In late April 2015, attackers succeeded in hijacking the domain name servers for the Federal Reserve Bank of St. Louis. The attack redirected web searches and queries for legitimate pages to web pages set up by the attackers. The purpose was to intercept traffic, especially login details.
The Fed’s advisory noted that “as is common with these kinds of DNS attacks, users who were redirected to one of these phony websites may have been unknowingly exposed to vulnerabilities that the hackers may have put there, such as phishing, malware and access to user names and passwords.”
The communique, shared by an anonymous source with independent security researcher Brian Krebs, added that “computer hackers manipulated routing settings at a domain name service (DNS) vendor used by the St. Louis Fed so that they could automatically redirect some of the Bank’s web traffic that day to rogue webpages they created to simulate the look of the St. Louis Fed’s research.stlouisfed.org website, including webpages for FRED, FRASER, GeoFRED and ALFRED.”
The sites are mainly used for retrieving archived economic data for research purposes. Despite the seemingly low sensitivity of the data, the bank is taking action: the next time users log into their accounts, they will be asked to change their passwords. And critically, they have been warned that if they use the same credentials for other sites, they will need to change those too.
“Unless hackers were really into some serious economic research, the likely target of this attack was not the FRB data, but rather the users of this data,” Igor Baikalov, chief scientist at Securonix, said in an email. “Attackers could have harvested credentials on the spoofed pages (hoping for password reuse on other, more sensitive websites), or implanted malware for later access to the user computer. There's not much the affected users can do to protect themselves: as the statement noted, changing passwords is a good idea; scanning the user computer with updated anti-virus signatures might also help to detect malware. The St. Louis Fed has to closely monitor affected applications for any anomalies in access and user behavior to detect potential intruders and prevent them from using the Fed's systems as a stepping stone for other attacks, similar to the State Department hack.”
The St. Louis Fed’s website itself was not compromised. “It remains unclear what impact, if any, this event has had on the normal day-to-day operations of hundreds of financial institutions that interact with the regional Fed operator,” Krebs said.
He added that, given the time lag between the event and the disclosure (roughly three weeks), he believes it is likely related to state-sponsored hacking activity by a foreign adversary.
“If the DNS compromise also waylaid emails to and from the institution, this could be a much bigger deal,” he said.
The St. Louis Federal Reserve is one of 12 regional Fed organizations, and serves banks located in all of Arkansas and portions of six other states: Illinois, Indiana, Kentucky, Mississippi, Missouri and Tennessee.