Cyber Incident Victim: Department of the Treasury
Date:
Sep 2022
Location:
United States of America
Summary
The U.S. Treasury repelled a distributed denial of service attack attributed to pro-Russian hacker group Killnet, preventing operational disruption. Characterized as low-level activity targeting critical infrastructure nodes, the incident validated enhanced cybersecurity coordination measures, including rapid sharing of attacker IP addresses with financial sector partners. This response demonstrated improved threat intelligence dissemination under strengthened departmental procedures established by current leadership. The attack occurred shortly before similar attempts against U.S. financial services firms and highlighted shared adversarial risks facing government and private financial entities, particularly following Russia's invasion of Ukraine. Treasury officials emphasized the importance of continued public-private collaboration to address evolving systemic threats.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
In October 2022, the U.S. Department of the Treasury repelled distributed denial-of-service (DDoS) attacks attributed to the pro-Russian hacker group Killnet, according to Todd Conklin, cybersecurity counselor to Deputy Treasury Secretary Wally Adeyemo. The attacks occurred several days prior to similar Killnet attacks targeting U.S. financial services firms, though the Treasury incident had not been previously disclosed publicly. Conklin characterized the activity as "pretty low-level DDoS activity targeting Treasury's critical infrastructure nodes," which the department successfully mitigated without operational disruption. Killnet had publicly claimed responsibility for disrupting U.S. state government and airport websites earlier in October 2022 and asserted an October 11 attack against JPMorgan Chase & Co., though the bank reported no operational impacts. Treasury officials confirmed the attacks aligned with their threat intelligence regarding Killnet’s activities.
Under revised cybersecurity procedures implemented following the Biden administration’s appointment of Treasury Secretary Janet Yellen and Deputy Secretary Adeyemo, the department rapidly shared attacker internet protocol (IP) addresses with financial sector partners. This real-time information exchange formed part of Treasury’s enhanced operational posture, which included establishing Conklin’s department-wide cybersecurity coordination role—a position created by Adeyemo to centralize threat response. Deputy Secretary Adeyemo described the incident as a "stark reminder" of shared threats facing Treasury and financial institutions, particularly following Russia’s February 2022 invasion of Ukraine. At a joint conference of the Financial and Banking Information Infrastructure Committee (FBIIC) and Financial Services Sector Coordinating Council (FSSCC), Adeyemo emphasized ongoing collaboration to provide risk alerts and security updates to industry stakeholders. He called for expanded cooperation between these groups—established post-9/11—to address emerging systemic risks, including cloud security and data protection challenges. The Treasury’s response validated its strategic shift toward proactive threat intelligence sharing and cross-sector coordination against adversarial cyber campaigns.