
Congressional Budget Office (CBO) Cisco ASA Firewall Breach: Cyberattack Details, Impact, and Security Measures Implemented

  • Rescana
  • Nov 9, 2025
  • 7 min read

Executive Summary

The Congressional Budget Office (CBO), a critical U.S. government agency responsible for providing nonpartisan budget and economic analysis to Congress, confirmed on November 6, 2025, that it had experienced a cybersecurity breach. The incident, which is under active investigation, potentially exposed sensitive government data to malicious actors. While the CBO has not officially attributed the breach to any specific threat actor, multiple independent sources, including statements from Congressional officials and technical analyses, suggest the involvement of a sophisticated foreign nation-state actor. The breach is part of a broader trend of targeted cyberattacks against U.S. government financial and legislative agencies. In response, the CBO has implemented immediate containment measures, enhanced monitoring, and new security controls to protect its systems. The agency continues to operate and support Congressional activities while collaborating with relevant oversight and cybersecurity authorities. The full scope of data compromised has not been publicly confirmed, but there are credible reports of potential access to internal communications between Congressional offices and CBO staff. This incident underscores the persistent threat posed by advanced adversaries to government entities and highlights the importance of robust, proactive cybersecurity measures.

Technical Information

The CBO breach represents a significant cybersecurity incident affecting a core U.S. legislative support agency. The technical details, as reported by multiple sources, indicate that the attack was likely executed by exploiting vulnerabilities in a public-facing network device, specifically a Cisco ASA firewall. Security researcher analysis, cited by TechCrunch, revealed that the firewall had not been patched against a series of critical vulnerabilities discovered in 2024 and 2025. These vulnerabilities were actively targeted by advanced persistent threat (APT) groups, particularly those linked to the Chinese government, in campaigns against U.S. government agencies (TechCrunch, 2025-11-07).

The attack vector aligns with the MITRE ATT&CK technique T1190: Exploit Public-Facing Application, where adversaries leverage unpatched vulnerabilities in internet-facing systems to gain initial access. The firewall in question was reportedly still vulnerable at the time of the breach and was only taken offline after the incident became public. This method of initial access is consistent with previous attacks on U.S. government financial agencies, including the Treasury Department and the Office of the Comptroller of the Currency (OCC), which were also compromised via exploitation of unpatched software and network devices (The Record, 2025-11-07).

No specific malware, post-exploitation tools, or technical indicators of compromise (IOCs) have been publicly disclosed by the CBO or cited in primary sources as of this report. However, similar campaigns exploiting Cisco ASA vulnerabilities have involved the deployment of custom webshells, credential theft utilities, and lateral movement tools by Chinese APTs. The lack of released technical artifacts limits the ability to confirm the exact tools and methods used post-initial access.

The breach was detected in "recent days" prior to public disclosure, and the CBO reported that it identified the incident early, allowing for immediate containment actions. The agency has since implemented additional monitoring and new security controls, though the specifics of these measures have not been detailed in public statements. The House Budget Committee and the House Committee on Homeland Security are actively involved in monitoring the situation and coordinating mitigation efforts.

The CBO manages extensive datasets related to legislative, economic, and policy issues, including sensitive communications between Congressional offices and CBO analysts. While the agency has not confirmed the exact nature of the data accessed, credible reports suggest that internal messages and chat logs may have been compromised. This raises significant concerns regarding the confidentiality of legislative deliberations and the potential for adversaries to gain insight into U.S. economic policy planning.

The incident is part of a broader pattern of nation-state targeting of U.S. government agencies, particularly those involved in financial and legislative functions. In the past year, federal agencies have been repeatedly warned by the Cybersecurity and Infrastructure Security Agency (CISA) about vulnerabilities in widely used products from Microsoft, Cisco, and Oracle, which have been exploited in similar attacks. The CBO breach demonstrates the ongoing risk posed by unpatched systems and the need for continuous, proactive vulnerability management.

Attribution of the attack remains at a medium confidence level. While Congressional statements and technical analysis point to a "complex foreign actor" and align with known Chinese APT tactics, techniques, and procedures (TTPs), there is no direct technical evidence (such as malware samples or network indicators) publicly linking the incident to a specific group. The pattern of targeting, exploitation of known vulnerabilities, and sector focus are consistent with previous Chinese APT operations against U.S. government entities.

In summary, the CBO breach was likely facilitated by the exploitation of an unpatched Cisco ASA firewall, consistent with MITRE ATT&CK T1190. The attack fits within a broader context of nation-state cyber operations targeting U.S. government financial and legislative agencies. The absence of detailed technical disclosures limits the ability to fully assess the attack's scope and impact, but the incident highlights critical lessons regarding patch management, network segmentation, and the importance of rapid detection and response capabilities.

Affected Versions & Timeline

The breach specifically impacted the CBO's network infrastructure, with the primary technical weakness identified as an unpatched Cisco ASA firewall. The firewall had not received security updates addressing vulnerabilities discovered in 2024 and 2025, which were being actively exploited by advanced threat actors at the time of the incident (TechCrunch, 2025-11-07).

The verified incident timeline is as follows: On November 6, 2025, the CBO publicly confirmed the hack and issued a statement regarding the incident (ABC News, 2025-11-06). On November 7, 2025, additional details and sector analysis were published by multiple outlets, including Federal News Network and The Record (Federal News Network, 2025-11-07; The Record, 2025-11-07). The breach was discovered in the days immediately preceding the public disclosure, and the agency reported early detection and rapid containment actions.

The CBO has not disclosed the specific versions of software or systems affected beyond the reference to the Cisco ASA firewall. No other products or platforms have been publicly identified as compromised in this incident.

Threat Activity

The threat activity associated with the CBO breach is characterized by the exploitation of a known vulnerability in a public-facing Cisco ASA firewall. This method is consistent with the MITRE ATT&CK technique T1190: Exploit Public-Facing Application, which involves attackers leveraging unpatched vulnerabilities in internet-accessible systems to gain unauthorized access.

Technical community analysis, as reported by TechCrunch, suggests that the firewall was vulnerable to a series of security bugs that were being actively exploited by Chinese government-backed hackers in 2024 and 2025. These campaigns typically involve the deployment of custom webshells, credential theft tools, and lateral movement techniques to access sensitive internal data. However, in the case of the CBO breach, no specific malware or post-exploitation tools have been publicly identified.

The attack is part of a broader trend of nation-state targeting of U.S. government agencies, particularly those involved in financial and legislative functions. Previous incidents, such as the breaches of the Treasury Department and the OCC, involved similar exploitation of unpatched systems and resulted in the exfiltration of highly sensitive information. The CBO breach fits this pattern, with credible reports indicating that internal communications between Congressional offices and CBO staff may have been accessed.

Attribution to a specific threat actor remains unconfirmed by the CBO, but Congressional statements and technical analysis point to a "complex foreign actor," with circumstantial evidence suggesting Chinese APT involvement. The lack of direct technical artifacts, such as malware samples or network indicators, limits the confidence of this attribution.

The incident underscores the persistent threat posed by advanced adversaries to government entities and highlights the importance of timely patching, network segmentation, and robust monitoring to detect and contain such attacks.

Mitigation & Workarounds

In response to the breach, the CBO has taken immediate action to contain the incident, implemented additional monitoring, and deployed new security controls to protect its systems (Federal News Network, 2025-11-07; ABC News, 2025-11-06). While the agency has not provided detailed information about the specific measures taken, the following mitigation strategies are recommended based on the technical analysis of the incident and the broader threat landscape:

Critical: Immediate patching of all public-facing network devices, especially Cisco ASA firewalls, to address known vulnerabilities exploited in recent campaigns. Organizations should verify that all security updates released in 2024 and 2025 have been applied and that no unsupported or end-of-life devices remain in production environments.

High: Enhanced network monitoring and intrusion detection capabilities should be deployed to identify and respond to suspicious activity. This includes the use of advanced endpoint detection and response (EDR) tools, network traffic analysis, and real-time alerting for anomalous behavior.

High: Segmentation of sensitive internal networks from public-facing systems is essential to limit lateral movement opportunities for attackers. Access controls should be reviewed and strengthened to ensure that only authorized personnel can access critical data and systems.

Medium: Regular security assessments and penetration testing should be conducted to identify and remediate vulnerabilities before they can be exploited by adversaries. This includes both internal and external assessments, as well as red team exercises simulating nation-state attack scenarios.

Medium: Comprehensive incident response plans should be updated and tested to ensure rapid containment and recovery in the event of a breach. This includes clear communication protocols, coordination with law enforcement and regulatory agencies, and post-incident review processes.

Low: Ongoing security awareness training for all staff, with a focus on recognizing phishing attempts and social engineering tactics commonly used by advanced threat actors.
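The "Critical" recommendation above amounts to an inventory question: which public-facing ASA devices are running software below the fixed release for their train, and which are on end-of-life hardware or software? The script below is an added example, not code from the Rescana report or from Cisco; it parses ASA version strings of the form 9.18(4)22 so they compare correctly, and checks a constructed device inventory against a policy table. The release numbers in MINIMUM_FIXED, EOL_TRAINS and EOL_MODELS are assumed placeholders and must be replaced with the values from the vendor advisories for the vulnerabilities in scope.

```python
"""Added example (not part of the original report): flag Cisco ASA devices that are
below a required fixed release or on end-of-life software/hardware.

The policy tables below are placeholders (assumptions), not vendor advisory data.
"""
import re
from dataclasses import dataclass

# Cisco ASA software versions look like "9.18(4)22" or "9.20(2)":
# major.minor(maintenance)interim, with the interim part optional.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)\)(\d+)?$")


def parse_asa_version(text):
    """Turn '9.18(4)22' into a comparable tuple (9, 18, 4, 22)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ASA version string: {text!r}")
    major, minor, maint, interim = m.groups()
    return (int(major), int(minor), int(maint), int(interim or 0))


# Placeholder policy (assumption): minimum fixed release per release train.
# Replace with the fixed releases listed in the relevant vendor advisories.
MINIMUM_FIXED = {
    (9, 16): "9.16(4)70",
    (9, 18): "9.18(4)50",
    (9, 20): "9.20(3)10",
}
EOL_TRAINS = {(9, 12), (9, 14)}        # constructed: trains treated as end-of-life
EOL_MODELS = {"ASA5505", "ASA5510"}    # constructed: hardware treated as end-of-life


@dataclass
class Device:
    hostname: str
    model: str
    version: str
    internet_facing: bool


def assess(device):
    """Return findings for one device: 'eol_model', 'eol_train', 'unpatched', 'unknown_train'."""
    findings = []
    running = parse_asa_version(device.version)
    train = running[:2]
    if device.model in EOL_MODELS:
        findings.append("eol_model")
    if train in EOL_TRAINS:
        findings.append("eol_train")
    elif train in MINIMUM_FIXED:
        if running < parse_asa_version(MINIMUM_FIXED[train]):
            findings.append("unpatched")
    else:
        # A train with no policy entry is a gap in the policy, not a pass.
        findings.append("unknown_train")
    return findings


def report(devices):
    """Map hostname -> findings for devices with at least one finding.

    Internet-facing devices are listed first, since they are the T1190 exposure.
    """
    ordered = sorted(devices, key=lambda d: (not d.internet_facing, d.hostname))
    return {d.hostname: f for d in ordered if (f := assess(d))}


INVENTORY = [  # constructed sample inventory
    Device("edge-fw-1", "ASA5516", "9.18(4)22", True),
    Device("edge-fw-2", "ASA5516", "9.18(4)50", True),
    Device("dc-fw-1", "ASA5525", "9.16(4)70", False),
    Device("lab-fw-1", "ASA5505", "9.12(4)67", True),
    Device("old-fw", "ASA5545", "9.20(2)", False),
]

if __name__ == "__main__":
    for host, findings in report(INVENTORY).items():
        print(f"{host}: {', '.join(findings)}")
```

Feeding it a real inventory export (hostname, model, `show version` output, exposure) turns the recommendation into a repeatable check that can run after every patch cycle; the point of the tuple comparison is that string comparison would wrongly rank 9.18(4)9 above 9.18(4)22.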

The CBO's actions to contain the breach and implement new security controls are consistent with best practices for responding to sophisticated cyberattacks. However, the incident highlights the need for continuous improvement in vulnerability management, monitoring, and response capabilities across all government agencies and organizations handling sensitive data.

References

Federal News Network, November 7, 2025: https://federalnewsnetwork.com/cybersecurity/2025/11/the-congressional-budget-office-was-hacked-it-says-it-has-implemented-new-security-measures/

ABC News, November 6, 2025: https://abcnews.go.com/Technology/wireStory/congressional-budget-office-hacked-implemented-new-security-measures-127276744

The Record, November 7, 2025: https://therecord.media/cbo-implements-controls-following-cyberattack-reports

TechCrunch, November 7, 2025: https://techcrunch.com/2025/11/07/congressional-budget-office-confirms-it-was-hacked/

MITRE ATT&CK T1190: https://attack.mitre.org/techniques/T1190/

About Rescana

Rescana provides a Third-Party Risk Management (TPRM) platform designed to help organizations identify, assess, and monitor cybersecurity risks within their vendor and partner ecosystems. Our platform enables continuous visibility into external attack surfaces, supports rapid detection of emerging threats, and facilitates evidence-based risk mitigation strategies. For questions regarding this incident or to discuss how Rescana can support your organization’s risk management efforts, please contact us at ops@rescana.com.
