Russia says foreign spies plan cyber attack on banking system

A hand is silhouetted in front of a computer screen in this picture illustration taken in Berlin

By Christian Lowe and Natalia Zinets

MOSCOW/KIEV (Reuters) – Russia said on Friday it had uncovered a plot by foreign spy agencies to sow chaos in Russia’s banking system via a coordinated wave of cyber attacks and fake social media reports about banks going bust.

Russia’s domestic intelligence agency, the Federal Security Service (FSB), said that the servers to be used in the alleged cyber attack were located in the Netherlands and registered to a Ukrainian web hosting company called BlazingFast.

The attack, which was to target major national and provincial banks in several Russian cities, was meant to start on Dec. 5, the FSB said in a statement.

“It was planned that the cyber attack would be accompanied by a mass send-out of SMS messages and publications in social media of a provocative nature regarding a crisis in the Russian banking system, bankruptcies and license withdrawals,” it said.

“The FSB is carrying out the necessary measures to neutralize threats to Russia’s economic and information security.”

The statement did not say which countries’ intelligence agencies were behind the alleged plot.

SITUATION ‘UNDER CONTROL’

Russia’s central bank said it was aware of the threat and was in constant contact with the security services. In a statement sent to Reuters, it said it had drawn up a plan to counteract any attack.

“The situation is under control. Banks have been given necessary guidance,” the central bank said.

Anton Onoprichuk, director of Kiev-based BlazingFast, said neither the FSB nor any other intelligence agency had been in touch with his company. He told Reuters he was waiting for more information so his firm could investigate.

Asked if his servers could be used to mount a cyber attack he said: “Technically it is possible. It is possible with any hosting company, where you rent a server. You can attack whatever (you want) from it and in 99 percent of cases it will become known only after the event.”

Russia has been on high alert for foreign-inspired cyber attacks since U.S. officials accused the Kremlin of being involved in hacks on Democratic Party emails during the U.S. presidential election.

U.S. Vice President Joe Biden said at the time that the United States would mount a “proportional” response to Russia.

Since then, there have been a number of cyber attacks affecting Russian institutions, though it is unclear if they were linked to the row between Moscow and Washington.

In October, a network of Ukrainian hackers released a cache of emails obtained from the account of an aide to Kremlin adviser Vladislav Surkov.

And on Nov. 11, Russian lenders Sberbank and Alfa Bank said they had been hit by cyber attacks

Sberbank on Friday declined to comment on the FSB’s statement. The press service of VTB, Russia’s second-largest state-run lender, said its security systems guaranteed clients’ transactions were completely protected.

(Additional reporting by Natalia Zinets in KIEV, Elena Fabrichnaya and Kira Zavyalova in MOSCOW; Writing by Christian Lowe; Editing by Andrew Osborn)

Hackers stole over 2 billion roubles from accounts in central bank Russia

A lock icon, signifying an encrypted Internet connection, is seen on an Internet Explorer browser in a photo illustration

MOSCOW (Reuters) – Hackers have stolen more than 2 billion roubles ($31.3 million) from banks’ correspondent accounts in Russian central bank, the central bank official Artyom Sychyov told a briefing on Friday.

He added that hackers attempted to stole around 5 billion roubles.

Hackers broke into accounts at the Russian central bank earlier this year by faking a client’s credentials and attempted to steal $45 million, the bank said in a report released earlier on Friday.

(Reporting by Andrey Ostroukh and Elena Fabrichnaya; writing by Katya Golubkova; editing by Vladimir Soldatkin)

FBI to gain expanded hacking powers as Senate effort to block fails

Password on Computer Screen

By Dustin Volz

WASHINGTON (Reuters) – A last-ditch effort in the Senate to block or delay rule changes that would expand the U.S. government’s hacking powers failed Wednesday, despite concerns the changes would jeopardize the privacy rights of innocent Americans and risk possible abuse by the incoming administration of President-elect Donald Trump.

