Scott Schober, Cyber Expert, Author of "Hacked Again," and CEO of Berkeley Varitronics Systems, sits down with host David Braue to discuss a cyberattack on the Office of the Comptroller of the Currency. The podcast can be listened to in its entirety below.
Welcome to the Data Security Podcast sponsored by Cimcor. Cimcor develops innovative, next-generation file integrity monitoring software. The CimTrak Integrity Suite monitors and protects a wide range of physical, network, cloud, and virtual IT assets in real-time while providing forensic information on all changes. Securing your infrastructure with CimTrak helps you get compliant and stay that way. You can learn more about Cimcor and CimTrak on the web at cimcor.com/cimtrak.
David: Joining us today is Scott Schober, cyber expert and author of the popular books "Hacked Again" and "Senior Cyber." Scott, thanks for joining me today.
Scott: Yeah, wonderful to be here with you, David.
David: So, as usual, there are some interesting breaches going on out there. This is one that's come to light pretty recently, as seems to be the way these days. It's actually a breach that happened a while ago, and we're only finding out about it now. This is a pretty important government agency, the Office of the Comptroller of the Currency, the OCC. Tell me about it. What happened?
Scott: Yeah, I'm glad you spelled that out, because that's a mouthful, that's for sure, and they're, I guess, an independent bureau of the US Department of the Treasury. Honestly, I don't know if I've ever even heard of them, but they're apparently very important. What happened was some unauthorized access, and the part that again caught my eye right away with this story was that it went undetected for over eight months. Until, I guess, more recently, February 2025, roughly, when they detected it, and the attackers accessed around 150,000 emails, including those of about 100 bank regulators. So you're talking serious things; especially anything tied to money is serious, obviously, because we know the ramifications that can actually come out. I think it was identified initially by Bloomberg Law News, which reported on and identified it back on February 11th. That was just through routine security monitoring. So the question I immediately started to think about was, "Wow. How does this happen?" Not just a breach of this magnitude, but it goes on so long before anybody even notices it. And that's an incredible concern, because with all of these breaches, when we analyze them, when there's a time period in between when it actually happened and when it's first detected, the bad guys can do a lot of things. And I think in this case, with the initial compromise, when it happened, the hackers gained control of the system administrators' email accounts, and that kind of granted them elevated access privileges. And once you get administrative access, now you can kind of go through and take a look at the different emails and extract sensitive information from various OCC employees. So you're really kind of garnering this valuable data from all these different employees, and, I guess, the fact that the detection of it was so delayed allowed them to get away with a lot of things and collect a lot of sensitive information.
And I was trying to think of maybe a fitting analogy, and one thing that came to mind was that it reminded me of, like, a janitor with almost like this "master key." The hackers didn't just sneak in; they stole the digital equivalent of a master key, and now they're wandering through all the offices undetected for over eight months. Anybody who would hear that would go, "What's going on? That's crazy. How could that happen?" Well, the same thing did just happen.
David: It happens quite a lot, actually. I mean, this is the whole problem with email credentials being compromised: if you can kind of convincingly sneak your way into an email system, you can kind of watch what's going on and just learn an awful lot about an organization. I mean, this isn't just about stealing information. This is about stealing process. It's about stealing stuff that's not really meant to be public. This is the internal conversations of a very significant government agency that's doing important work, managing the economy, you know, this sort of thing. You'd like to believe that this isn't public knowledge; you know, these things are done not in shadows, but done, you know, in private, because they have to have candid conversations about the economy, for example, or whatever they're doing, programs that are changing, whatever is being discussed. Email is certainly the de facto way of doing that in any organization, and if you have someone in the conversation that's not meant to be there, it could be very potentially compromising, as certainly the Department of Defense has learned to great dismay over the past couple of months. I mean, it really is not a good thing to have someone who's not meant to be there who looks like they are.
Scott: Yeah, surprise, right? And I guess in this particular case, I think the breach kind of underscores for us, as we're analyzing it, how a single compromised account can really jeopardize an entire organization's security. It helps you kind of step back from it and reflect upon it. So, just having education in particular areas, while being good, really helps us underscore that we've got to have the entire organization have proper education to keep data strong. And we've talked before about the importance of strong, unique passwords, enabling multi-factor authentication, the importance of really being cautious in emails, especially not clicking on things, attachments, and things that redirect and going down that rabbit hole there, keeping up with software updates. So all of those things still hold true. But maybe, in addition to that, with organizations, especially on the government level, I think they need to do even more. They need to have more advanced or enhanced monitoring where they're looking for maybe these anomalies, and an anomaly detection system that will pull up things and say, "Hey, this is a little strange here, let's investigate this," before, you know, what was it, eight months go by, which is just alarming. Access controls, regular audits of administrative accounts, especially here, because, in a sense, once you have access to an administrative account, you've got the keys to the kingdom. You could really cause a lot of damage within an organization, within the government, in this particular case. Even doing some basic risk analysis and third-party risk management, where they can assess different things and monitor different things about third-party security practices, because you think about how many people work with the government. Well, how cybersecure are they? It's not just you as an entity or an organization, but your partners, those that you work with: are they up to snuff with cybersecurity?
