What banks can learn from the Treasury breach 

January 3, 2025

Many aspects of the cybersecurity breach the Treasury Department recently disclosed are alarming: the fact that hackers broke in through a tool meant to keep bad actors out, the fact that documents were stolen, the fact that investigators think the perpetrators worked for the Chinese government. 

To these add two more: the hackers lurked inside the Treasury’s computers undetected, in what’s called an advanced persistent threat. And U.S. banks are susceptible to this same kind of attack.

Here are some takeaways from the Treasury breach for banks.

Beware of advanced persistent threats

“Nation-state actors and advanced persistent threats are indeed a key threat vector for the financial sector,” said John Denning, chief information security officer at the Financial Services Information Sharing and Analysis Center. 

In advanced persistent threat attacks, hackers typically break into a system using some form of social engineering, then inject hitherto unknown strains of malware that lurk for months unnoticed, gathering information and preparing to take action such as stealing data and documents. 

“The advanced part relates to the technology, the persistence, to the resources, to the patience, to the dedication that the adversary uses against the target,” said Samuel Visner, adjunct professor at Georgetown University and chair of the Space Information Sharing and Analysis Center.

Each advanced persistent threat is unique, which makes this type of attack difficult to detect. “As fast as you can generate an inoculation to one of these vulnerabilities or malware intrusions or capabilities,” another one emerges or an existing one morphs into something unrecognizable, said Hector Falcon, lead analyst for the Space Information Sharing and Analysis Center.

The need to police third-party software vendors

The hackers who breached the Treasury Department got in through BeyondTrust’s cloud-based remote support service, which Treasury uses to give technical support people remote access to end users’ workstations. The attackers accessed a key BeyondTrust uses to secure the service.

“With access to the stolen key, the threat actor was able to override the service’s security, remotely access certain Treasury user workstations, and access certain unclassified documents maintained by those users,” wrote Aditi Hardikar, assistant secretary for management at the Department of the Treasury, in a letter to Sen. Sherrod Brown, D-Ohio, and Tim Scott, R-South Carolina.

The government has not said which documents were accessed, or what was in those documents.

“The lesson learned here, sadly, is that the adversary is smart and decided to go after the security solution, and once they were able to compromise the security solution, then they went after their intended target,” Visner said. 

BeyondTrust said it identified and disclosed security vulnerabilities to clients, including the Treasury Department, on Dec. 8, and that it has found and patched the vulnerabilities. It’s posting updates on the situation on a dedicated web page.

Another lesson for banks is that they need to seriously worry about their supply chain and vendors, Visner said. 

Banks have been breached through software providers in the past. In March 2020, Finastra was hit with a ransomware attack that caused outages at some of the core banking software provider’s bank clients. In November 2023, the LockBit ransomware gang hacked into Infosys McCamish Systems, a third-party vendor that provided services for Bank of America’s deferred compensation plans, and exposed the personal information of more than 57,000 Bank of America clients. 

“You assume you have good security because you have a security operations center and you have a firewall and you have intrusion-detection systems and intrusion-protection systems and you have a security information event management system and you’re doing log correlation — you’re doing all these things,” Visner said. “But you’re also buying services and products from others. So one of the questions that you should be asking is, what do I know about the security of my providers?”

Cloud providers offer clients like banks a menu of products and services, Falcon said.

“But in doing so, are you absorbing their security-threat landscape? And the answer is yes, you are,” Falcon said. “You’re absorbing how secure they may or may not be with regards to ports, protocols, technologies, information strategies. Are they an overseas-based company that’s leveraging third-party software that maybe hasn’t been vetted in order to go ahead and meet the bottom line?”

Most keys to application programming interfaces, the mechanisms through which data is shared between banks and third-party suppliers, are not encrypted, Falcon said. “The bulk of API keys are not stored in a secure vault or mechanism in order to reinforce security,” he said.

Denning said that although banks are highly regulated and therefore forced to have robust security, third-party service providers often do not have the same requirements.

“However, banks must understand that their supply-chain risks are effectively their own risks, as has been demonstrated with the many third-party incidents over the last several years,” he said. “Firms can no longer rely on the standard security questionnaires of yesteryear and must take an active approach in order to mitigate third-, fourth- and nth-party risks as much as possible.”

Some banks need to be mindful of their own cyber hygiene, ensuring strong identity and access management and implementing multifactor authentication across the enterprise, Denning said.

They should also require that their suppliers implement the same cyber fundamentals, he said.

“Larger financial institutions should take the lead in building robust security requirements into contracts where possible, bolstering the resilience of the sector and in turn benefiting smaller firms that lack the ability to adjust contracts,” Denning said.

In a twist of irony, this is a point that has been hammered at banks by the Treasury Department itself. In a 2023 report, the Treasury shared several concerns about banks’ use of cloud computing, including a lack of transparency among cloud service providers, which hampers banks’ ability to monitor their vendors; a shortage of cloud-computing expertise at community banks; and the concentration risk caused by having a small number of providers serving a large number of financial institutions.

Periodic conversations with all software and service providers about security are critical. “It’s important to ask your providers what they are doing, and maybe ask for some attestation about what they’re doing,” Visner said. “That isn’t going to make it foolproof. But I think overall, sensitizing all your providers to your security concerns, and hardening as much of the supply chain as possible, is useful.”

Need for information sharing

One thing banks can do that would help on all cyber fronts is improve information sharing with others, even about security incidents that don’t appear too serious but that could be precursors to fiercer attacks. 

“It’s a weapons test,” Visner said. “You don’t use the weapon until you’ve tested it in a variety of places. Eventually, you might even test it on a live target.” 

This includes cross-sector information sharing, Visner said. “Maybe you’re in the financial services sector, but you want to share information with the IT sector, or the telecom sector, or any other sector that you’re dependent on. One of the things we’ve noted is that almost every critical infrastructure sector is dependent on all of the others.”

Adversaries such as the Chinese hackers said to be behind the Treasury incident are clever, Visner said. 

“If you look at the forensics of this attack, it’s pretty darn sophisticated,” Visner said. “These people are not stupid. If you were to take off your moral hat for a moment, there’s a lot you’d admire in what they did. I would prefer not to in this instance. But they weren’t lazy, they’re not stupid. They knew what they intended to do.”
