SECURITY
The Congressional Budget Office has been breached by hackers who are believed to be affiliated with a foreign actor.
The CBO disclosed the incident on Thursday. According to the Washington Post, CBO officials first discovered the breach a few days earlier. The agency’s information technology team responded by rolling out new cybersecurity controls.
“The Congressional Budget Office has identified the security incident, has taken immediate action to contain it, and has implemented additional monitoring and new security controls to further protect the agency’s systems going forward,” a CBO spokesperson said in a statement.
The CBO is a nonpartisan agency that estimates the cost of new legislation. It also produces other financial data, including long-term projections of government spending and debt. Most of the agency’s 275 staffers are economists and public policy analysts.
It’s unclear which CBO systems were compromised in the breach or how. According to Nextgov/FWC, the hackers may have accessed information on discussions between CBO researchers and congressional staffers. If that’s the case, they may have stolen nonpublic economic data.
It’s also possible the hackers sought to access CBO employees’ email accounts and use them to launch phishing attacks against government officials. The Office of the Senate Sergeant at Arms, the Senate’s law enforcement agency, reportedly sent congressional staff a notification about the breach. The office instructed the recipients to avoid clicking on links in emails sent from CBO accounts.
A U.S. official told CNN that Chinese state-backed hackers are believed to be behind the breach.
TechCrunch, citing cybersecurity researcher Kevin Beaumont, reported that the cyberattack may have exploited a vulnerable ASA firewall. ASA is a series of network security devices made by Cisco Systems Inc. As of last month, the CBO’s ASA firewall was reportedly affected by two recently discovered zero-day vulnerabilities.
It’s believed the CBO last patched its firewall in 2024. It appears to have been taken offline earlier this week.
The two recently discovered vulnerabilities in the ASA firewall series only affect certain legacy models. Additionally, they can be exploited only if customers activate the built-in virtual private networking feature. The capability allows workers to remotely log into business applications.
Both vulnerabilities affect software components that ASA devices use to filter malicious input. Under certain circumstances, vulnerable devices fail to remove malware from incoming HTTPS requests before processing them. Hackers can exploit that flaw to bypass an ASA firewall’s authentication system and gain root access, which unlocks the ability to install new code on the device.
In September, Cisco disclosed that hackers had used the vulnerabilities to target U.S. government networks. It’s believed the cyberattacks were part of a state-backed hacking campaign called ArcaneDoor that was first discovered in 2024.
The CBO is the latest in a series of federal organizations breached by foreign actors. Last year, hackers used a technical support tool to compromise the network of the U.S. Treasury Department. The same hackers reportedly breached the Committee on Foreign Investment in the United States.