Are China and the US stepping up their cyberwar?

Department of the Treasury calls cyberattack a ‘major incident’, accuses China-backed hackers.

By Sarah Shamim

The United States Department of the Treasury on Monday blamed China for breaching its network and gaining access to information that includes unclassified documents.

Beijing has denied the allegation, calling it “groundless”.

Keep reading

list of 4 items

end of list

The alleged hacking comes weeks after Beijing accused Washington of carrying out two cyberattacks on Chinese technology firms.

With Washington and Beijing trading blame, we assess the history of cyberwarfare between the world’s two largest economies and whether it has intensified.

Who hacked the US Treasury Department?

The US Treasury Department accused Chinese state-sponsored hackers of breaking into its system this month and accessing employee workstations and unclassified documents.

The department said the hackers gained access by overriding a security key used by third-party cybersecurity provider BeyondTrust, which provides technical support remotely to Treasury employees.

The Treasury Department made these details public on Monday in a letter to the US Congress. The attack was caused by “a China-based Advanced Persistent Threat (APT) actor”, the letter said.

The department, however, did not specify the number of workstations compromised, the nature of the files, the exact timeframe of the hack and the confidentiality level of the stations compromised.

On December 8, Treasury was alerted about a hack by BeyondTrust. The BBC reported that BeyondTrust first suspected unusual activity on December 2 but took three days to determine it was hacked.

How did the US Treasury Department respond?

The department said there is no evidence that the hackers still have access to department information and the compromised BeyondTrust has been taken offline.

It is assessing the impact of the hack with the assistance of the US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI). The hack is being investigated as a “major cybersecurity incident”.

The department’s letter to Congress added that supplemental information about the attack would be sent to US lawmakers in 30 days.

“Over the last four years, Treasury has significantly bolstered its cyber defence, and we will continue to work with both private and public sector partners to protect our financial system from threat actors,” a spokesperson for the department said in a separate statement.

How has China responded?

China has denied the department’s accusations, and its Ministry of Foreign Affairs said Beijing condemns all forms of hacker attacks.

“We have stated our position many times regarding such groundless accusations that lack evidence,” ministry spokesperson Mao Ning was quoted as saying by the AFP news agency.

A spokesperson for the Chinese embassy in the US, Liu Pengyu, denied the department’s allegations. “We hope that relevant parties will adopt a professional and responsible attitude when characterising cyber-incidents, basing their conclusions on sufficient evidence rather than unfounded speculation and accusations,” he said, according to a BBC report.

“The US needs to stop using cybersecurity to smear and slander China and stop spreading all kinds of disinformation about the so-called Chinese hacking threats.”

Are the US and China ramping up cyberattacks against each other?

While the US has blamed China for cyberattacks over the years, Beijing has also accused Washington of hacking its critical cyber-infrastructure in recent years.

Here’s a brief timeline of recent cyberattacks claimed by the two nations:

On December 18, China’s National Computer Network Emergency Response Technical Team/Coordination Centre of China (CNCERT/CC) released a statement saying two US cyberattacks since May 2023 tried to “steal trade secrets” from Chinese technology firms.

On December 5, US Deputy National Security Adviser Anne Neuberger said a Chinese hacking group called Salt Typhoon had obtained communications of senior US government officials but classified information was not compromised.

A month earlier, on November 13, the FBI and CISA said they had uncovered a broad cyberespionage campaign carried out by China-linked hackers.

The US alleged that the hackers had compromised “private communications of a limited number of individuals”. While it did not specify who these individuals were, they were “primarily involved in government or political activity”, the FBI and CISA said.

Weeks before the US elections in November, the FBI launched an investigation after reports alleged Chinese hackers had targeted mobile phones of President-elect Donald Trump and Vice President-elect JD Vance as well as people associated with Kamala Harris, the Democratic presidential candidate in the race.

In July 2023, US tech giant Microsoft said the China-based hacking group Storm-0558 breached email accounts at about 25 organisations and government agencies. The breached accounts included those belonging to US Department of State staff.

In March, the US and United Kingdom accused China of carrying out a sweeping cyberespionage campaign that allegedly hit millions of people, including lawmakers, journalists and defence contractors. The two countries slapped sanctions on a Chinese company after the incident. A month before, US authorities said they had dismantled a China-sponsored hacker network called Volt Typhoon.