Democratic Senator Ron Wyden attempted three times to delay the changes, which will take effect on Thursday and allow U.S. judges will be able to issue search warrants that give the FBI the authority to remotely access computers in any jurisdiction, potentially even overseas. His efforts were blocked by Senator John Cornyn of Texas, the Senate’s second-ranking Republican.

The changes will allow judges to issue warrants in cases when a suspect uses anonymizing technology to conceal the location of his or her computer or for an investigation into a network of hacked or infected computers, such as a botnet.

Magistrate judges can currently only order searches within the jurisdiction of their court, which is typically limited to a few counties.

In a speech from the Senate floor, Wyden said that the changes to Rule 41 of the federal rules of criminal procedure amounted to “one of the biggest mistakes in surveillance policy in years.”

The government will have “unprecedented authority to hack into Americans’ personal phones, computers and other devices,” Wyden said.

He added that such authority, which was approved by the Supreme Court in a private vote earlier this year, but was not subject to congressional approval, was especially troubling in the hands of an administration of President-elect Trump, a Republican who has “openly said he wants the power to hack his political opponents the same way Russia does.”

Democratic Senator Chris Coons of Delaware and Republican Senator Steve Daines of Montana also delivered speeches voicing opposition to the rule changes.

The U.S. Justice Department has pushed for the changes to the federal rules of criminal procedure for years, arguing they are procedural in nature and the criminal code needed to be modernized for the digital age.

In an effort to address concerns, U.S. Assistant Attorney General Leslie Caldwell wrote a blog post this week arguing that the benefits given to authorities from the rule changes outweighed any potential for “unintended harm.”

“The possibility of such harm must be balanced against the very real and ongoing harms perpetrated by criminals – such as hackers, who continue to harm the security and invade the privacy of Americans through an ongoing botnet, or pedophiles who openly and brazenly discuss their plans to sexually assault children,” Caldwell wrote.

A handful of judges in recent months had dismissed evidence brought as part of a sweeping FBI child pornography sting, saying the search warrants used to hack suspects’ computers exceeded their jurisdiction.

The new rules are expected to make such searches generally valid.

Blocking the changes would have required legislation to pass both houses of Congress, then be signed into law by the president.

(Reporting by Dustin Volz, editing by G Crosse)

British banks keep cyber attacks under wraps to protect image

worker going to Canary Wharf Businesses

By Lawrence White

LONDON (Reuters) – Britain’s banks are not reporting the full extent of cyber attacks to regulators for fear of punishment or bad publicity, bank executives and providers of security systems say.

Reported attacks on financial institutions in Britain have risen from just 5 in 2014 to 75 so far this year, data from Britain’s Financial Conduct Authority (FCA) show.

However, bankers and experts in cyber-security say many more attacks are taking place. In fact, banks are under almost constant attack, Shlomo Touboul, Chief Executive of Israeli-based cyber security firm Illusive Networks said.

Touboul cites the example of one large global financial institution he works with which experiences more than two billion such “events” a month, ranging from an employee receiving a malicious email to user or system-generated alerts of attacks or glitches.

Machine defenses filter those down to 200,000, before a human team cuts that to 200 “real” events a month, he added.

Banks are not obliged to reveal every such instance as cyber attacks fall under the FCA’s provision for companies to report any event that could have a material impact, unlike in the U.S. where forced disclosure makes reporting more consistent.

“There is a gray area…Banks are in general fulfilling their legal obligations but there is also a moral requirement to warn customers of potential losses and to share information with the industry,” Ryan Rubin, UK Managing Director, Security & Privacy at consultant Protiviti, said.

SWIFT ACTION

Banks are not alone in their reluctance to disclose every cyber attack. Of the five million fraud and 2.5 million cyber-related crimes occurring annually in the UK, only 250,000 are being reported, government data show.

But while saving them from bad publicity or worried customers, failure to report more serious incidents, even when they are unsuccessful, deprives regulators of information that could help prevent further attacks, the sources said.

