Hackers compromised a bureau within the U.S. Department of the Treasury and spent months in hacked systems

📟 News

Date: 12/04/2025

The Office of the Comptroller of the Currency (OCC), an independent bureau within the United States Department of the Treasury, reported a major cybersecurity incident. Unknown attackers had access to the financial watchdog's sensitive data for more than a year.

The OCC serves to charter, regulate, and supervise all national banks and federal thrift institutions and the federally licensed branches and agencies of foreign banks in the United States.

According to the OCC, an administrative email account with access to user mailboxes and internal systems was compromised; as a result, unauthorized persons gained access to nonpublic data.

The breach was discovered on February 11, 2025, when Microsoft notified the OCC of unusual activity in its mailboxes. The full scope of the compromise, however, was established only recently.
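As an added illustration, not OCC's data or tooling, the following Python script shows the kind of check that surfaces the pattern described here: one administrative account reading many other users' mailboxes, spread over a long period. It runs over constructed, simplified records modelled on Microsoft 365 "MailItemsAccessed" mailbox-audit events; the field subset, the sample account names, the thresholds and the LogonType mapping (0 owner, 1 admin, 2 delegate) are assumptions made for this example.

```python
"""Flag an account that reads other users' mailboxes via Admin/Delegate logons.

Constructed example, not OCC's data. Input lines mimic a simplified subset of
Microsoft 365 unified audit log fields (CreationTime, Operation, UserId,
MailboxOwnerUPN, LogonType, ClientInfoString); real records carry more fields.
"""
import json
from collections import defaultdict
from datetime import datetime

# Exchange mailbox-audit logon types (assumed mapping for this example).
LOGON_TYPE = {0: "Owner", 1: "Admin", 2: "Delegate"}

# Constructed sample records: normal owner access, one legitimate delegate,
# and an admin account sweeping three other mailboxes over ~20 months.
SAMPLE_LOG = """\
{"CreationTime":"2023-05-14T09:11:09","Operation":"MailItemsAccessed","UserId":"alice@example.gov","MailboxOwnerUPN":"alice@example.gov","LogonType":0,"ClientInfoString":"Client=OWA"}
{"CreationTime":"2023-05-14T23:40:12","Operation":"MailItemsAccessed","UserId":"svc-mailadmin@example.gov","MailboxOwnerUPN":"alice@example.gov","LogonType":1,"ClientInfoString":"Client=REST;Client=RESTSystem"}
{"CreationTime":"2023-09-02T01:05:44","Operation":"MailItemsAccessed","UserId":"svc-mailadmin@example.gov","MailboxOwnerUPN":"bob@example.gov","LogonType":1,"ClientInfoString":"Client=REST;Client=RESTSystem"}
{"CreationTime":"2024-03-18T10:22:01","Operation":"MailItemsAccessed","UserId":"dana@example.gov","MailboxOwnerUPN":"bob@example.gov","LogonType":2,"ClientInfoString":"Client=Outlook"}
{"CreationTime":"2025-01-30T03:17:58","Operation":"MailItemsAccessed","UserId":"svc-mailadmin@example.gov","MailboxOwnerUPN":"carol@example.gov","LogonType":1,"ClientInfoString":"Client=REST;Client=RESTSystem"}
{"CreationTime":"2025-01-30T08:00:00","Operation":"Set-Mailbox","UserId":"svc-mailadmin@example.gov","LogonType":1}
"""


def parse_records(text):
    """Parse newline-delimited JSON audit records, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def find_cross_mailbox_access(records, min_mailboxes=2):
    """Return actors that read other people's mail through Admin/Delegate logons.

    An actor is reported when it touched at least `min_mailboxes` distinct
    mailboxes it does not own. The summary carries first/last seen, the span in
    days (dwell time) and the client strings used, which is what an analyst
    needs to decide whether this is a migration tool or an intruder.
    """
    per_actor = defaultdict(lambda: {"mailboxes": set(), "events": 0,
                                     "first": None, "last": None, "clients": set()})
    for rec in records:
        if rec.get("Operation") != "MailItemsAccessed":
            continue
        actor = rec.get("UserId", "").lower()
        owner = rec.get("MailboxOwnerUPN", "").lower()
        logon = LOGON_TYPE.get(rec.get("LogonType"), "Unknown")
        if not actor or not owner or actor == owner or logon == "Owner":
            continue  # a user reading their own mailbox is normal
        ts = datetime.fromisoformat(rec["CreationTime"])
        s = per_actor[actor]
        s["mailboxes"].add(owner)
        s["events"] += 1
        s["first"] = ts if s["first"] is None or ts < s["first"] else s["first"]
        s["last"] = ts if s["last"] is None or ts > s["last"] else s["last"]
        s["clients"].add(rec.get("ClientInfoString", ""))

    findings = {}
    for actor, s in per_actor.items():
        if len(s["mailboxes"]) < min_mailboxes:
            continue
        findings[actor] = {
            "mailboxes": sorted(s["mailboxes"]),
            "events": s["events"],
            "first_seen": s["first"].isoformat(),
            "last_seen": s["last"].isoformat(),
            "span_days": (s["last"] - s["first"]).days,
            "clients": sorted(s["clients"]),
        }
    return findings


if __name__ == "__main__":
    for actor, f in find_cross_mailbox_access(parse_records(SAMPLE_LOG)).items():
        print(f"{actor}: {len(f['mailboxes'])} mailboxes, {f['events']} events, "
              f"{f['first_seen']} .. {f['last_seen']} ({f['span_days']} days), "
              f"clients={f['clients']}")
```

The check deliberately ignores owner access and single-mailbox delegate access (an assistant reading one executive's inbox), and it reports dwell time rather than just a count: an admin identity that has been touching other people's mail for hundreds of days through a REST client is the kind of finding a mailbox-audit review should raise long before an outside party does.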

The incident report states that unknown cybercriminals gained access to “highly sensitive information relating to the financial condition of federally regulated financial institutions used in its examinations and supervisory oversight processes.”

The compromised administrative account was disabled on February 12, once the breach was confirmed, and third-party cybersecurity experts were retained to assess the incident's impact.

“Based on the content of the emails and attachments reviewed thus far, the OCC, in consultation with the Department of the Treasury, determined the incident met the conditions necessary to be classified as a major incident. The OCC discovered that the unauthorized access to a number of its executives’ and employees’ emails included highly sensitive information relating to the financial condition of federally regulated financial institutions used in its examinations and supervisory oversight process,” – the OCC said.

According to Bloomberg News, a draft letter to Congress prepared by OCC Chief Information Officer Kristen Baldwin states that the highly sensitive bank information contained in the emails and attachments is likely to result in demonstrable harm to public confidence. Between May 2023 and early 2025, the attackers accessed roughly 150,000 emails.

OCC representatives have not yet commented on this information, nor have they said who might be responsible for the breach.

Back in December 2024, unknown attackers had breached the U.S. Department of the Treasury through a compromised third-party SaaS platform it used. At the time, the intrusion was reported to have affected the Office of Foreign Assets Control (OFAC), and the hackers were said to have deliberately targeted that office, which administers and enforces economic and trade sanctions.

U.S. authorities attributed that attack to ‘Chinese government hackers’.