In response, China called the charges “completely fabricated and malicious slanders”.

In March 2022, China said it experienced a series of cyberattacks that mostly traced back to US addresses. Some were also traced back to the Netherlands and Germany, according to CNCERT/CC.

 

Video Duration 3 minutes 57 seconds
  • Now Playing

    Video Duration 03 minutes 57 seconds
    China cyber-attacks: Beijing calls UK & US accusations 'groundless'

    China cyber-attacks: Beijing calls UK & US accusations ‘groundless

Why are cyberattacks launched?

State-sponsored actors are regularly accused of launching cyberattacks against adversaries that range from state institutions to politicians and activists. They aim to gain unauthorised access to confidential data and trade secrets or disrupt economies and critical infrastructure.

Advertisement

“The US and China have had a history of using cyberdefence to further their national security aims,” Rebecca Liao, the Co-Founder and CEO at web3 protocol Saga, told Al Jazeera.

“While espionage against state actors is an accepted practice, the US has protested against China’s rampant cyberattacks against US commercial entities,” said Liao, who was a member of President Joe Biden’s 2020 and Hillary Clinton’s 2016 presidential campaigns, advising on China, technology and Asia economic policy.

“It is obviously not diplomatically wise to build a track record of resorting to espionage. That’s why Beijing has been so swift to deny all allegations.”

With the development of digital technology, cyberattacks are on the rise worldwide, according to the German Institute for International and Security Affairs (SWP). Data from the SWP shows that cyberattacks went up from 107 in 2014 to 723 in 2023.

Cyberattacks are also carried out by individuals or organised groups who want to steal data and money.

How can countries protect themselves from cyberattacks?

The US and China “should spearhead a treaty on the responsible use of the cyberspace”, wrote researchers Asimiyu Olayinka Adenuga and Temitope Emmanuel Abiodun from the Political Science Department at Nigeria’s Tai Solarin University in an article published this year.

They cited the example of the treaties signed between the US and Soviet Union as a result of the Strategic Arms Limitations Talks, SALT I and SALT II, in 1972 and 1979. The two Cold War superpowers signed the treaties to establish US-Soviet stability by limiting their production of nuclear weapons.

In their article, the Tai Solarin researchers added that there is a need for further technological development, particularly in quantum computing, that will make it harder to execute cyberattacks.

Victor Atkins, a fellow with the Indo-Pacific Security Initiative of the US think tank Atlantic Council, wrote in a February article that the US “should launch an expansive new multilateral cyber threat intelligence sharing coalition in the Indo-Pacific” to combat cyberattacks from China.

“A decade ago, there were some suggestions about convening an international body around cybersecurity to come up with standards or codes of conduct that participating nations would abide by,” Liao, the tech expert, said.

“However, none of these efforts have yielded fruit, and it is up to each individual country to protect against cyberattacks.”

Governments currently are working on developing cybersecurity infrastructure such as firewalls to protect themselves from cyberattacks such as hacking.

An article published by the University of Miami added that countries employ other practices to counter cyberthreats. These include testing these cyberthreats in a simulated environment. “Cyber teams constantly undergo training exercises, similar to the military,” the article said.

 

read more
alt=Weekly intelligence report titled "CPRI," summarizing key insights and data for strategic decision-making.
Cyber security
2024-12-30 Post a Comment

30th December – Threat Intelligence Report

TOP ATTACKS AND BREACHES

  • The Clop ransomware gang exploited a zero-day vulnerability (CVE-2024-50623) in Cleo’s Secure File Transfer products and is extorting 66 companies following alleged data theft. The attackers have given the victims 48 hours to initiate ransom negotiations before publicly disclosing their identities. This incident mirrors Clop’s previous exploitation of zero-day flaws in platforms like Accellion FTA, GoAnywhere MFT, and MOVEit Transfer.

