The Congressional Budget Office (CBO) on Nov. 6 was the target of a cyberattack reportedly by a suspected nation-state threat actor that potentially exposed important communications in which congressional offices and nonpartisan researchers share information about pending legislation.

Few details as to the nature of the attack were disclosed, but the CBO said it implemented additional monitoring and security controls to further protect the agency.

“The incident is being investigated and work for the Congress continues,” said Caitlin Emma, a CBO spokesperson. “Like other government agencies and private sector entities, CBO occasionally faces threats to its network and continually monitors to address those threats.”

Security experts saw this attack on the CBO as a strategic move by the suspected nation-state actor. The CBO runs economic projections for members of Congress, and every bill taken up in the House or Senate receives a CBO score for how it impacts the deficit.

“The strategic implications here are pretty severe,” said Aaron Beardslee, manager of threat research at Securonix. “Adversaries now potentially possess advanced knowledge of U.S. fiscal policy direction, economic forecasts, and legislative cost analyses before they become public.”

Beardslee said this intelligence advantage allows hostile nation-states to position themselves economically, anticipate policy shifts, and potentially influence market reactions or diplomatic negotiations. Beardslee said the compromised data includes analysis on sensitive policy areas, including mass deportation plans, tariff implementations, and major tax legislation, giving adversaries insight into both economic vulnerabilities and political priorities.

“This represents classic strategic espionage — not financially motivated cybercrime — aimed at long-term geopolitical positioning,” said Beardslee.
“This also correlates well with the potential geopolitical activity we have seen from China in the last year, where nation-state actors are focusing on keeping footholds, rather than acting quickly on short-term gains like data exfiltration or crypto theft.”

John Carberry, solution sleuth at Xcape, Inc., pointed out that the CBO possesses sensitive, pre-decisional data on U.S. fiscal policy and economic plans. Carberry said initial investigations point to attackers breaching a compromised email gateway, maintaining undetected access for weeks. He added that this extended access potentially enabled the theft of sensitive fiscal data, including financial forecasting models and internal communications, which the attacker could exploit for political or economic advantage.

“The CBO has implemented increased monitoring and controls, and Senate security has advised staff to carefully review all CBO-related communications,” said Carberry. “Currently, it's prudent to assume exposure: security teams should enable phishing-resistant MFA, verify sender domains, quarantine suspicious attachments/links, and instruct users to confirm requests through alternative channels. If your office shares drafts or forecasts with the CBO, review the shared information and prepare advisories for affected individuals. Although the full implications are unclear, this is a deliberate attack on the integrity of U.S. policy making, not a random act.”

Jeff Liford, associate director at Fenix24, underscored that we still don’t have many details about exactly what’s at play here. Liford said it looks like it’s at least an email/account compromise, mainly because officials are warning about leaked communications and the possibility of highly targeted phishing communications. However, there isn’t an indication whether it’s more pervasive than that.

“We don’t know if they caught them immediately, or if they’ve been in the system for months or years,” said Liford.
“Nation-state actors frequently carry out years-long campaigns and seek to achieve deep systemic compromises, and they can be difficult to evict once they are established.”

Denis Calderone, principal, COO, and CRO at Suzu, Inc., added that the CBO breach illustrates a fundamental third-party risk challenge: Small government offices like the CBO serve as interconnected nodes within larger ecosystems, and the fact that congressional offices have reportedly halted emails with the agency reveals legitimate concerns about attackers exploiting these trusted relationships for lateral movement.

“Adversaries increasingly target smaller organizations not as end goals, but as stepping stones to access more valuable networks, and the CBO's constant communication with lawmakers creates numerous potential pivot points,” said Calderone. “This incident reinforces that organizational security is only as strong as the weakest link in the trusted third-party ecosystem.”
Nation-state actor suspected of CBO cyberattack




