Full Report
The OCC said the February incident resulted in the theft of “highly sensitive information” tied to the financial conditions of federally regulated institutions. The post Treasury bureau notifies Congress that email hack was a ‘major’ cybersecurity incident appeared first on CyberScoop.
Analysis Summary
# Incident Report: OCC Email System Data Theft
## Executive Summary
The Office of the Comptroller of the Currency (OCC) experienced a "major" cybersecurity incident resulting from an unauthorized compromise of an administrative email account. This breach led to the exfiltration of highly sensitive information pertaining to the financial condition of federally regulated institutions, with data spanning back to May 2023. In response, the OCC disabled affected accounts promptly upon discovery and initiated internal and independent investigations, acknowledging long-held organizational deficiencies contributed to the unauthorized access.
## Incident Details
- Discovery Date: February 11
- Incident Date: Unauthorized access began as early as May 2023 (based on data exfiltration timeframe)
- Affected Organization: Office of the Comptroller of the Currency (OCC)
- Sector: Financial Regulation/Government
- Geography: Not specified (US Federal Agency)
## Timeline of Events
### Initial Access
- **Date/Time:** Unknown, but activity potentially began as early as May 2023.
- **Vector:** Compromise of an administrative account within the OCC email system.
- **Details:** Attackers interacted with agency mailboxes in an unusual fashion, triggering a notification on February 11.
### Lateral Movement
- **Date/Time:** Confirmed unauthorized access existed leading up to February 11.
- **Details:** The attacker utilized the compromised administrative account to access and potentially move data across "a limited number of affected email accounts" associated with 103 bank regulators.
### Data Exfiltration/Impact
- **Date/Time:** Ongoing from May 2023 to February 2025.
- **Details:** Theft of "highly sensitive information relating to the financial condition of federally regulated financial institutions used in its examinations and supervisory oversight processes." Over 150,000 emails were exposed. The motivation is suspected to be espionage or financial gain, as the data provides a "blueprint of sector-level risk."
### Detection & Response
- **Date/Time:** Detection on February 11; unauthorized access confirmed and accounts disabled on February 12; public disclosure on February 26; notification to Congress later (April 2025).
- **Details:** IT staff confirmed unauthorized access on February 12 and immediately disabled the compromised accounts. The OCC launched internal and independent investigations and is cooperating with CISA and the Department of the Treasury.
## Attack Methodology
- **Initial Access:** Compromise of an administrative email account.
- **Persistence:** Not explicitly detailed, but the long duration (May 2023 to February 2025) suggests the adversary maintained access, possibly through stolen credentials linked to the administrative role.
- **Privilege Escalation:** Implicitly achieved by exploiting/gaining control over a high-privilege administrative account, allowing broad access to agency mailboxes.
- **Defense Evasion:** Not detailed, but the sustained, long-term access indicates the activity was likely stealthy or bypassed existing security controls until unusual mailbox interaction was flagged.
- **Credential Access:** Unknown specifics, but compromise likely involved obtaining privileged credentials for the administrative account.
- **Discovery:** Access to 103 bank regulators' emails suggests the attacker was actively reviewing communications related to supervisory oversight and financial risk postures.
- **Lateral Movement:** Movement between agency mailboxes utilizing the compromised administrative credentials.
- **Collection:** Gathering of approximately 150,000 emails dating back to May 2023.
- **Exfiltration:** Theft of the collected sensitive financial information.
- **Impact:** Theft of highly sensitive regulatory data pertaining to US financial institutions.
## Impact Assessment
- **Financial:** Not specified, but the incident was classified as "major."
- **Data Breach:** Theft of over 150,000 emails from 103 bank regulators, containing "highly sensitive information relating to the financial condition of federally regulated financial institutions."
- **Operational:** The OCC acknowledged "long-held organizational and structural deficiencies" that contributed to the breach, suggesting internal process failures. Regulator oversight processes were potentially compromised.
- **Reputational:** The notification to Congress and the public disclosure mark this as a significant security failure for a Treasury bureau.
## Indicators of Compromise
- **Network indicators:** None specified.
- **File indicators:** None specified.
- **Behavioral indicators:** Unusual interaction by an administrative account with agency mailboxes.
## Response Actions
- **Containment measures:** Disabled the compromised administrative email accounts immediately upon confirmation of unauthorized access on February 12.
- **Eradication steps:** Ongoing internal and independent investigations to determine the full extent of the breach.
- **Recovery actions:** Remedying "long-held organizational and structural deficiencies," according to the Acting Comptroller.
## Lessons Learned
- The organization was vulnerable due to "long-held organizational and structural deficiencies."
- The compromise of an administrative account provided an extensive window (from May 2023 until discovery in February 2025) for data exfiltration.
- Incident disclosure required external pressure (notification to Congress) to yield significant details beyond the initial vague statement.
## Recommendations
- Immediate remediation of identified "organizational and structural deficiencies."
- Review and strengthen controls around the use and monitoring of administrative email accounts, focusing on anomaly detection for long-term, low-and-slow exfiltration.
- Enhance security monitoring capabilities to detect unusual activity within accounts spanning months or years.
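The behavioral indicator above (an administrative account interacting with many agency mailboxes) and the recommendation to detect long-term, low-and-slow activity can be turned into a concrete detection. The following is an added example written for this report, not code from the OCC, CyberScoop, or any product; it runs over constructed mailbox-access audit records in a hypothetical JSON-lines schema (`ts`, `actor`, `mailbox`, `op`) and flags any actor that reads many other people's mailboxes across a long period at low daily volume. The thresholds (5 mailboxes, 60 days, 10 active days) are assumptions to be tuned against an organization's own baseline.

```python
"""
Persistent mailbox fan-out detection (added example, constructed data).
Flags accounts that touch many mailboxes other than their own over a long
span with steady low-volume activity, the pattern described in this report.
"""
import json
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed audit records in a hypothetical JSON-lines schema; not real OCC data."""
    lines = []
    base = datetime(2024, 6, 1, 9, 0)
    # A mail admin account reading one examiner mailbox a week, cycling through
    # eight different mailboxes for roughly eight months (low and slow).
    for i in range(36):
        ts = base + timedelta(days=7 * i)
        mailbox = f"examiner{i % 8:02d}@agency.example"
        lines.append(json.dumps({"ts": ts.isoformat(), "actor": "mail-admin",
                                 "mailbox": mailbox, "op": "MailItemsAccessed"}))
    # An examiner reading only their own mailbox every day (benign, high volume).
    for i in range(200):
        ts = base + timedelta(days=i, hours=1)
        lines.append(json.dumps({"ts": ts.isoformat(), "actor": "examiner03",
                                 "mailbox": "examiner03@agency.example", "op": "MailItemsAccessed"}))
    # Helpdesk touching two mailboxes during one support ticket (benign, short burst).
    for mb in ("examiner05@agency.example", "examiner06@agency.example"):
        ts = base + timedelta(days=10, hours=3)
        lines.append(json.dumps({"ts": ts.isoformat(), "actor": "helpdesk",
                                 "mailbox": mb, "op": "MailItemsAccessed"}))
    return "\n".join(lines)


def parse_records(text):
    """Parse JSON lines into dicts with a datetime timestamp; skips blank lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        records.append(rec)
    return records


def profile_actors(records):
    """Per actor: distinct foreign mailboxes, distinct active days, first/last access."""
    profiles = {}
    for r in records:
        p = profiles.setdefault(r["actor"], {"mailboxes": set(), "days": set(),
                                             "first": r["ts"], "last": r["ts"]})
        # Reading one's own mailbox is expected; only count other mailboxes.
        if r["mailbox"].split("@")[0] != r["actor"]:
            p["mailboxes"].add(r["mailbox"])
        p["days"].add(r["ts"].date())
        p["first"] = min(p["first"], r["ts"])
        p["last"] = max(p["last"], r["ts"])
    return profiles


def find_persistent_fanout(records, min_mailboxes=5, min_span_days=60, min_active_days=10):
    """Return findings for actors whose foreign-mailbox access is both broad
    (many mailboxes) and persistent (long span, many active days).
    Thresholds are assumed defaults, not values from the report."""
    findings = []
    for actor, p in profile_actors(records).items():
        span = (p["last"] - p["first"]).days
        if (len(p["mailboxes"]) >= min_mailboxes
                and span >= min_span_days
                and len(p["days"]) >= min_active_days):
            findings.append({"actor": actor,
                             "distinct_mailboxes": len(p["mailboxes"]),
                             "span_days": span,
                             "active_days": len(p["days"])})
    return sorted(findings, key=lambda f: f["distinct_mailboxes"], reverse=True)


if __name__ == "__main__":
    for f in find_persistent_fanout(parse_records(build_sample_log())):
        print(f)
```

The examiner reading their own mailbox generates far more events than the admin account yet is never flagged, and the helpdesk burst fails the span test; the detection keys on breadth and persistence rather than volume, which is what a "low and slow" collection pattern defeats in simple rate-based alerts. In a real deployment the own-mailbox rule would be replaced by a lookup of delegated or approved access, and the thresholds derived from historical per-role baselines.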