And I think that's important, to have those conversations and to really go in there and assess it and monitor it to make sure that they're not just "checking the boxes," as we say, because often people do that. And then, of course, having in place some type of incident response planning, so you have a plan that addresses potential breaches, but promptly: how do you respond to this? Without some of those basic things in place, it could be disastrous. And I think, unfortunately, we talk about this far too often. Yet it happens again, and it happens again, and it happens again, because many of these organizations and government-related entities are not doing the basics that they should be doing.
David: Well, these days, and we talk about this being an administrative account, particularly the administrator accounts, you'd think that they would be secured using two-factor authentication. Send me a code when I log in. I mean, people feel that that's an imposition sometimes. A lot of the users don't like that. But the fact is, if you have the authority to manage other people's emails, particularly in this kind of sensitive environment, you just really should expect to have to do a little bit more when it comes to security. It doesn't seem like a really contentious thing to say something like that, but I get the impression that's just not happening.
Scott: No, and I think if the conversation was back 10 years ago, I could understand it. People didn't understand the importance of MFA. It was a burden, and it wasn't necessarily that easy to migrate over to it. Now, I think, for people that have good cyber hygiene, it's second nature. I'm not going to log on to a secure site without having that as a minimum to authenticate who I am, because we know how easy it is to compromise basic login credentials these days, not to mention MFA has been compromised in extreme cases. If somebody wants to get in, they're going to do it. But if you put those basic levels, or layers, I should say, of security in place, that will really help greatly. So I just always encourage people, hopefully the listeners: please make sure that you're using MFA as part of your every single day login procedure. If you're not doing it, take a look at it. It's usually free. It's not that hard. Once you adjust to it, it just becomes a mindset, just like you put your seatbelt on when you're driving. You look in your rearview mirror before you put the car into reverse because you don't want to cause a problem.
We'll be right back after a quick word from our sponsor.
Cimcor develops innovative, next-generation file integrity monitoring software. The CimTrak Integrity Suite monitors and protects a wide range of physical, network, cloud, and virtual IT assets in real-time, while providing detailed forensic information about all changes. Securing your infrastructure with CimTrak helps you get compliant and stay that way. You can find out more about Cimcor and CimTrak on the web at cimcor.com/cimtrak.
And now back to the podcast.
David: It's interesting with this particular breach that, you know, it took a while to discover. We found out that it was apparently discovered earlier this year in February, and we're only hearing about it now, really. I had a look through the OCC's disclosure. We'll call it the "Walk of Shame," where they admit what it was that they just didn't do. It's an interesting document. This is what we found out: we should have been doing this years ago, and sorry about that. And apparently, they didn't actually even know about the breach. They were told about it by Microsoft, which said it had noticed what the OCC called "unusual interactions between a service account in Microsoft's Azure Office Automation environment and OCC user mailboxes hosted by Microsoft." Unusual interactions. I mean, someone's got to be watching out for this stuff. But it's got to be pretty confronting when you're told by one of your technology suppliers, "By the way, you guys have been monitored for a fairly long time."
Scott: Oh, yeah. And unfortunately, they're not alone in this. We could probably run down the list of not just dozens, but hundreds of companies that have a similar tale as this, and that's the part that I think kind of breaks your heart when you hear these types of things, and I always back up, and probably yourself, too, when we ask the questions. Well, isn't anybody monitoring this? Isn't anybody watching? Didn't the red flags go up at any point in this? And usually the answer is, no, they didn't, but they learned something from it. Unfortunately, these are all small lessons or big lessons in learning; the damage and the cleanup create a different culture, a cyber culture, within an organization or a government entity. Of course, until the new regime comes in, and then they start all over again, unfortunately, and new people are in to try to secure things.
So I think cyber criminals realize the cycle. They realize how many people can be lax in many ways, and if you dig in, and again, we don't have any certainty on this, but as I was digging into the story a little bit, they said there were suspected ties to Chinese hackers, and Silk Typhoon was mentioned there; yet another attack attributed to Silk Typhoon had a lot of resemblance to this, and those specific attacks were on the Office of Foreign Assets Control, the Committee on Foreign Investment in the US, and the Office of Financial Research. What does that tell us? That tells us they probably had their hand in several cookie jars, trying the same tactics, and they work. Cyber criminals will always gravitate toward what works, what's efficient to get in. And then they're going to spread that across many different, in this case, branches of the government or departments within the government. So to me it highlights, really, the critical importance of having robust cybersecurity measures, continually monitoring, being proactive in risk management to protect sensitive government data. If they're not doing that, they (the cyber criminals) are just going to keep chipping away until they get in and compromise yet a different branch.
