Was Citibank the Victim of a Massive Breach?

Citigroup Denies News Report of Multi-Million Dollar Hack

Was Citibank breached by hackers who siphoned tens of millions of dollars from the bank's customers?

The Wall Street Journal on Tuesday reported news of an FBI investigation into an alleged Citibank computer security breach by hackers linked to a Russian cyber gang.

Citigroup executives, however, categorically deny the breach and investigation at Citibank.

"We had no breach of the system and there were no losses, no customer losses, no bank losses," says Joe Petro, managing director of Citigroup's Security and Investigative services. "Any allegation that the FBI is working a case at Citigroup involving tens of millions of losses is just not true."

Few details were given about the alleged attack, which is reported to have involved two other entities, one of them a U.S. government agency. The Citibank attack was reportedly discovered in the summer, but may have actually happened months or even a year earlier. The breach is said to have been detected by law enforcement agents who saw activity on Internet addresses previously used by the Russian Business Network, a Russian-based gang. Two years ago, RBN went quiet, but it is suspected by observers the group has reformed into smaller sects.

Whether the breach did or did not occur, security experts agree on one point: Large banking institutions are under constant attack, and this report should remind them to stay on alert for suspicious activity.

"Bigger banks make bigger targets because there's more booty and more bragging rights to be won from breaking into an institution with a globally recognized brand," says Tom Wills, Security and Fraud Senior Analyst at Javelin Strategy and Research. In the battle with the hacker, it comes down to who has the best security. "And that's something else that no bank will talk to you about in detail. So, you can only really know in hindsight who was the most vulnerable target."

Industry Experts Respond to Report

While the facts of the alleged Citibank breach are open to debate, industry analysts say the report nevertheless sparks warning signs that banking institutions must heed.

"I really can't make the call over who's right until more facts emerge," says Wills. "What I can tell you is that banks are historically reluctant to admit security breaches unless they absolutely have to. It's bad for business."

Dave Shackleford, information security expert and SANS instructor, says there are just not enough details to understand the scope of the breach/attack yet. "First, there is a bit too much hearsay involved here to count as an 'official' story, in my opinion," he says. "It would not surprise me to see a very customized botnet distribution or finance-focused piece of malware that was being run by systems within the RBN. Citi is such a large entity, it would also not surprise me if the entire attack was perpetrated through business partners and extranet connection."

Shackleford predicts that information security professionals will see similar attacks, "much like the US Fighter Jet breach through Northrop Grumman and other defense contractors."

Avivah Litan, a Gartner analyst, says she believes that this alleged attack, if true, may involve the same kinds of man-in-the-browser trojan-based attacks that have already been discussed as risks to banks. "Citibank is certainly under attack," Litan says, adding that, like all other banks, Citi is attacked many times daily.

The tools and software that the hackers have at hand are substantial, says one security expert. "There are not a lot of details that anyone is releasing about this [alleged] case. It looks like they are unsure how long their systems [might] have been infected with the 'Black Energy' software," says Kevin Prince, CTO of Perimeter E-Security, a security vendor. Prince describes Black Energy as "a Swiss army knife of hacker tools that can do a variety of tasks, including capture bank credentials."

With most large-scale breaches, Prince adds, "We find out later that the malware has been installed for many months and sometimes more than a year, such as the case with Heartland, TJ Maxx and others. The sophistication level based on what little data is out there does sound quite high."


About the Author

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.