A report published in May by Marsh and industry lobby group TheCityUK concluded that Britain’s financial sector should create a cyber forum comprising bank board members and risk officers to promote better information sharing.

Security experts said that while reporting all low level attacks such as email “phishing” attempts would overload authorities with unnecessary information, some banks are not sharing data on more harmful intrusions because of concerns about regulatory action or damage to their brand.

The most serious recent known attack was on the global SWIFT messaging network in February, but staff from five firms that provide cyber security products and advice to banks in Britain told Reuters they have seen first-hand examples of banks choosing not to report breaches, despite the FCA making public pleas for them to do so, the most recent in September.

“When I moved from law enforcement to banking and saw what banks knew, the amount of information at their disposal, I thought ‘wow’, I never had that before,” Troels Oerting, Group Chief Information Security Officer at Barclays and former head of Europol’s Cyber Crime Unit, said.

Oerting, who joined Barclays in February last year, said since then banks’ sharing of information with authorities has improved dramatically and Barclays shares all its relevant information on attacks with regulators.

Staff from five firms that provide cyber security products and advice to banks in Britain told Reuters they have seen first-hand examples of banks choosing not to report breaches.

“Banks are dramatically under-reporting attacks, they do what’s legally required but out of embarrassment or fear of punishment they aren’t giving the whole picture,” one of the sources, who declined to be named because he did not want to be identified criticizing his firm’s customers, said.

Apart from Barclays, the other major British banks all declined to comment on their disclosures.

The Bank of England declined to comment and the FCA did not respond to requests for comment.

KEEPING SECRETS

Companies that use external security systems also do not always inform them of attacks, the sources said.

“Our customers sometimes detect attacks but don’t tell us,” Touboul, whose firm helps protect banks’ SWIFT payment networks by luring attackers to decoy systems, said.

Hackers used the bank messaging system that helps transmit billions of dollars around the world every day to steal $81 million in one of the largest reported cyber-heists.

Targeted attacks, in which organized criminals penetrate bank systems and then lurk for months to identify and profile key executives and accounts, are becoming more common, David Ferbrache, technical director Cybersecurity at KPMG and former head of cyber and space at the UK Ministry of Defended, said.

“The lesson of the SWIFT attack is that the global banking system is heavily interconnected and dependent on the trust and security of component members, so more diligence in controls and more information sharing is vital,” Ferbrache said.

“Big banks are spending enormous amounts of money, $400-500 million a year, but there are still vulnerabilities in their supply chains and in executives’ home networks, and organized crime groups are shifting their focus accordingly,” Yuri Frayman, CEO of Los Angeles-based cyber security provider Zenedge, said.

BRAND DAMAGE

Banks are increasingly sensitive to the brand damage caused by IT failings, perceiving customers to care just as deeply about security and stable service as loan or deposit rates.

Former RBS Chief Executive Stephen Hester waived his bonus in 2012 over a failed software update which caused chaos for thousands of bank customers.

And HSBC issued multiple apologies to customers after its UK personal banking websites were shuttered by a distributed denial of service (DDoS) attack, following earlier unrelated IT glitches.

“People don’t care about a 0.1 percent interest rate change but ‘will this bank do the utmost to keep my money and information safe?'” Oerting said.

(Editing by Sinead Cruise and Alexander Smith)

‘No doubt’ Russia behind hacks on U.S. election system: senior Democrat

Vice Presidential debate in Virginia

By Dustin Volz

WASHINGTON (Reuters) – A senior Democratic lawmaker said Sunday he had “no doubt” that Russia was behind recent hacking attempts targeting state election systems, and urged the Obama administration to publicly blame Moscow for trying to undermine confidence in the Nov. 8 presidential contest.

The remarks from Representative Adam Schiff, the top Democrat on the intelligence committee in the U.S. House of Representatives, come amid heightened concerns among U.S. and state officials about the security of voting machines and databases, and unsubstantiated allegations from Republican candidate Donald Trump that the election could be “rigged.”

