Russian intelligence-linked hackers who penetrated the U.S. Treasury Department in the 2020 SolarWinds cyberattack gained the ability to access email accounts across the entire agency, including staff working on sanctions and financial-crime investigations, according to documents obtained through a Freedom of Information Act lawsuit brought by Bloomberg.

The records, pried from a Treasury Office of Inspector General investigation, show that the hackers seized control of a global administrator account for Treasury’s SolarWinds systems on July 6, 2020. Using that access, they made changes to an internal application called Secure Mail that “potentially allowed access to all e-mail addresses ending in ‘treasury.gov,’” OIG special agents wrote in a 2021 memo cited by Bloomberg. Treasury employed approximately 94,000 people at the time of the hack.

The hackers eventually lost access to the emails on October 12, 2020, when a system change inadvertently cut them off. It remains unclear which email accounts were specifically targeted or what data was exfiltrated, according to a Treasury IT specialist whose account was compromised, Bloomberg said.

A separate set of documents reviewed by the news outlet revealed that one compromised account was connected to more than 300 others, potentially giving the hackers the ability to read, write, edit, and delete information across all of them. The affected accounts belonged primarily to staff focused on technology, international affairs, and terrorism and financial intelligence, including sanctions, Bloomberg reported.

The news outlet previously reported that the SolarWinds hackers focused specifically on eight email accounts, including those of staff involved in Russia-related investigations. The new FOIA documents show the hackers simultaneously pursued far broader access through separate pathways, according to the report. 

The U.S. government attributes the SolarWinds intrusion to Russia’s Foreign Intelligence Service. The SolarWinds breach was one of three intrusions at Treasury in which alleged Chinese and Russian operatives exploited longstanding cybersecurity vulnerabilities, according to a Bloomberg investigation published last year.