Chinese state-sponsored hackers have been at work on US government agencies yet again, this time blamed for a recent breach of Treasury Department workstations. Officials from the agency have said that the threat actors used a stolen API key, taken from a third-party security and technical support contractor.
There is not yet much detail on how the API key was stolen, but the incident investigation is ongoing and involves multiple federal agencies as well as third-party forensic teams. The agency said that Chinese state-sponsored hackers were identified on the basis of unspecified “indicators,” and that the threat actors are no longer present in the system, although they did have access to some unclassified files during the breach window.
Use of API keys on the rise as a first breach step
It is not clear if the Salt Typhoon group responsible for so many recent hacks is also involved with the Treasury incident, but it is clear that the government is having trouble getting its arms around a massive hacking campaign by an assortment of Chinese state-sponsored hackers. And while more information is needed about how the API key was lost, this sort of breach is often an unforced error.
The Chinese hackers appear to be burrowing into communications networks all over the world, but have shown a particular interest in spying on US government agencies and the assorted contractors that supply them. The depth of the Salt Typhoon campaign has sent the US government scrambling to update cybersecurity requirements for the telecoms industry, which to date have largely been voluntary. The FCC has attempted to help this process by telling the industry that the Communications Assistance for Law Enforcement Act legally compels them to defend their networks against state-sponsored hackers.
An API key loss should raise serious questions about an organization’s security. The direct cause in this case is still not known, but API keys are often found exposed in source code, repositories, or public-facing storage. They are sometimes treated as a minor concern because they usually do not give an attacker direct access to sensitive information, but they can readily serve as the first step in privilege escalation. An attacker holding a valid API key usually has a much easier time enumerating the environment for further vulnerabilities.
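As an added illustration of the point above (example code, not from the article, the Treasury Department, or any vendor), a minimal pre-commit style scan that flags hard-coded API keys in source by known key prefix or by string entropy. The sample source lines and every key value in them are constructed for this example and belong to no real account.

```python
import math
import re
from typing import List, Tuple

# A string literal of 16+ chars assigned to a credential-sounding name.
ASSIGNMENT_RE = re.compile(
    r'(?i)\b(api[_-]?key|secret|token|password)\b\s*[:=]\s*["\']([^"\']{16,})["\']'
)
# Two widely published key formats: AWS access key ids (AKIA + 16) and
# GitHub personal access tokens (ghp_ + 36). Sample values below are made up.
PREFIX_RE = re.compile(r'\b(AKIA[0-9A-Z]{16}|ghp_[0-9A-Za-z]{36})\b')

# Constructed source file: one exposed high-entropy key, one prefixed key,
# one low-entropy placeholder, and one correct read from the environment.
SAMPLE_SOURCE = [
    'import requests',
    'API_KEY = "9f3kZq2LwX8vT1pRb6nHsY4dJm7cGa0E"',
    'aws_key = "AKIAEXAMPLEEXAMPLE01"',
    'password = "passwordpassword1234"',
    'token = os.environ["SUPPORT_API_TOKEN"]',
]


def shannon_entropy(s: str) -> float:
    """Bits per character; random keys score near log2(len), words score low."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def redact(value: str) -> str:
    """Keep only the ends so a finding can be triaged without re-leaking the key."""
    return value[:4] + "..." + value[-4:]


def find_exposed_keys(lines: List[str], min_entropy: float = 3.8) -> List[Tuple[int, str, str]]:
    """Return (line_no, reason, redacted_value) for lines that look like hard-coded keys."""
    findings = []
    for no, line in enumerate(lines, start=1):
        m = PREFIX_RE.search(line)
        if m:
            findings.append((no, "known-prefix", redact(m.group(1))))
            continue
        m = ASSIGNMENT_RE.search(line)
        # Entropy gate drops obvious placeholders like "passwordpassword1234".
        if m and shannon_entropy(m.group(2)) >= min_entropy:
            findings.append((no, "high-entropy", redact(m.group(2))))
    return findings


def scan_sample() -> List[Tuple[int, str, str]]:
    return find_exposed_keys(SAMPLE_SOURCE)
```

Wired into a pre-commit hook or CI job, a non-empty result blocks the commit; any key it does flag should be rotated, since a secret that has reached a repository has to be treated as already exposed.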
Campaign against Chinese state-sponsored hackers continues
The Treasury Department is legally obligated to provide further details to officials by the end of the month. There may be more specific information about the “indicators” used to identify the state-sponsored hackers at that time. In the meantime, federal agencies, along with telecoms and ISPs, are still struggling to map out and contain the massively damaging Salt Typhoon attack; the count of providers breached rose to nine in December as new information continues to come out.
It is known that BeyondTrust’s “Remote Support” product was found to have been breached via an API key on December 2, and impacted customers should have started receiving notifications on December 5. While the Treasury Department workstations seemed to be the specific focus of the state-sponsored hackers, it is possible that other clients were breached during the incident.