US Federal Reserve admits it was hacked on Super Bowl Sunday

A group claiming to be affiliated with Anonymous targeted a database belonging to The St. Louis Fed Emergency Communications System, containing information for 4,000+ US bank executive accounts.

“The website allows bank execs to update the Fed if their operations are compromised by disasters such as storms or flooding, thus helping the Fed to assess the overall impact of the event on the banking system,” reported Sophos Security’s Lisa Vaas, in a blog.

The group then published the bankers' personal details on Sunday night during the Super Bowl, including what it said was login information, credentials, IP addresses and contact information – and posted a link to the information on Twitter using #OpLastResort.

In a statement, however, Richmond Fed IT office spokesman Jim Strader said that “despite claims to the contrary, passwords were not compromised.”

He added, “The Federal Reserve system is aware that information was obtained by exploiting a temporary vulnerability in a website vendor product. … This incident did not affect critical operations of the Federal Reserve System. … The exposure was fixed shortly after discovery and is no longer an issue.”

The breach, regardless, is cause for concern, some say. “Whether Anonymous have managed to obtain usernames, passwords and other sensitive information is worrying, but what is more concerning is the fact that the Federal Reserve was breached in the first place,” said Marty Meyer, president at Corero Network Security, in an email to Infosecurity. “Although they have said no lasting damage was done, this could very easily have been a very different story.”

For now, it’s unclear how the hack was carried out. “Federal Reserve developers in 2011 discovered a cross-scripting bug in Adobe ColdFusion software, used by some Federal Reserve Bank websites,” Vaas said. “Adobe released a patch to fix the weaknesses, which could have been exploited in a cross-site scripting attack that could grant an attacker high-level access privileges to sensitive information by way of injecting malicious client-side scripts. [But] it's not known whether Sunday's breach has anything whatsoever to do with more recent ColdFusion vulnerabilities that were patched on January 15.”

Meyer cautioned that organizations should take the weakness of the central bank as an object lesson. “We can reliably assume that the Federal Reserve is likely to have significant security protections in place to stop cyber security threats, and no matter how the attackers managed to access their networks, it goes a long way to demonstrate that no organization is vulnerable from attack,” Meyer said. “With the right skills and enough motivation, any organization can fall victim to an attack from cyber-criminals.”
