Years-Long Security Breach at National Bank Regulator Leads to 150,000 Stolen Emails

Apr 16, 2025

Though news of it is only just appearing now, it seems that the US Treasury’s Office of the Comptroller of the Currency (OCC) has been hacked and had data exfiltrated from it for a long period of time. The security breach was discovered in February of this year, but dates back to a mid-2023 compromise of an administrator account. There has not been an attacker attribution as of yet, but the term of the breach and the interest in an agency that regulates national banks (rather than handling money) points to espionage.

During the roughly year-and-a-half that the security breach was active, about 100 email accounts were monitored by the attacker and it is estimated that they viewed about 150,000 messages in total. The real-world damage this might have created remains unclear, but the matter was serious enough for the bank regulator to declare it a “major” security breach and for Congress to be briefed on the potential threat.

Security breach took place during other treasury department attacks

OCC is the nation’s top bank regulator, charged with overseeing the country’s financial institutions and government savings associations. It also oversees foreign banks that have a business presence in the country. Given that information, and the fact that the hackers would have had no access to money or account information, the incident points to a nation-state APT group looking to gather information.

An emergency briefing for Congress was assembled because of the potential impact of the security breach on the nation. There are a number of different possibilities if a nation-state threat actor is involved, from leaking of information from bank investigations to manipulation of the financial markets. They might also be interested in follow-on attacks on individual banks if leads on vulnerabilities can be gleaned from the stolen correspondence.

There is not much technical information available about the security breach as of yet, save that the root cause appears to be a mid-2023 compromise of an OCC administrator account. Acting Comptroller of the Currency Rodney E. Hood did issue a statement citing “long-held organizational and structural deficiencies,” pointing to more serious problems that limited the agency’s ability to detect the intruders as they remained inside its systems into early 2025.

Bank regulator scanned email accounts dating back to 2022

The bank regulator has said that the security breach appears to disproportionately impact upper-level staff members, such as supervisors of international banking and the upper ranks of deputy comptrollers. As a precaution, all email account activity at the agency dating back to 2022 was scanned, and reportedly a limited number of accounts were disabled for security reasons.

The security breach was discovered on February 11, and the attacker’s access was cut off on February 12. The timing does point to Chinese hackers, who are thought to have been behind a concurrent breach of the US Treasury that took place in late 2024. That breach did not involve the bank regulator, however, and has been attributed to the Silk Typhoon hacking group.

Chinese hackers are a very likely possibility, but Russian hackers have also shown interest in Treasury Department operations before. Whatever the case, details will likely be thin given the sensitive nature of the information involved. The most interesting potential connection is if the OCC breach somehow enabled the late 2024 hackers to move laterally into other agencies.