David: It's so true, and I think anybody in government these days should just assume that they're being targeted by nation-state actors. If it isn't one country, it's another. You mentioned Silk Typhoon, which was found to have targeted the Office of Foreign Assets Control, which is the organization that apparently administers trade sanctions, economic sanctions, and the Committee on Foreign Investment in the US. I think there would be a lot of interest in a group like Silk Typhoon knowing what's going on inside the government in the midst of a massive trade war. Significantly, this OCC breach we were talking about actually predates the new Trump administration and these tariffs. So that's a sign that this stuff's just going on all the time, and it only intensifies when the geopolitical situation changes in the way that it has.
Scott: Yeah. Yeah. And again, we don't want to, at least I don't want to, focus on politics, because that's a different rabbit hole to get down. But you're so right. When you think about it, and as their administration changes, these cybercriminal groups are in the government systems. We could start to see how dangerous it is. I mean, you look at some of the disasters with even some of the basic communications with the government using Signal, which is a secure app that is encrypted, but if it's not properly monitored and used correctly, or not approved, well, guess what? They probably shouldn't be using it. So when people stretch it and go outside of the norm, and take things into their own hands, there are going to be consequences. And I think here they really have to stick to staying on top of what's considered government-level secure information, data, documents, and make sure that they're regularly analyzing this. The question that popped into my head right away is, do they have it set up so there's a Zero Trust Architecture? You know, those types of things. And we talked already about auditing the administrative privileges on a regular basis. Were they doing that? These types of stories and articles really don't dive in there. And there's a lot of great detection software now, companies that specialize in things that will even look at something as simple as behavioral analytics, and if they see something, they'll instantly flag it: hey, here's suspicious activity, let's analyze this before it turns into a pumpkin and a disaster down the road, eight months later, when you suddenly discover and go, "Oh, no! What happened here?" So I think a lot of things could have and should have been done to prevent this unfortunate disaster that happened.
David: It's very, very true. One of the things about email as well is that it is inherently open, probably, is the word that I'm looking for. Everybody has email. Email is very easy to send. It's easy to receive. It's meant to be easy to engage with, and it is generally. I mean, is there a case to be made that within these sorts of organizations, perhaps it is a good idea to keep these kinds of conversations off of email as an "open platform" and move them to, like, a Slack sort of environment or something, where at least it's a closed internal communication system, where at least you can have an idea of who's, you know, who's listening?
Scott: Yeah, I think that's brilliant. Because to me, anything I put in email, my assumption is, it's not private. And a lot of people will object to that. They're like, "What are you talking about? Of course it's private. I don't share it with everyone." I'm like, "Well, is it on your computer? Is it on your mobile device? You're using a Gmail or a Yahoo mail, or a Hotmail, or whatever. Well, guess what? It's not private, it's not secure." It doesn't have proper end-to-end encryption. There are areas that can be exploited; it can be looked at, it can be parsed, and key information can be pulled out and used for wrongful purposes. It can be sold. So when you think about that, and if someone tells you that, I was just dealing with that with somebody recently. They were being stalked and had problems. And immediately I started explaining to them, I said, "Well, you're using Gmail, and you're using this. You don't have a secure connection when you're texting. You don't," I said. So, that's kind of what happens. You can't be out there in the public and expect to have some level of perceived privacy, especially now, when you look at government-level information and data. It should be protected, it should be properly handled, and it should be monitored, so it can't be compromised. So, a lot of strikes they have against them, I'm sure. Are these learning lessons? Perhaps. However, if you go back in time the last few years, the last decade, this keeps happening. It hasn't necessarily gotten better. It hasn't been resolved. People haven't learned their lesson, per se. And I think, ever more and more, we're tied into having digital footprints, we're tied into using email and wireless communications and the Internet of Things, and depending on the Internet. As long as we consume and utilize these means of communication, the onus is on us, as individuals, as businesses, and as government agencies, to take the initiative and make sure that it is safe.
David: Wise words, Scott. Thank you so much for your time today. It's been great to chat.
Scott: Yeah, thanks for having me on there. Stay safe.
David: My guest today was Scott Schober, cyber expert and author of the popular books "Hacked Again" and "Senior Cyber."
The data security podcast is sponsored by Cimcor. Cimcor develops innovative next-generation file integrity monitoring software. The CimTrak Integrity Suite monitors and protects a wide range of physical, network, cloud, and virtual IT assets in real-time while providing detailed forensic information about all changes. Securing your infrastructure with CimTrak helps you get compliant and stay that way. You can find out more about Cimcor and CimTrak on the web at cimcor.com/cimtrak.
To hear our other podcasts and to watch our videos, visit us at cybercrimemagazine.com.
May 6, 2025