Full Report
The U.S. Office of the Comptroller of the Currency told Congress that a breach of its email systems reported in February involved "highly sensitive information" in the accounts of high-ranking officials.
Analysis Summary
# Incident Report: OCC Executive Email System Compromise
## Executive Summary
Hackers gained unauthorized access to the email systems of the U.S. Office of the Comptroller of the Currency (OCC), compromising the accounts of approximately 100 executives and employees and exposing over 150,000 emails dating back to June 2023. The compromise involved highly sensitive information related to the financial condition of federally regulated institutions, leading the OCC to classify it as a "major information security incident" due to potential harm to public confidence. Response actions included immediate isolation of systems, disabling compromised administrative accounts, and ongoing investigation, with internal reviews initiated to address underlying organizational deficiencies.
## Incident Details
- **Discovery Date:** February 11 (Year not specified, implied 2024/2025 based on notification timeline)
- **Incident Date:** Began as early as June 2023
- **Affected Organization:** U.S. Office of the Comptroller of the Currency (OCC), an independent bureau within the Treasury Department.
- **Sector:** Financial Regulation/Federal Government
- **Geography:** United States
## Timeline of Events
### Initial Access
- **Date/Time:** As early as June 2023 (when exfiltrated emails begin).
- **Vector:** Unauthorized access via a system administrative account in the office automation environment.
- **Details:** Hackers maintained access for an extended period, utilizing compromised credentials to access user mailboxes.
### Lateral Movement
- **Details:** Attackers moved from the administrative account to access the mailboxes of approximately 100 senior officials and over 150,000 emails. The mechanisms for internal network traversal beyond the mail system are not detailed, but the scope suggests broad email accessibility.
### Data Exfiltration/Impact
- **Details:** "Highly sensitive information relating to the financial condition of federally regulated financial institutions used in its examinations and supervisory oversight processes" was accessed. The incident was classified as "major" and is anticipated to "result in demonstrable harm to public confidence."
### Detection & Response
- **Date/Time:** February 11 (Detection); February 12 (Isolation/Termination).
- **Detection:** The OCC discovered the issue upon seeing "unusual interactions between a system administrative account in its office automation environment and OCC user mailboxes."
- **Response Actions:** Cybersecurity experts were hired, CISA was notified, impacted systems were isolated on February 12, and the compromised administrative accounts were disabled, terminating unauthorized access. A public statement followed on February 26.
## Attack Methodology
- **Initial Access:** Compromise of a system administrative account.
- **Persistence:** Maintained access via the compromised administrative account over an extended period (June 2023 – February 2024).
- **Privilege Escalation:** Not explicitly detailed, but the use of an *administrative account* suggests a high level of initial compromise or successful privilege escalation prior to the discovery timeframe.
- **Defense Evasion:** Maintained sustained unauthorized access without early detection over several months.
- **Credential Access:** Likely involved compromise or misuse of highly privileged credentials linked to the administrative account.
- **Discovery:** Not detailed, implied internal monitoring detected unusual mailbox activity.
- **Lateral Movement:** Gained access across numerous user mailboxes (approx. 100 officials).
- **Collection:** Gathering of email content and attachments.
- **Exfiltration:** Exfiltration of over 150,000 emails containing sensitive regulatory information.
- **Impact:** Exposure of sensitive banking regulatory data, significant risk to public confidence.
## Impact Assessment
- **Financial:** Not specified.
- **Data Breach:** Highly sensitive data concerning the financial condition of federally regulated institutions; emails and attachments dating back to June 2023. Scope: ~100 executive/employee mailboxes, >150,000 emails.
- **Operational:** Disruption requiring immediate system isolation and expert engagement, but no immediate indication that the wider financial sector was impacted.
- **Reputational:** High; classified as a "major incident" likely to cause demonstrable harm to public confidence.
## Indicators of Compromise
- **Network indicators:** *(Not publicly disclosed/Defanged)*
- **File indicators:** *(Not publicly disclosed)*
- **Behavioral indicators:** Unusual interactions originating from a system administrative account against OCC user mailboxes.
## Response Actions
- **Containment:** Compromised administrative accounts were disabled; unauthorized access was terminated; affected systems were isolated on February 12.
- **Eradication:** Disabled compromised accounts and initiated forensic analysis.
- **Recovery:** Ongoing examination of accessed emails and attachments; internal reviews launched to address security deficiencies.
## Lessons Learned
- Prolonged unauthorized access (over 8 months) via a single high-privilege account indicates potential failures in privileged access management and monitoring.
- The incident was severe enough to be classified as "major," highlighting the risk posed by sensitive internal regulatory data being accessible via standard email systems.
- Remediation will require addressing "long-held organizational and structural deficiencies" that contributed to the vulnerability.
## Recommendations
- Immediately conduct a comprehensive audit and overhaul of Privileged Access Management (PAM) controls, focusing specifically on system administrative accounts.
- Enhance continuous monitoring of administrative account activity and mailbox access patterns for anomalous behavior in near real-time, rather than relying on retrospective detection.
- Review data classification policies to ensure highly sensitive regulatory data is not readily accessible via standard, potentially compromised, email infrastructure.
- Implement multi-factor authentication (MFA) across all administrative and executive accounts.