Check Point Harmony Endpoint, Threat Emulation and IPS provide protection against this threat (Ransomware.Win.Clop; Ransomware.Wins.Clop; Ransomware.Wins.Clop.ta.* ; Cleo Arbitrary File Upload (CVE-2024-50623))

  • Pittsburgh Regional Transit (PRT) experienced a ransomware attack last week, resulting in service disruptions to its rail system and customer service operations. While transit services have resumed normal operations, certain rider services, such as processing ConnectCards, remain affected. The investigation, involving law enforcement and cybersecurity experts, is ongoing, with no confirmation yet regarding data theft or the group responsible for the attack.
  • Cyberhaven has been a victim of a cyber-attack that resulted in distribution of a malicious update for its Chrome browser extension. The compromised extension was able to exfiltrate users’ sensitive information, including authenticated sessions and cookies.
  • Cariad, Volkswagen’s automotive software subsidiary, exposed data from 800,000 electric cars, including sensitive geo-location information, due to misconfigured IT applications. The exposed data included details of vehicles from VW, Seat, Audi, and Skoda, with precise locations for 460,000 cars and pseudonymized user data. The Chaos Computer Club identified the vulnerability, enabling access to terabytes of unprotected customer information stored in Amazon cloud storage.
  • Japan Airlines has resumed to normal activity following a cyberattack that caused delays in domestic and international flights. The attack involved a sudden surge in network traffic, indicative of a distributed denial-of-service (DDoS) attack, affecting data communication with external systems. No customer information was leaked, and flight safety remained uncompromised.
  • ZAGG Inc., a consumer electronics accessories maker, has disclosed a data breach resulting in the exposure of customers’ payment card information. The breach occurred between October and November 2024, due to malicious code injected into the FreshClick app, a third-party application provided by their e-commerce platform, BigCommerce.
  • The European Space Agency’s (ESA) official merchandise store was hacked, causing it to display a fake payment page designed to steal customer payment card details.

VULNERABILITIES AND PATCHES

  • A critical SQL injection vulnerability (CVE-2024-45387), rated 9.9 on the CVSS scale, has been identified in Apache Traffic Control versions 8.0.0 and 8.0.1. The flaw allows privileged users with specific roles to execute arbitrary SQL commands in the database via crafted PUT requests. The issue has been patched in version 8.0.2.

Check Point IPS provides protection against this threat (Apache Traffic Control SQL Injection (CVE-2024-45387))

  • A critical vulnerability (CVE-2024-52046) with a maximum CVSS score of 10.0, has been discovered in Apache MINA, a Java network application framework. The flaw arises from the ObjectSerializationDecoder’s use of Java’s native deserialization protocol without adequate security measures, enabling attackers to execute remote code by sending malicious serialized data.
  • Palo Alto Networks has disclosed an actively exploited Denial of Service (DoS) vulnerability (CVE-2024-3393) affecting PAN-OS software. The flaw allows unauthenticated attackers to send malicious packets that force affected firewalls into reboot or maintenance mode, disrupting firewall protection. The issue impacts devices with DNS Security logging enabled and has been patched in versions PAN-OS 10.1.14-h8, 10.2.10-h12, 11.1.5, and 11.2.3.
  • A high-severity OS command injection vulnerability (CVE-2024-12856) has been identified in Four-Faith router models F3x24 and F3x36. Exploitation via default credentials may enable unauthenticated OS command execution. Over 15,000 internet-facing devices are at risk, with evidence suggesting active exploitation since at least early November 2024.

Check Point IPS provides protection against this threat (Four-Faith F3x Series Command Injection (CVE-2024-12856))

THREAT INTELLIGENCE REPORTS

  • Researchers have observed “OtterCookie”, a new malware used in the North Korean-associated Contagious Interview campaign. This financially motivated campaign targets a broad range of victims and is active in Japan. OtterCookie communicates via Socket.IO, executes shell commands to exfiltrate sensitive data, including cryptocurrency keys, and uses clipboard data collection to enhance its capabilities.
  • Researchers have identified heightened activity by the Paper Werewolf (aka GOFFEE) cluster, conducting at least seven campaigns targeting Russian organizations since 2022. Using phishing PowerShell and PowerRAT, and emails with malicious macros, the group conducts espionage and destructive ops, including disabling IT infrastructure and changing account credentials. The arsenal includes custom implants, reverse shells, and malicious IIS modules for credential harvesting.
  • Researchers have analyzed the increased activity from botnets like the Mirai variant “FICORA” and the Kaiten variant “CAPSAICIN,” which exploit long-standing vulnerabilities in D-Link devices to execute malicious commands via the HNAP interface.
read more
Trustpilot
The rating of livingsafeonline.com at Trustprofile Reviews is 9.1/10 based on 13 reviews.
Verified by MonsterInsights