The US Federal Reserve was breached 50+ times between 2011 and 2015, including several instances of espionage likely carried out by nation-state hackers.
The United States’ central bank is a high-value target, given the Fed's role in setting interest rates and its influence on global financial markets. Insider information for instance would benefit China and Russia, which hold a significant chunk of the US’ $13.8 trillion federal debt.
“Given the Fed’s responsibilities and sphere of economic influence, I think it’s natural for people to assume that it owns and operates one of the most secure IT systems in the world…but an internal audit showed critical vulnerabilities,” Yorgen Edholm, CEO of Accellion, told Infosecurity. “With criminal syndicates and foreign governments now actively involved in cybercrime, I don’t think any company or agency is safe. Nevertheless, organizations like the Fed have an imperative to deploy the best possible cybersecurity defenses available—but they have to make this a priority. Being hacked is bad enough. Being hacked after being told you have serious flaws in your defenses and processes is much worse.”
While no attribution was given, Fed records acquired by Reuters through a Freedom of Information Act request show at least 140 hacking attempts in the time period; out of those attempts, there were 51 cases of "information disclosure" involving the Fed's board.
Eight were information breaches that took place at a critical time period between 2011 and 2013—when the Fed's trading desk was buying massive amounts of bonds to counteract a sliding economy. Hackers used malware to exfiltrate the information.
Four hacking incidents in 2012 were considered acts of "espionage," according to the records—and at least two of those resulted in information leakage.
The 50+ number is actually likely quite low—Reuters pointed out that the records represent only a slice of all cyberattacks on the Fed because they include only cases involving the Washington-based Board of Governors, a federal agency that is subject to public records laws.
That means that Reuters did not have access to reports by local cybersecurity teams at the central bank's 12 privately owned regional branches. But these are also targets: Hackers recently stole $81 million from a Bank Bangladesh account at the New York Fed. And British activist Lauri Love is accused of infiltrating a server at a regional Fed branch in October 2012, stealing names, e-mail addresses and phone numbers of Fed computer system users.
There is likely more information to be gleaned from the documents, but the records were heavily redacted and granular details of the incidents were not available.
“The US Federal Reserve plays a critical role in global banking, so it’s no surprise that details about these breaches were kept under wraps,” said Vishal Gupta, CEO of security startup Seclore, via email. “However, it’s a reminder that cyber-criminals continue to be 10 steps ahead of our government. This is unacceptable. A single breach of the US Federal Reserve could have catastrophic consequences to the national and global economy. At what point do we say ‘enough is enough?’”
Also, the fact that there has been a steady stream of security breaches over the span of five years is a red flag, he added.
“When hackers reportedly stole $81 million from a Bank Bangladesh account at the New York Fed in May, panic ensued,” Gupta said. “Without knowledge about how these hacks occurred and what the damage was, we can’t determine the best course of action. What is clear is that our defenses are lacking, and we need to protect our data right down to the most granular level if we want to get ahead of cyber-criminals."
Photo © Joseph Sohm