Cyber Incident Victim: Department of the Treasury
Date: Dec 2020
Location: United States of America
Summary
A sophisticated foreign state-backed hacking group breached the U.S. Department of the Treasury and an agency overseeing internet and telecommunications policy, exfiltrating sensitive information. The intrusion was linked to the SolarWinds supply chain compromise, which used the SUNBURST backdoor to infiltrate multiple high-profile victims. Microsoft and FireEye provided technical guidance for detecting and mitigating the threat, while the Department of Homeland Security issued an emergency directive urging organizations to address the compromise of SolarWinds Orion software. The U.S. government acknowledged the incident and initiated remediation efforts, characterizing the attack as part of a broader coordinated campaign leveraging third-party vendor infrastructure.
Description
On or around December 13, 2020, a sophisticated hacking group supported by a foreign government breached the U.S. Department of the Treasury and an unnamed U.S. agency responsible for internet and telecommunications policy. The attackers successfully exfiltrated sensitive information from both organizations, though the specific nature and scope of the stolen data were not disclosed in initial reports. This incident emerged amid broader cybersecurity concerns following FireEye's recent disclosure of a separate breach, with investigators soon linking the Treasury compromise to a supply chain attack involving SolarWinds' Orion software. Microsoft and FireEye subsequently published technical guidance for detecting and removing the threat actor's malware, identified as the SUNBURST backdoor, which had been distributed through malicious updates to SolarWinds' network management products. The Department of Homeland Security issued an emergency directive mandating mitigation of the SolarWinds Orion code compromise across federal systems.

The U.S. government acknowledged the breach through National Security Council spokesman John Ullyot, stating officials were "aware of these reports" and taking "all necessary steps to identify and remedy any possible issues." SolarWinds released an official statement addressing the compromise of their software supply chain while cybersecurity firms continued updating their analysis of the SUNBURST malware's evasive capabilities. The incident represented a significant escalation in state-sponsored cyber operations due to both the high-profile targets and the novel supply chain attack methodology. Response efforts focused on threat detection across affected SolarWinds Orion deployments, removal of the persistent backdoor, and assessment of compromised systems within the Treasury and telecommunications policy agency. Technical reports emphasized the attackers' sophisticated tradecraft in maintaining stealth while leveraging the trusted software update mechanism to infiltrate multiple high-value targets.
