Microsoft Reportedly Alerted Office of the Comptroller of the Currency to Breach

Hackers spied on “highly sensitive” emails sent and received by America’s banking regulator for nearly two years before their intrusion was finally spotted and stopped.
The Office of the Comptroller of the Currency, or OCC, on Tuesday first alerted Congress that it had suffered “a major information security incident,” as required by the Federal Information Security Modernization Act of 2014.
The independent Department of the Treasury bureau charters, regulates and supervises all national banks, federal savings associations, and federal branches and agencies of foreign banks.
“The OCC discovered that the unauthorized access to a number of its executives’ and employees’ emails included highly sensitive information relating to the financial condition of federally regulated financial institutions used in its examinations and supervisory oversight processes,” the bureau said Tuesday.
While the investigation into the breach remains ongoing, including reviewing the content of all breached emails and attachments, investigators have already discovered that the exposed content met the threshold for classifying this as a major security incident.
“I have taken immediate steps to determine the full extent of the breach and to remedy the long-held organizational and structural deficiencies that contributed to this incident,” said Acting Comptroller of the Currency Rodney E. Hood, who assumed his post on Feb. 10 after being appointed by Secretary of the Treasury Scott Bessent. “There will be full accountability for the vulnerabilities identified and any missed internal findings that led to the unauthorized access.”
Hood added: “The confidentiality and integrity of the OCC’s information security systems are paramount to fulfilling its mission.”
While the OCC has not said publicly when its systems were first breached, a draft letter from the bureau to Congress, seen by Bloomberg, said hackers spied on about 150,000 emails from May 2023 until early February, when a Microsoft security team spotted suspicious activity.
The bureau said publicly that it was first alerted to suspicious activity involving “unusual interactions between a system administrative account in its office automation environment and OCC user mailboxes” on Feb. 11, without naming the source.
On Feb. 12, OCC investigators confirmed that the activity stemmed from unauthorized access and triggered the bureau’s incident response plan, which included bringing in third-party investigators to determine the scope of the intrusion and reporting the incident to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, which helps secure federal civilian agencies. The same day, the OCC said, responders successfully “disabled the compromised administrative accounts and confirmed that the unauthorized access had been terminated.”
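The indicator the OCC described, an administrative account interacting with user mailboxes it does not own, can be expressed as a detection over Microsoft 365 mailbox-audit events. The Python below is an added example written for this article; it is not OCC, Treasury or Microsoft code. The log records are constructed, their field names follow the shape of Exchange Online MailItemsAccessed audit records, and the account names, timestamps, one-hour window and three-mailbox threshold are all assumptions.

```python
"""Toy detector for the indicator the OCC described: an administrative
account reading many user mailboxes. Added illustration for this article,
not OCC, Treasury or Microsoft code."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, one JSON object per line, shaped like
# MailItemsAccessed events exported from the Microsoft 365 unified audit log.
# Field names follow the Exchange Online mailbox-audit schema (UserId is the
# accessing account, MailboxOwnerUPN the mailbox read, LogonType 0 = owner,
# 1 = admin, 2 = delegate). Every account name, time and client is invented.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(r) for r in [
    # Owner reading their own mailbox: the benign baseline.
    {"CreationTime": "2025-02-10T13:02:11", "Operation": "MailItemsAccessed",
     "UserId": "a.examiner@example.gov",
     "MailboxOwnerUPN": "a.examiner@example.gov",
     "LogonType": 0, "ClientInfoString": "Client=OWA;Action=ViaProxy"},
    # Delegate opening the single mailbox they are delegated to: benign.
    {"CreationTime": "2025-02-10T13:05:40", "Operation": "MailItemsAccessed",
     "UserId": "assistant@example.gov",
     "MailboxOwnerUPN": "b.director@example.gov",
     "LogonType": 2, "ClientInfoString": "Client=MSExchangeRPC"},
    # Helpdesk admin troubleshooting one mailbox: admin logon, but no breadth.
    {"CreationTime": "2025-02-10T15:40:09", "Operation": "MailItemsAccessed",
     "UserId": "helpdesk-admin@example.gov",
     "MailboxOwnerUPN": "a.examiner@example.gov",
     "LogonType": 1, "ClientInfoString": "Client=OWA;Action=ViaProxy"},
    # An administrative account sweeping four executives' mailboxes in a few
    # minutes, overnight, through a programmatic client: the pattern to alert on.
    *[{"CreationTime": f"2025-02-11T02:{14 + 2 * i}:03",
       "Operation": "MailItemsAccessed",
       "UserId": "svc-exchadmin@example.gov", "MailboxOwnerUPN": owner,
       "LogonType": 1, "ClientInfoString": "Client=REST;Action=ViaEWS"}
      for i, owner in enumerate(["b.director@example.gov",
                                 "c.deputy@example.gov",
                                 "d.counsel@example.gov",
                                 "e.chief@example.gov"])],
])


def parse_audit_log(text):
    """Parse newline-delimited JSON audit records, ignoring blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def non_owner_access(records):
    """Mailbox reads where the accessing account is not the mailbox owner.
    Delegate and admin reads are routine in isolation, so this is the
    candidate set, not the alert."""
    return [r for r in records
            if r.get("Operation") == "MailItemsAccessed"
            and r["UserId"].lower() != r["MailboxOwnerUPN"].lower()]


def find_mailbox_sweeps(records, window=timedelta(hours=1), min_mailboxes=3):
    """Accounts that read at least `min_mailboxes` distinct mailboxes they do
    not own inside any `window`. Breadth in a short period, not a single
    non-owner read, distinguishes a sweep from delegate or helpdesk access.
    Returns {accessing_account: sorted mailboxes touched in the busiest window}.
    The threshold and window are assumptions; tune them to the tenant's
    observed delegate and helpdesk behaviour."""
    by_actor = defaultdict(list)
    for r in non_owner_access(records):
        ts = datetime.fromisoformat(r["CreationTime"])
        by_actor[r["UserId"].lower()].append((ts, r["MailboxOwnerUPN"].lower()))
    alerts = {}
    for actor, events in by_actor.items():
        events.sort()
        busiest = set()
        for i, (start, _) in enumerate(events):
            in_window = {mbx for ts, mbx in events[i:] if ts - start <= window}
            if len(in_window) > len(busiest):
                busiest = in_window
        if len(busiest) >= min_mailboxes:
            alerts[actor] = sorted(busiest)
    return alerts


if __name__ == "__main__":
    recs = parse_audit_log(SAMPLE_AUDIT_LOG)
    print(f"{len(non_owner_access(recs))} non-owner reads in {len(recs)} records")
    for actor, mailboxes in find_mailbox_sweeps(recs).items():
        print(f"ALERT {actor} read {len(mailboxes)} mailboxes: {', '.join(mailboxes)}")
```

Run as a script, the block flags only the hypothetical svc-exchadmin account; the delegate and the helpdesk administrator each touch a single mailbox and stay below the threshold. A look-back of the kind the OCC described on Feb. 26, analyzing all email logs since 2022, presupposes that mailbox auditing was enabled and the records retained for that whole period, which is the first thing to verify before trusting the output of a detection like this.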
The OCC first provided public notice of the incident on Feb. 26, saying that its probe “analyzed all email logs since 2022 for due diligence” and subsequently “identified a limited number of affected email accounts that have since been disabled.”
The OCC said at that time that “there is no indication of any impact to the financial sector at this time,” although an absence of evidence of impact is not evidence that there was none. The bureau traced the initial intrusion to a compromised email administrator account.
Hood ordered a full review of the bureau’s “IT security policies and procedures to improve its ability to prevent, detect and remediate potential security incidents,” and hopes to bring in independent experts to help refine its ability to respond to cybersecurity incidents, the OCC said.
While government officials have not yet attributed this breach to any nation-state or cybercrime hacking group, a number of recent, major attacks have been tied to Beijing-backed threat actors. That includes the alleged Chinese state actor tracked as Salt Typhoon, which has been accused of perpetrating a major infiltration of U.S. and other communications networks (see: Experts Warn Congress Another Salt Typhoon Attack Is Coming).
In January, U.S. officials disclosed a Department of the Treasury hack linked to Beijing that they described as being an escalation of “the most prolific and far-reaching attack spree on U.S. critical infrastructure,” which compromised the Office of Foreign Assets Control and other divisions tasked with sanctions enforcement (see: Chinese Hack Breached US Sanctions Office in Treasury Attack).
The Department of the Treasury has continued to sanction Chinese individuals and organizations, including government contractors, for allegedly having “directly or indirectly” enabled Beijing’s U.S. hacking endeavors. Beyond Salt Typhoon, those include attacks tied to a group tracked as Flax Typhoon, which law enforcement and intelligence agencies have accused of building a botnet composed of compromised consumer devices, for both cyberespionage and disruptive purposes.