Contents
01. News Bites
- Chinese hackers breach US Treasury in sophisticated cyber attack
- Pro-Russian hackers target French city websites in retaliation for Ukraine support
- Cyberattack disrupts Thomas Cook India's IT systems
- Cisco confirms leaked data from DevHub breach; no system compromise
02. Conclusion
Chinese hackers breach US Treasury in sophisticated cyber attack
Chinese state-sponsored hackers infiltrated the US Treasury Department earlier this month, accessing several employee workstations and unclassified documents. The breach exploited a vulnerability in BeyondTrust, a third-party cybersecurity provider, which allowed attackers to override parts of the system.
The Treasury Department confirmed the compromised service has been taken offline, and there is no evidence of continued access. However, this attack coincides with a separate breach, dubbed "Salt Typhoon," targeting three major US telecommunications companies, where hackers accessed lawmakers’ calls and messages.
After the BeyondTrust alert, the Treasury engaged the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and forensic experts to assess the impact. A full report is expected within 30 days.
BeyondTrust acknowledged the compromise of a digital key affecting a limited number of customers, while China’s embassy in Washington denied involvement, accusing the US of baseless accusations.
The Treasury reiterated its commitment to safeguarding financial systems.
Pro-Russian hackers target French city websites in retaliation for Ukraine support
The websites of several French cities, including Marseille and Tarbes, were taken offline on Tuesday following cyberattacks by the pro-Russian hacker group NoName. The collective claimed responsibility for the attacks on social platform X, calling them retaliation for France's support of Ukraine.
At 1600 GMT, the affected sites also included the Haute-Garonne department, though other targeted locations, such as Nantes, Bordeaux, and Nice, remained operational. Marseille's town hall confirmed the attacks, stating that protective measures were activated, causing the sites to become temporarily inaccessible.
NoName, known for its use of Distributed Denial of Service (DDoS) attacks, saturated servers with overwhelming traffic to disable access. These attacks do not typically involve data theft but aim to spread propaganda and create an impression of digital insecurity, according to ESET cybersecurity expert Benoit Grunemwald.
French officials have downplayed the impact, with some cities reporting no disruptions.
Cyberattack disrupts Thomas Cook India's IT systems
Thomas Cook India's IT infrastructure faced a cyberattack, forcing the company to shut down affected systems, as revealed in an exchange filing on Tuesday. The company immediately initiated investigations and is collaborating with leading cybersecurity experts to assess the extent of the breach and implement remedial measures.
The filing stated: “We have taken necessary steps to investigate and respond to the incident, including shutting down affected systems.”
Under Schedule III of Sebi (Listing Obligations and Disclosure Requirements) Regulations, 2015, listed companies must disclose significant cyberattacks impacting operations, finances, or reputation within 24 hours. Thomas Cook India's disclosure reflects compliance with these regulations to ensure transparency and protect investor trust.
The company continues to focus on containment efforts while securing its IT systems and engaging stakeholders. Cybersecurity experts emphasise the importance of swift action to minimise operational and reputational risks in such incidents.
Cisco confirms leaked data from DevHub breach; no system compromise
Cisco has confirmed the authenticity of data leaked by the hacker "IntelBroker," originating from a previously disclosed security incident involving its public-facing DevHub. The DevHub served as a resource centre for customers, offering source code, scripts, and other materials.
IntelBroker announced on October 14 that he and others accessed Cisco systems, stealing source code, certificates, credentials, and other sensitive information. However, Cisco’s investigation revealed no breach of its systems; the data was extracted from the DevHub environment. While much of the data was already public, Cisco acknowledged that some files were not meant to be accessible.
The hacker initially claimed to have stolen 4.5TB of data but has so far leaked approximately 7GB, including source code, scripts, and configuration files. Cisco maintains that the leaks align with the October dataset and do not provide access to its production or enterprise environments. The company continues to monitor the situation.
Conclusion
If you are worried about any of the threats outlined in this bulletin, or need help determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager or, alternatively, get in touch to find out how you can protect your organisation.
Disclaimer
The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.