Third-party provider hack exposes US Treasury Department unclassified documents

The U.S. Treasury advised lawmakers today that it had determined that hackers had remotely accessed Treasury Department workstations and unclassified documents following the compromise of a third-party software service provider.

The details of the hack were in a letter shared by Reuters, which stated that on Dec. 8 the Treasury Department was notified by a third-party software provider, BeyondTrust Corp., that a threat actor had gained access to a key used by the vendor to secure a cloud-based service used to remotely provide technical support for Treasury Departmental Offices end users.

With the stolen key, the threat actor was able to override the service’s security, remotely access Treasury workstations and access certain unclassified documents maintained by those users.

Upon being made aware of the breach, the Treasury Department informed and started working with the Cybersecurity and Infrastructure Security Agency, the Federal Bureau of Investigation, the intelligence community and third-party forensic investigators to determine the cause of the breach and its overall impact.

Based on the available indicators, the investigation attributed the breach to a Chinese state-sponsored advanced persistent threat actor.

The compromised BeyondTrust service has since been taken offline, and the Treasury Department has confirmed that the threat actor no longer has access to Treasury information.

BeyondTrust is an identity and access security company that provides the Treasury Department with secure remote access products, including remote support and privileged remote access. Notably, BeyondTrust is also FedRAMP authorized, meaning its cloud service has been assessed against federal security standards for cloud services. Seemingly, in this case, those standards were not enough to prevent the theft of a vendor key.

While the exact details of the initial breach at BeyondTrust have not been disclosed, Lawrence Pingree, vice president of cybersecurity company Dispersive Holdings Inc., told SiliconANGLE via email that “it’s hard to tell whether it was a breach of an application’s ‘secret’ or some form of cryptographic key.”

“Secrets and cryptographic key management are critical elements of managing software API access, and thus if deficient in some way, or if a compromise occurs via a developer’s endpoint, the breach of those secrets and authentication keys can create these types of epic breaches,” Pingree explained. “It’s important that systems that developers and administrators use are properly isolated by zero trust technology controls, and that robust key and secrets management processes are tested and followed.”
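The practice Pingree describes is easier to see as a concrete check. The following is an added example, not code from the article, from BeyondTrust or from the Treasury: it audits a constructed inventory of remote-support API keys against a hypothetical policy, flagging keys older than a rotation window, keys with no source-network restriction, wildcard scopes, and uses of a key from outside its allowed networks or beyond its granted scope. The key names, field names, networks, scope names and the 90-day window are all assumptions; the only value taken from the article is the Dec. 8 date, used here as the audit time.

```python
"""Added example: audit a vendor API-key inventory and its usage log.

Every identifier, network and log entry below is constructed for illustration;
none of it comes from the article or from any vendor's real API.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Assumed rotation policy for vendor-issued API keys (hypothetical value).
MAX_KEY_AGE = timedelta(days=90)
# A wildcard scope grants every action; a support key should never carry it.
WILDCARD_SCOPE = "*"


@dataclass
class ApiKey:
    key_id: str
    created: datetime
    allowed_cidrs: list[str]   # empty list means the key may be used from anywhere
    scopes: list[str]          # actions the key is allowed to perform


@dataclass
class KeyUse:
    key_id: str
    when: datetime
    source_ip: str
    action: str


@dataclass
class Finding:
    key_id: str
    issue: str
    detail: str


def audit_keys(keys: list[ApiKey], uses: list[KeyUse], now: datetime) -> list[Finding]:
    """Static checks on the inventory, then per-use checks against each key's policy."""
    findings: list[Finding] = []
    by_id = {k.key_id: k for k in keys}

    for k in keys:
        age = now - k.created
        if age > MAX_KEY_AGE:
            findings.append(Finding(k.key_id, "stale", f"key is {age.days} days old"))
        if not k.allowed_cidrs:
            findings.append(Finding(k.key_id, "unrestricted_source", "no source network restriction"))
        if WILDCARD_SCOPE in k.scopes:
            findings.append(Finding(k.key_id, "overbroad_scope", "wildcard scope grants every action"))

    for u in uses:
        k = by_id.get(u.key_id)
        if k is None:
            # A key that is in use but not in inventory is exactly the kind of secret
            # nobody rotates because nobody knows it exists.
            findings.append(Finding(u.key_id, "unknown_key", f"used from {u.source_ip} but not in inventory"))
            continue
        if k.allowed_cidrs:
            ip = ip_address(u.source_ip)
            if not any(ip in ip_network(cidr) for cidr in k.allowed_cidrs):
                findings.append(Finding(k.key_id, "off_network_use", f"{u.action} from {u.source_ip}"))
        if WILDCARD_SCOPE not in k.scopes and u.action not in k.scopes:
            findings.append(Finding(k.key_id, "out_of_scope", f"{u.action} not granted to this key"))
    return findings


# Audit time: the notification date given in the article, used purely as a reference point.
NOW = datetime(2024, 12, 8, tzinfo=timezone.utc)

# Constructed inventory: one long-lived, unrestricted wildcard key and one well-scoped key.
KEYS = [
    ApiKey("rs-support-prod", datetime(2024, 5, 1, tzinfo=timezone.utc), [], ["*"]),
    ApiKey("rs-support-eu", datetime(2024, 11, 10, tzinfo=timezone.utc),
           ["203.0.113.0/24"], ["session:create", "session:join"]),
]

# Constructed usage log (documentation-range IPs).
USES = [
    KeyUse("rs-support-eu", datetime(2024, 12, 7, 9, 0, tzinfo=timezone.utc), "203.0.113.20", "session:create"),
    KeyUse("rs-support-eu", datetime(2024, 12, 7, 9, 5, tzinfo=timezone.utc), "198.51.100.7", "session:create"),
    KeyUse("rs-support-eu", datetime(2024, 12, 7, 9, 6, tzinfo=timezone.utc), "203.0.113.20", "workstation:control"),
    KeyUse("rs-support-prod", datetime(2024, 12, 7, 9, 7, tzinfo=timezone.utc), "198.51.100.7", "session:create"),
    KeyUse("rs-legacy", datetime(2024, 12, 7, 9, 8, tzinfo=timezone.utc), "198.51.100.7", "session:create"),
]

if __name__ == "__main__":
    for f in audit_keys(KEYS, USES, NOW):
        print(f"{f.key_id:16} {f.issue:20} {f.detail}")
```

Run against the constructed data, the audit reports the production key as stale, unrestricted and overbroad, the EU key as used once from an unexpected network and once for an action it was never granted, and a fifth key that is in use but absent from the inventory. The point of the exercise is that every one of those findings is visible before an attacker uses the key; a key that is short-lived, bound to a source network and scoped to a few actions gives a thief far less to work with than the single long-lived vendor key at the center of this incident.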
