Hackers compromised a bureau within the U.S. Department of the Treasury and spent months in hacked systems

Date: 12/04/2025

The Office of the Comptroller of the Currency (OCC), an independent bureau within the United States Department of the Treasury, reported a major cybersecurity incident. Unknown attackers had access to sensitive financial watchdog data for more than a year.

The OCC charters, regulates, and supervises all national banks and federal thrift institutions, as well as the federally licensed branches and agencies of foreign banks in the United States.

According to the OCC, an administrative email account with access to user mailboxes and internal systems was compromised; as a result, unauthorized persons gained access to nonpublic data.

The breach was discovered on February 11, 2025, when Microsoft notified the OCC of unusual activity in its mailboxes. However, the scope of the compromise was identified only recently.

The incident report states that unknown cybercriminals gained access to “highly sensitive information relating to the financial condition of federally regulated financial institutions used in its examinations and supervisory oversight processes.”

The compromised administrative account was disabled on February 12, when the breach was confirmed; third-party cybersecurity experts were retained to assess the incident's impact.

“Based on the content of the emails and attachments reviewed thus far, the OCC, in consultation with the Department of the Treasury, determined the incident met the conditions necessary to be classified as a major incident. The OCC discovered that the unauthorized access to a number of its executives’ and employees’ emails included highly sensitive information relating to the financial condition of federally regulated financial institutions used in its examinations and supervisory oversight process,” – the OCC.

According to Bloomberg News, a draft letter to Congress prepared by OCC Chief Information Officer Kristen Baldwin states that the highly sensitive bank information contained in the emails and attachments is likely to result in demonstrable harm to public confidence. Between May 2023 and early 2025, the attackers accessed roughly 150,000 emails.

OCC representatives have not yet commented on this information, nor have they specified who might be responsible for the breach.

Back in December 2024, unknown attackers hacked the U.S. Department of the Treasury and compromised the SaaS platform it used. At that time, it was reported that the intrusion affected the Office of Foreign Assets Control (OFAC), and that the hackers deliberately attacked this department, which administers and enforces economic and trade sanctions.

U.S. authorities blamed ‘Chinese government hackers’ for that attack.
