US Treasury Hacked
Thanks to a Supply Chain Attack
When I started writing this newsletter, I didn’t intend to find a corporal punishment theme. But like the creation of the Jersey Shore, sometimes we create things we later regret but have to live with. So, here we are.
Today, we’re covering:
The US Treasury gives a Russian entity a financial spanking.
China gives the US Treasury a cyber spanking.
A 20-year-old U.S. Army soldier gets more than a wrist slap for selling stolen AT&T and Verizon customer data.
-Jason
P.S. This might be the best January challenge I’ve seen yet.
AI Spotlight
US Treasury Gives Russian Entity a Financial Spanking

The U.S. Treasury’s Office of Foreign Assets Control (OFAC) plays a unique role in administering and enforcing economic and trade sanctions when bad people do bad things that threaten the safety and security of the United States. Those people or companies end up on OFAC’s shit list (sorry, sanctions list), which bars US companies and individuals from any financial transactions with them.
The practice of sanctions dates back to before the War of 1812, when Great Britain (sorry, friends) was sanctioned for harassing American soldiers. Now, we see it often with things like terrorists, international narcotics traffickers, arms dealers, and cybercriminals.
OFAC ended 2024 with fresh sanctions on individuals associated with entities tied to the Iranian Islamic Revolutionary Guard Corps and Russian Main Intelligence Directorate. One of those entities, the Moscow-based Center for Geopolitical Expertise (CGE), played a pivotal role in the “creation and publication of deepfakes” used in efforts to influence the US 2024 general election.
The press release states:
At the direction of, and with financial support from, the GRU, CGE and its personnel used generative AI tools to quickly create disinformation that would be distributed across a massive network of websites designed to imitate legitimate news outlets to create false corroboration between the stories, as well as to obfuscate their Russian origin. CGE built a server that hosts the generative AI tools and associated AI-created content, in order to avoid foreign web-hosting services that would block their activity. The GRU provided CGE and a network of U.S.-based facilitators with financial support to: build and maintain its AI-support server; maintain a network of at least 100 websites used in its disinformation operations; and contribute to the rent cost of the apartment where the server is housed. Korovin played a key role in coordinating financial support from the GRU to his employees and U.S.-based facilitators.
In addition to using generative AI to construct and disseminate disinformation targeting the U.S. electorate in the lead up to the U.S. 2024 general election, CGE also manipulated a video it used to produce baseless accusations concerning a 2024 vice presidential candidate in an effort to sow discord amongst the U.S. electorate.
While we know that Russia has been doing this for a while, it’s still interesting to see sanctions that explicitly call out the malicious use of AI in attempts to influence foreign elections. It should come as no surprise when your average cybercriminals adopt similar techniques to socially engineer victims into financial fraud.
Security Deep Dive
China Gives Cyber Slap to US Treasury

On December 2, 2024, BeyondTrust identified suspicious activity related to one of its customers' Remote Support solution instances. Unsurprisingly, this software allows IT teams to manage systems remotely. The suspicious activity originated from a compromised Remote Support API key, presumably allowing threat actors to interact with the software. BeyondTrust stated there were “a limited number of impacted instances of Remote Support SaaS.”
Interestingly, during its investigation, BeyondTrust found two vulnerabilities in its Remote Support software. One vulnerability allowed an unauthenticated user (aka anyone) to inject commands into the software, which is not good. The second, less severe vulnerability allowed an existing user with admin privileges to inject commands and run them as another user.
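To make the two defect classes concrete, here is an added illustration (not BeyondTrust’s code, and not tied to how Remote Support is actually built) of a remote-support style “run a diagnostic against a host” handler. The vulnerable version shows both problems the paragraph describes: request fields concatenated into a shell string (command injection) and the run-as identity taken from the request instead of the authenticated session (running commands as another user). The hardened version allowlists the tool, validates the argument, builds argv as a list, and derives the identity from the session. The tool table, hostname pattern and user names are assumptions for the example.

```python
import re
import subprocess

# Constructed example: allowlisted tools, each expanded into a fixed argv prefix.
ALLOWED_TOOLS = {
    "ping": ["ping", "-c", "1"],
    "dns": ["nslookup"],
}
# Hostnames only: letters, digits, dots and hyphens, no spaces or shell metacharacters.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?$")


def build_command_vulnerable(tool: str, target: str, run_as: str) -> str:
    """Vulnerable pattern: request fields are concatenated into a shell string,
    so ';' or '$(...)' inside `target` becomes extra commands, and `run_as`
    comes straight from the request body rather than from the caller's session."""
    return f"sudo -u {run_as} {tool} {target}"  # imagine subprocess.run(cmd, shell=True)


def build_command_hardened(tool: str, target: str, session_user: str) -> list:
    """Hardened pattern: allowlist the tool, validate the argument against a strict
    pattern, build argv as a list (never a shell string), and take the identity to
    run as from the authenticated session, never from the request."""
    if tool not in ALLOWED_TOOLS:
        raise ValueError(f"tool not allowed: {tool!r}")
    if not HOSTNAME_RE.fullmatch(target):
        raise ValueError(f"invalid hostname: {target!r}")
    return ["sudo", "-u", session_user, *ALLOWED_TOOLS[tool], target]


def request_is_acceptable(tool: str, target: str) -> bool:
    """True when the hardened builder would accept the request (handy for tests and logging)."""
    try:
        build_command_hardened(tool, target, "session-user")
        return True
    except ValueError:
        return False


def run_diagnostic(tool: str, target: str, session_user: str, timeout: float = 5.0):
    """Execute the hardened argv with shell=False so no shell ever parses user input."""
    argv = build_command_hardened(tool, target, session_user)
    return subprocess.run(argv, capture_output=True, text=True,
                          timeout=timeout, shell=False, check=False)


if __name__ == "__main__":
    # Constructed request: a hostname field carrying a trailing shell command.
    hostile = "example.com; id"
    print("vulnerable builds:", build_command_vulnerable("ping", hostile, "another-user"))
    print("hardened accepts hostile input?", request_is_acceptable("ping", hostile))
    print("hardened builds:", build_command_hardened("ping", "example.com", "support-svc"))
```

The point of the argv list plus `shell=False` is that the target string reaches `ping` as a single argument no matter what characters it contains; the allowlist and pattern check then keep the handler from being an arbitrary-argument launcher even without a shell.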
On December 8, 2024, BeyondTrust notified one of its customers, the U.S. Treasury, of the stolen API key, which the attackers used to access U.S. Treasury systems. We know now that those threat actors were Chinese nation-state hackers. In a letter to lawmakers dated December 30, 2024, the Treasury Department stated:
With access to the stolen key, the threat actor was able to override the service’s security, remotely access certain Treasury DO user workstations, and access certain unclassified documents maintained by those users.
This follows previous reports of Chinese nation-state hackers who infiltrated US telecom companies for espionage purposes.
Security & AI News
What Else is Happening?
🏆️ Bleeping Computer released their top news stories of 2024. I’m not sure the order is spot on, but it does encompass the biggest security jaw-droppers from last year.
🎄 Last week, I wrote about the Cyberhaven supply chain attack, which resulted in a malicious Chrome extension being published to the Chrome Web Store. A new Cyberhaven update shows that it all started with a phishing email, and the malicious update was built to steal Facebook credentials. We now know this widespread campaign impacted 33 Chrome extensions. Check to make sure you’re not using one!
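For the “check that you’re not using one” step above, here is an added script (not from Cyberhaven or this newsletter) that inventories the extensions unpacked in a local Chrome profile and matches their IDs against a flagged list. The flagged ID in it is a placeholder; substitute the IDs from Cyberhaven’s published list. The profile paths are Chrome’s standard per-OS locations, and the sample inventory is constructed so the script shows a hit when run offline.

```python
import json
import os
import re
import sys
from pathlib import Path

# Placeholder only; replace with the extension IDs from Cyberhaven's list.
# Chrome extension IDs are 32 characters drawn from the letters a-p.
FLAGGED_EXTENSION_IDS = {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",  # placeholder, not a real flagged ID
}
EXTENSION_ID_RE = re.compile(r"^[a-p]{32}$")


def default_extensions_dir(profile: str = "Default") -> Path:
    """Where Chrome keeps unpacked extensions for the given profile on each OS."""
    home = Path.home()
    if sys.platform.startswith("win"):
        base = Path(os.environ.get("LOCALAPPDATA", str(home / "AppData" / "Local")))
        return base / "Google" / "Chrome" / "User Data" / profile / "Extensions"
    if sys.platform == "darwin":
        return home / "Library" / "Application Support" / "Google" / "Chrome" / profile / "Extensions"
    return home / ".config" / "google-chrome" / profile / "Extensions"


def load_installed_extensions(extensions_dir: Path) -> dict:
    """Map extension ID -> manifest dict by reading <id>/<version>/manifest.json.
    Only directory names that look like extension IDs are considered, because
    Chrome also keeps a 'Temp' folder alongside them."""
    installed = {}
    if not extensions_dir.is_dir():
        return installed
    for ext_dir in extensions_dir.iterdir():
        if not (ext_dir.is_dir() and EXTENSION_ID_RE.fullmatch(ext_dir.name)):
            continue
        for version_dir in ext_dir.iterdir():
            manifest_path = version_dir / "manifest.json"
            if manifest_path.is_file():
                with open(manifest_path, encoding="utf-8") as fh:
                    installed[ext_dir.name] = json.load(fh)
    return installed


def find_flagged(installed: dict, flagged_ids: set) -> list:
    """Return sorted (id, name, version) tuples for installed extensions on the flagged list.
    The manifest name may be a localization key such as '__MSG_appName__';
    the ID is what the match is made on."""
    hits = []
    for ext_id, manifest in installed.items():
        if ext_id in flagged_ids:
            hits.append((ext_id,
                         str(manifest.get("name", "?")),
                         str(manifest.get("version", "?"))))
    return sorted(hits)


# Constructed sample inventory so the script demonstrates a match offline.
SAMPLE_INSTALLED = {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {"name": "Sample Flagged Extension", "version": "2.4.1"},
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {"name": "Sample Benign Extension", "version": "1.0.0"},
}

if __name__ == "__main__":
    real = load_installed_extensions(default_extensions_dir())
    inventory = real if real else SAMPLE_INSTALLED
    hits = find_flagged(inventory, FLAGGED_EXTENSION_IDS)
    for ext_id, name, version in hits:
        print(f"FLAGGED {ext_id} {name} {version}")
    print(f"{len(inventory)} extensions checked, {len(hits)} flagged")
```

Matching on the ID rather than the display name matters because a malicious update keeps the original extension’s ID and name; the version string is worth recording because the compromised releases were specific versions pushed as updates.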
🤦 A zero-day popped up last week, supposedly impacting the popular 7-Zip archiving utility. Only one problem: it wasn’t real. No one could get the exploit to work, and the developer behind 7-Zip called it a flat-out lie.
🎖️ Authorities arrested a 20-year-old U.S. Army soldier for his role in selling and leaking AT&T and Verizon customer call records last year that another hacker had obtained during the Snowflake account hacks.
⚕️ The Office for Civil Rights (OCR) proposed updated cybersecurity requirements as part of a refresh to the HIPAA rules. It includes things like mandating MFA (yay!) and more written security plans and documentation that people will write but not read or follow (boo!). It’s a hefty list that will be difficult for smaller firms to manage (like requiring a pentest every year). We’ll see how much of it sticks past the comment period, which ends in early March.
🩻 A study on AI-based ultrasound evaluations found that AI models outperformed expert examiners at identifying ovarian tumors in ultrasound images. AI models had an accuracy rating of 86.3%, while experts had an 82.6% accuracy rating. While that may sound small, tell that to the person in that 4% gap who went undiagnosed. Humans still play a very important role, but an AI-based first pass like this seems like an easy win for healthcare.
If you enjoyed this, forward it to a fellow cyber nerd.
If you’re that fellow cyber nerd, subscribe here.
See you next week, nerd!