Reverse engineering the Dept. of Treasury breach (and how to avoid it happening to you)
Gal Diskin
Threat intelligence teams are busy studying the December 2024 Department of Treasury breach, looking for patterns and detailing indicators of compromise to help other organizations prevent and detect similar attacks. This type of post-mortem is healthy and necessary for our industry to share lessons learned so we can all see the next one coming. As non-human identities like API keys exponentially increase, the incident is a cautionary tale for us all.
Here’s what we know:
The United States Department of Treasury used a third-party SaaS service to provide technical support to remote workers in their Department Offices. Providing remote access to sensitive data and resources is a growing need for organizations with distributed employees and hybrid work environments.
Yet, remote access can be a vulnerable part of your attack surface. Most remote access solutions require you to open network ports to inbound traffic. They also offer limited auditing with only basic event logs, increasing the chance you’ll miss malicious activities.
To secure remote access Gartner recommends Remote Privileged Access Management (RPAM), which allows granular access to authorized privileged accounts by using PAM gateways that broker access. The most secure remote access systems only allow for one-way traffic—from your PAM vault out.
In this case, the third-party remote access system was connected to Treasury’s internal IT systems via an API key—a non-human identity—which allowed for password resets of local application accounts on user workstations.
All was working well, until the API key was compromised by Chinese hackers.
An Advanced Persistent Threat (APT) leveraged a vulnerability in the remote access software. Analysts believe this is one of a string of state-sponsored attacks that follow a pattern of exploiting vulnerable third-party relationships, including fragile or insecure API integrations.
Early in December, the software vendor discovered the issue and addressed it transparently on their website. They revoked the API key so it could no longer be used and let relevant customers know.
However, by that time, it seems attackers were already inside the Treasury Department. Once attackers had access to the API key, they used it to unlock several systems, including user workstations, which had unclassified information stored locally.
What does the Treasury breach mean for your organization and your identity security strategy?
Mitigate high-risk non-human identities like APIs
APIs are essential components of an integrated IT ecosystem and provide access to critical systems and data. However, insecure APIs and exposure of API secret keys, which authenticate and authorize requests to an API, can jeopardize your security.
You should manage API keys as sensitive secrets and apply best practices such as securing them in an encrypted vault and regularly rotating them.
- Never expose API keys in plain text or store them in code, especially if your code is shared on platforms like GitHub.
- Always maintain separate API keys for each service and limit their use to necessary scopes and domains.
- Automatically rotate secrets such as API keys. That way, if an attacker gets their hands on an older key it will be out of date.
Check out more API security best practices >
Stay vigilant with continuous detection and response
Attackers often sit on stolen credentials for some time before using them, sometimes selling them on the Dark Web or via access brokers. Once inside your IT environment, they may dwell for days or weeks before acting.
Holiday times, when companies run with skeleton staff, can be good opportunities for attackers to fly under the radar. Plus, with many more people traveling, remote access systems have become an attractive target. Automating security best practices can help share the burden.
Continuous discovery and context-aware detection are key. Treasury might have discovered this breach earlier by detecting indicators of compromise such as a lot of password resets or unusual login or download activity at the workstation level.
In addition, they could have added identity verification (MFA) steps so that even if local password resets were fraudulently attempted, an unauthorized user wouldn’t have been able to proceed without additional layers of assurance.
Cyber resilience and multi-layered defense are essential
Make sure you follow coding best practices and quality checks. Still, bugs and flaws happen with all types of software vendors. So, keep patching. Keep track of known issues in any third-party software you use, especially if you have an API connecting directly to your internal systems.
To provide the “all clear,” the software vendor hired a third-party forensics firm, a best practice in cases like this. It’s good practice to be prepared; make sure you know who you would hire if needed. To conduct post-even forensics, make sure you have easy-to-access and easy-to-analyze audit trails of privileged behavior—both for human users and non-human identities—to support investigations and root cause analysis.