Cyber Incident Victim: United States Department of the Treasury
Date: Jul 2020
Location: United States of America
Summary
The Treasury Department’s email system was compromised after attackers gained control of a high‑level administrator account for its SolarWinds Orion software, using that access to modify the Secure Mail application and potentially open all treasury.gov addresses to intrusion. The breach persisted for several months before an inadvertent system change by the department disrupted the attackers’ access. Officials involved said they could not determine which specific messages were viewed or whether any data was actually exfiltrated.
Description
In early 2020 the Texas‑based information management company SolarWinds was targeted by an elite, possibly Russia‑affiliated entity that used a combination of social engineering and technical hacking to compromise its Orion Platform software. The compromised Orion updates were distributed to SolarWinds’ clients, turning the software into a malware dispenser that installed spying tools on victim networks. Among the clients were high‑level U.S. government organizations including the White House and the National Security Agency, which gave the attackers access to communications networks that handle classified information. The overall compromise persisted for approximately nine months through most of 2020.

According to a redacted Treasury Department inspector general’s report released after a Freedom of Information Act lawsuit, the highest-level administrator account for Treasury’s SolarWinds software was compromised on July 6, 2020. The attackers used that privileged account to modify an application referred to as Secure Mail, a change that the report states potentially allowed access to every e‑mail address ending in treasury.gov. This access remained in place until October 12, 2020, when Treasury apparently made an inadvertent system change that terminated the attackers’ presence. The individual who operated the compromised administrator account told investigators that they did not know which specific e‑mail messages were viewed or whether any data was actually exfiltrated.
The inspector general’s findings represent only a portion of the broader nine‑month exposure, providing insight into roughly four months of the Treasury‑specific intrusion. No further details about data loss, manipulation, or subsequent remedial actions were disclosed in the released report. The revelation that Treasury e‑mail accounts were accessible underscores the extent to which the SolarWinds supply‑chain compromise penetrated senior government communications. The incident contributed to the wider reassessment of federal software supply‑chain risk management following the discovery of the campaign.
