Hackers Lurked in US Bank Regulator’s Systems for Over a Year After 2023 Security Breach

A June 2023 security breach at the Treasury’s Office of the Comptroller of the Currency led to the theft of over 150,000 emails from about 100 accounts, but the damage is possibly more extensive as the hackers likely lurked in the bank regulator’s systems into early 2025.

The Office of the Comptroller of the Currency (OCC) has labeled the incident as a “major” security breach and has notified Congress about it. The suspicious activity was first spotted and addressed in mid-February of this year, and the response is still ongoing.

Executives and employees of top bank regulator breached

The security breach is believed to have originated with the compromise of an administrator account in 2023. The hackers then appear to have focused on quietly lurking in the system and monitoring select higher-level staff email accounts: senior deputy comptrollers, international banking supervisors and other executives among them.

CISA has said that there is no expected impact on the financial sector or private organizations from the security breach, but the damage done to the bank regulator is still under investigation. The OCC said that it has scanned all email accounts dating back to 2022 for suspicious activity and that a “limited amount” have been disabled.

The security breach was not discovered until February 11 of this year, and the compromised admin account was disabled on February 12. The attack on the bank regulator has not yet been attributed to any group, but the Treasury Department has been targeted by China’s state-sponsored hackers as of late and was compromised by one of these groups in late 2024 via a stolen API key. That breach, which was reported in January of this year, included a compromise of Treasury Secretary Janet Yellen’s computer that resulted in the theft of about 50 unclassified files.

Agency security breach may be part of heightened nation-state activity

The bank regulator supervises the national network of financial institutions, federal savings associations and agencies of foreign banks, but does not have direct access to the financial information of customers of these institutions or to their funds. Still, it is a high-profile target for a certain type of hacker: nation-state entities looking to spy. There has not yet been an attribution for this particular security breach, but this is the general purview of China’s “Silk Typhoon” team among other groups.

Mike Britton, CISO of Abnormal Security, highlights why a security breach of this sort is regarded as a serious national security issue: “This isn’t just a breach of data privacy – it’s also a potential national security concern. This is a major incident, not just because of the duration or the number of accounts compromised, but because of the sensitivity of the data involved. With access to confidential information on federally regulated banks, threat actors could manipulate markets and generally undermine trust in the banking system. They could use sensitive contact lists and internal communications to launch highly sophisticated phishing and business email compromise campaigns against banks or other agencies. And given the OCC oversees foreign bank branches, there’s the potential for adversarial nation-state actors to leverage this information for strategic advantage. And because the emails would be coming from legitimate inboxes, those phishing attempts would look especially convincing. As the second known data breach at the Treasury Department in just a few months, a repeated targeting pattern – especially on an organization like the U.S. Treasury – suggests attackers are looking for long-term strategic gain, whether it’s intelligence gathering, disruption or to influence operations. It also highlights a broader issue: attackers are no longer focused on one-off data theft; they’re seeking persistent access and influence across critical infrastructure. For federal agencies, that means the bar for cybersecurity maturity has to be higher, especially when it comes to identity, access controls, and continuous monitoring.”

Scott Weinberg, CEO at Neovera, adds that the hackers might be considering follow-on attacks by using inside information the bank regulator has about defensive shortcomings at its charges: “With the knowledge of a bank’s weaknesses or lack of cybersecurity controls and processes, a bad actor could easily take advantage of this information and launch a broad series of attacks to not only disrupt services, but to perpetrate fraud. Think about it, if a hacker knows who the weakest targets are, and in addition they know that target’s weakest areas, they will have a much easier time of wreaking havoc. They can essentially cherry pick the banks they want to go after. Even those banks with strong defenses and processes in place are vulnerable to attacks, because the sensitive data obtained may contain the names of systems the banks use, and it may also contain the processes the banks follow to mitigate risk and fraud. Given this, I would say that even a well-secured bank could be more vulnerable than they thought they were.”

OCC said that it is launching an immediate review of its IT security policies and procedures and will look for places to make improvements. Little technical information about the security breach has been made available as of yet, save for the detail of an initial administrator account compromise, but Acting Comptroller of the Currency Rodney E. Hood issued a statement indicting “long-held organizational and structural deficiencies” in the bank regulator’s system as a cause of the lengthy dwell time for the hackers.

Silk Typhoon has been implicated in more recent attacks on the Treasury, and China’s numerous hacking teams have been highly active in penetrating US critical infrastructure since tensions ratcheted up over Taiwan. But Russia’s state-backed teams also have a history of attacking the department, most notably when the SVR espionage unit broke in during the rash of SolarWinds attacks in late 2020.

The late 2024 security breach by Silk Typhoon involved the systems of the Committee on Foreign Investment in the United States (CFIUS). That office reviews foreign investments in the US, particularly real estate purchases, that might have an impact on national security. That campaign also involved a security breach at the Office of Foreign Assets Control (OFAC) that was likely aimed at gathering information on economic sanctions programs and international trade plans. Both of those attacks were a result of the breach of third-party managed services provider BeyondTrust, with the attackers able to steal one of its Remote Support SaaS API keys.

Actions like these, with a seeming lack of interest in profit, are a very strong sign of nation-state espionage. That and targeting a high-profile government entity like the national bank regulator points to another caper by the Chinese hackers, though time will tell. Joshua Roback, Principal Security Solution Architect at Swimlane, speculates that it is quite possible that the bank regulator attack has a direct connection to the one that took place a few months ago: “While it’s difficult to know for sure if there is a tie between this breach and the Department of Treasury hack in December, there is a strong likelihood of correlation in some fashion. That doesn’t necessarily mean that hackers were able to move laterally from one network to another. However, early stages of the attack chain, like information gathering on OCC personnel, processes, and technology, may have been gathered during the Treasury breach in December. If the attack group has pure financial incentive, having sensitive information from the OCC can lead to a similar impact as insider trading. Private knowledge about financial institutions may facilitate front-running. In a nation-state scenario, this sensitive information can be used to improve negotiating positions between governments or government-supported businesses, resulting in the threat of intellectual property and even providing opportunities for financial fraud. Cyber attacks are not always noisy, smash-and-grab events like in the case of ransomware attacks. Threat actors (especially nation-state actors) generally will stay quiet on the network for extended monitoring and information gathering. It’s important to not only maintain preventative and detection controls, but also proactively hunt for threats and anomalies on the network. Continuous assessment exercises like red teaming and purple teaming, as well as adopting a modern AI-driven automation strategy, are no longer optional given the growing sophistication of attacks.”

Gabrielle Hempel, Security Operations Strategist and Threat Intelligence Researcher for the Exabeam TEN18 Team, agrees that there may well be a link between the two events and adds that this highlights the importance of the federal government’s ongoing zero trust architecture implementation project: “There could potentially be a link between the OCC breach and the Treasury breach. Even absent attribution, the timing and the target profile (regulatory bodies overseeing the U.S. economy) suggest at the very least, a similarity in actor intent and at most potential campaign coordination. Both breaches involved sensitive infrastructure and occurred through potentially compromised third parties (email and cloud infrastructure). Access to 150,000+ emails containing sensitive information is potentially disastrous. Regulators’ communications are often intertwined with sensitive macroeconomic and risk posturing details. It could give attackers essentially a blueprint of sector-level risk in the U.S. Nation-state actors could use this information to destabilize markets, manipulate currency policy, or further target regulated institutions. Zero trust must be non-negotiable. Here, traditional perimeter defenses clearly failed. A year-long dwell time on high-value mailboxes is indefensible. Agencies need to invest in more advanced solutions that include continuous monitoring and automated alerting for anomalous access. Sensitive financial regulatory information should have access limited, and sensitive communications should be encrypted and housed in hardened systems – not just left in email. Finally, it’s important to remember that a breach at a financial regulator has downstream risk to other critical infrastructure sectors – especially if financial vulnerability data is used to influence energy markets, healthcare investment, or national defense budgeting.”
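The access pattern described earlier in the article (a compromised administrator account quietly reading a handful of executive mailboxes over many months) is exactly the kind of anomaly that the “continuous monitoring and automated alerting for anomalous access” Hempel calls for is meant to surface. The following Python is an added illustration of such a detection, not code from the article, the OCC or any vendor quoted here. The log format, account names, mailbox names and thresholds are all constructed assumptions for the example; real mailbox-audit exports differ in shape.

```python
"""Flag accounts that read other people's mailboxes over a long span.

Added example (not from the article or the OCC). Assumed input: one
comma-separated mailbox-audit event per line with the fields
timestamp,actor,mailbox_owner,operation. The detection is deliberately
simple: an actor who is not the owner reads several distinct mailboxes,
and does so over a long period, which is the low-and-slow pattern of a
compromised privileged account rather than a one-off mistake.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit lines (assumed format, not real OCC data).
SAMPLE_LOG = """\
2023-06-14T02:11:09Z,svc-admin,deputy.comptroller,MailItemsAccessed
2023-06-14T02:12:40Z,svc-admin,intl.supervisor,MailItemsAccessed
2023-06-14T09:00:01Z,alice,alice,MailItemsAccessed
2023-08-02T03:04:55Z,svc-admin,exec.two,MailItemsAccessed
2023-11-20T01:59:13Z,svc-admin,deputy.comptroller,MailItemsAccessed
2024-05-09T08:30:00Z,bob,bob,MailItemsAccessed
2024-05-09T08:31:00Z,bob,shared.mailbox,MailItemsAccessed
2025-02-10T02:47:31Z,svc-admin,exec.three,MailItemsAccessed
"""


def parse_log(text):
    """Parse the assumed CSV-style audit lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, actor, owner, op = line.split(",")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "actor": actor,
            "owner": owner,
            "op": op,
        })
    return events


def find_cross_mailbox_readers(events, min_distinct=2, min_dwell_days=30):
    """Return {actor: finding} for actors reading >= min_distinct mailboxes
    they do not own, with first-to-last access spanning >= min_dwell_days.

    Each finding also reports how much of that activity fell between
    00:00 and 06:00 UTC, since sustained off-hours reading of executive
    mail is a useful secondary indicator for an analyst to triage."""
    per_actor = defaultdict(list)
    for e in events:
        # Only non-owner reads are interesting; a user reading their own
        # mailbox is normal and a shared mailbox may be expected, so the
        # distinct-mailbox and dwell thresholds filter those out.
        if e["op"] == "MailItemsAccessed" and e["actor"] != e["owner"]:
            per_actor[e["actor"]].append(e)

    findings = {}
    for actor, evs in per_actor.items():
        owners = sorted({e["owner"] for e in evs})
        first = min(e["ts"] for e in evs)
        last = max(e["ts"] for e in evs)
        dwell_days = (last - first).days
        off_hours = sum(1 for e in evs if e["ts"].hour < 6)
        if len(owners) >= min_distinct and dwell_days >= min_dwell_days:
            findings[actor] = {
                "mailboxes": owners,
                "dwell_days": dwell_days,
                "first_seen": first.isoformat(),
                "last_seen": last.isoformat(),
                "off_hours_fraction": off_hours / len(evs),
            }
    return findings


if __name__ == "__main__":
    for actor, f in find_cross_mailbox_readers(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT {actor}: read {len(f['mailboxes'])} other mailboxes "
              f"over {f['dwell_days']} days "
              f"({f['off_hours_fraction']:.0%} off-hours): {f['mailboxes']}")
```

On the constructed sample, only the privileged account is flagged: it read four executives' mailboxes across roughly twenty months, entirely at night, while the ordinary user who opened one shared mailbox once falls below both thresholds. In a real deployment the same logic would run continuously over the mailbox-audit feed rather than once over a file, and the thresholds would be tuned against known help-desk and delegate-access patterns so that the alert stays rare enough to be acted on.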