Full Report
Unknown attackers who breached the Treasury's Office of the Comptroller of the Currency (OCC) in June 2023 gained access to over 150,000 emails. [...]
Analysis Summary
# Incident Report: Treasury OCC Email System Compromise (June 2023 - Present)
## Executive Summary
Threat actors gained unauthorized access to the Office of the Comptroller of the Currency (OCC) email system, potentially starting as early as June 2023. While the OCC initially reported a limited number of affected accounts, subsequent investigation indicated access to the email of approximately 100 bank regulators, amounting to over 150,000 emails. The incident was resolved by isolating and disabling the affected administrative accounts and reviewing email logs dating back to 2022.
## Incident Details
- **Discovery Date:** Early January 2025 (implied; the source gives the discovery as "this month" and the disclosure timeline tracks that of the related Treasury breaches)
- **Incident Date:** Attack activity initiated around June 2023.
- **Affected Organization:** U.S. Office of the Comptroller of the Currency (OCC)
- **Sector:** Financial Regulation / Government
- **Geography:** United States
## Timeline of Events
### Initial Access
- **Date/Time:** Since at least June 2023 (the earliest point at which attackers are known to have been present in the systems)
- **Vector:** Compromise of an administrative account within the OCC email system. (The specific initial vector for the OCC breach is not detailed in the source; the source links it contextually to broader Treasury breaches involving a stolen SaaS API key.)
- **Details:** Attackers maintained persistence within the environment for an extended period, from June 2023 until discovery.
### Lateral Movement
- *Details are limited in the source material. The scope (roughly 100 regulators' accounts reached from a compromised administrative account) suggests the attackers used administrative privilege over the email system to read many individual mailboxes rather than compromising each user separately.*
### Data Exfiltration/Impact
- **Data Stolen/Damaged:** A "limited number" of email accounts were affected, later revealed to involve approximately 100 bank regulators' accounts containing over 150,000 emails. The content of the compromised emails is not specified.
### Detection & Response
- **Detection:** The OCC identified and isolated the issue "this month" (relative to the report date, implied January 2025).
- **Response Actions:** The OCC identified, isolated, and resolved the incident by disabling the affected email accounts and analyzing all email logs since 2022 for due diligence.
## Attack Methodology
*Note: Specific MITRE ATT&CK techniques utilized by the actors in this specific OCC email breach were not detailed in the provided text. The following is inferred based on related Treasury incidents or the general nature of persistence described.*
- **Initial Access:** Compromise of an administrative account.
- **Persistence:** Mechanism not specified; the attackers retained access from June 2023 until discovery.
- **Privilege Escalation:** Not specified.
- **Defense Evasion:** Not specified.
- **Credential Access:** Not specified (potentially via the compromised administrative account).
- **Discovery:** Not specified.
- **Lateral Movement:** Not specified, but access spanned multiple regulator emails.
- **Collection:** Access and review of email content.
- **Exfiltration:** Not explicitly mentioned, but implied by the scale of access (over 150,000 emails read from roughly 100 accounts).
- **Impact:** Unauthorized access to sensitive communications involving bank regulators.
## Impact Assessment
- **Financial:** Not quantified, but involved a major U.S. banking regulator.
- **Data Breach:** Sensitive communications belonging to approximately 100 bank regulators.
- **Operational:** Incident response required investigation spanning months of logs and account remediation.
- **Reputational:** Negative reporting regarding the duration of attacker presence (June 2023 until resolution).
## Indicators of Compromise
- *No specific network, file, or behavioral IOCs (defanged or otherwise) were provided in the source text concerning the OCC breach.*
## Response Actions
- **Containment:** Identifying, isolating, and disabling the compromised administrative email accounts.
- **Eradication:** Not explicitly detailed, but subsequent investigation and stabilization of the email system.
- **Recovery:** Not described separately; the OCC reviewed all email logs dating back to 2022 as a comprehensive due-diligence step to establish the full scope before declaring the incident resolved.
## Lessons Learned
- **Key Takeaways:** Threat actors demonstrated the ability to maintain long-term persistence (roughly a year and a half, June 2023 until discovery in early 2025) within the OCC's environment via an administrative account compromise.
- **What could have been done better:** The extended dwell time suggests a gap in monitoring or alerting for anomalous activity by administrative credentials, such as a single account reading many users' mailboxes, or for the email system itself.
## Recommendations
- **Prevention Measures for Similar Incidents:**
  1. Implement rigorous monitoring and alerting focused on administrative email account activity, in particular one principal accessing mailboxes it does not own.
  2. Enforce Multi-Factor Authentication (MFA) on all administrative and privileged access credentials, especially those for core services such as email.
  3. Conduct regular, comprehensive audits of access logs and service account usage, and retain logs long enough to look back further than the typical incident scope (in this case, investigators had to review logs back to 2022).
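
The first recommendation is easier to act on with a concrete check. The following Python is an added example written for this page, not code from the OCC or its investigators. It runs a single detection over constructed sample audit records (the field names are loosely modelled on Microsoft 365 unified audit log entries, but the record format, the account names and the thresholds are all assumptions) and flags any principal that reads more distinct mailboxes than expected inside a time window, which is the access pattern a single compromised administrative account reaching roughly 100 regulators' mailboxes would produce.

```python
"""Flag one principal reading many distinct mailboxes in a short window.

Added example for the incident report above. The records below are
constructed for illustration; the JSON field names (CreationTime,
Operation, UserId, MailboxOwnerUPN, ClientIP) are an assumption loosely
modelled on M365-style mailbox audit events, not a real log export.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Operations that mean "someone read mail in a mailbox" (assumed names).
READ_OPS = {"MailItemsAccessed", "FolderBind"}


def _rec(ts, op, actor, owner, ip):
    """Build one constructed audit record as a JSON line."""
    return json.dumps({"CreationTime": ts, "Operation": op, "UserId": actor,
                       "MailboxOwnerUPN": owner, "ClientIP": ip})


# Constructed sample log: a user reading their own mail, a helpdesk account
# touching two mailboxes, one malformed line, and one service account
# sweeping twelve different mailboxes at 02:00 within half an hour.
_lines = [
    _rec("2023-06-14T09:02:10", "MailItemsAccessed", "analyst01@example.gov",
         "analyst01@example.gov", "198.51.100.20"),
    _rec("2023-06-14T10:15:00", "MailItemsAccessed", "helpdesk@example.gov",
         "analyst02@example.gov", "198.51.100.21"),
    _rec("2023-06-14T10:20:00", "MailItemsAccessed", "helpdesk@example.gov",
         "analyst03@example.gov", "198.51.100.21"),
    "this line is not JSON and must be skipped, not crash the review",
]
for n in range(12):
    _lines.append(_rec(f"2023-06-14T02:{n * 2:02d}:33", "MailItemsAccessed",
                       "svc-mailadmin@example.gov",
                       f"regulator{n:02d}@example.gov", "203.0.113.7"))
SAMPLE_LOG = "\n".join(_lines)


def parse_records(text):
    """Parse JSON-lines audit text; skip blank or malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            rec["ts"] = datetime.fromisoformat(rec["CreationTime"])
        except (ValueError, KeyError, TypeError):
            continue  # malformed record: skip rather than abort the whole run
        records.append(rec)
    return records


def find_mailbox_sweeps(records, window=timedelta(hours=1), threshold=10):
    """Return one alert per actor who read >= threshold distinct mailboxes
    (other than their own) within any sliding window of the given length."""
    by_actor = defaultdict(list)
    for r in records:
        if r.get("Operation") not in READ_OPS:
            continue
        actor, owner = r["UserId"].lower(), r["MailboxOwnerUPN"].lower()
        if actor == owner:
            continue  # reading your own mailbox is expected
        by_actor[actor].append((r["ts"], owner, r.get("ClientIP", "")))

    alerts = []
    for actor, events in by_actor.items():
        events.sort()
        counts = defaultdict(int)  # distinct mailboxes in the current window
        left, best = 0, None
        for right, (t, mbx, _ip) in enumerate(events):
            counts[mbx] += 1
            while t - events[left][0] > window:  # slide the window forward
                old = events[left][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                left += 1
            distinct = len(counts)
            if distinct >= threshold and (best is None or distinct > best["distinct_mailboxes"]):
                best = {"actor": actor, "distinct_mailboxes": distinct,
                        "window_start": events[left][0].isoformat(),
                        "window_end": t.isoformat(),
                        "client_ips": sorted({e[2] for e in events[left:right + 1]})}
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in find_mailbox_sweeps(parse_records(SAMPLE_LOG)):
        print(json.dumps(alert))
```

The threshold and window are deliberately conservative; in practice they should be tuned per environment so that routine helpdesk or eDiscovery work stays below the line, while a service principal reading dozens of other people's mailboxes at 02:00 does not. The check is only useful if mailbox-access auditing is enabled and the resulting logs are retained for long enough, which is the point of the third recommendation.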