“I have no doubt [this is Russia]. And I don’t think the administration has any doubt,” Schiff said during an appearance on ABC’s “This Week.”

Schiff’s call to name and shame the Kremlin came a week after Trump questioned widely held conclusions made privately by the U.S. intelligence community that Russia is responsible for the hacking activity.

“It could be Russia, but it could also be China,” Trump said during a televised debate with Democratic candidate Hillary Clinton. “It also could be somebody sitting on their bed that weighs 400 pounds.”

On Saturday, Homeland Security Secretary Jeh Johnson said hackers have probed the voting systems of many U.S. states but there is no sign that they have manipulated any voting data.

Schiff said he doubted hackers could falsify vote tallies in a way to affect the election outcome. Officials and experts have said the decentralized and outdated nature of U.S. voting technology makes such hacks more unlikely.

But cyber attacks on voter registration systems could “sow discord” on election day, Schiff said. He further added that leaks of doctored emails would be difficult to disprove and could “be election altering.”

The National Security Agency, FBI and DHS all concluded weeks ago that Russian intelligence agencies conducted, directed or coordinated all the major cyberattacks on U.S. political organizations, including the Democratic National Committee, and individuals, a U.S. official who is participating in the investigations said on Sunday.

However, the official said, White House officials have resisted naming the Russians publicly because doing so could result in escalating cyberattacks, and because it is considered impossible to offer public, unclassified proof of the allegation.

Schiff and Senator Dianne Feinstein, the top Democrat on the U.S. Senate intelligence committee, said last month they had concluded Russian intelligence agencies were “making a serious and concerted effort to influence the U.S. election.”

(Reporting by Dustin Volz and John Walcott; Editing by Nick Zieminski)

Hacking group claims to offer cyber-weapons in online auction

Cyber coder

By Joseph Menn

(Reuters) – Hackers going by the name Shadow Brokers said on Monday they will auction stolen surveillance tools they say were used by a cyber group linked to the U.S. National Security Agency.

To arouse interest in the auction, the hackers released samples of programs they said could break into popular firewall software made by companies including Cisco Systems Inc, Juniper Networks Inc and Fortinet Inc.

The companies did not respond to request for comment, nor did the NSA.

Writing in imperfect English, the Shadow Brokers promised in postings on a Tumblr blog that the auctioned material would contain “cyber weapons” developed by the Equation Group, a hacking group that cyber security experts widely believe to be an arm of the NSA. [http://reut.rs/2aVA7LD]

The Shadow Brokers said the programs they will auction will be “better than Stuxnet,” a malicious computer worm widely attributed to the United States and Israel that sabotaged Iran’s nuclear program.

Reuters could not contact the Shadow Brokers or verify their assertions. Some experts who looked at the samples posted on Tumblr said they included programs that had previously been described and therefore were unlikely to cause major damage.

“The data [released so far] appears to be relatively old; some of the programs have already been known for years,” said researcher Claudio Guarnieri, and are unlikely “to cause any significant operational damage.”

Still, they appeared to be genuine tools that might work if flaws have not been addressed. After examining the code released Monday, Matt Suiche, founder of UAE-based security startup Comae Technologies, concluded they looked like “could be used.”

Other security experts warned the posting could prove to be a hoax. The group said interested parties had to send funds in advance of winning the auction via Bitcoin currency and would not get their money back if they lost.

The auction will end at an unspecified time, Shadow Brokers said, encouraging bidders to “keep bidding until we announce winner.”

(Editing by Cynthia Osterman)

Exclusive: Hackers accessed Telegram messaging accounts in Iran – researchers

Guy working with those whose accounts were hacked

By Joseph Menn and Yeganeh Torbati

SAN FRANCISCO/WASHINGTON (Reuters) – Iranian hackers have compromised more than a dozen accounts on the Telegram instant messaging service and identified the phone numbers of 15 million Iranian users, the largest known breach of the encrypted communications system, cyber researchers told Reuters.

The attacks, which took place this year and have not been previously reported, jeopardized the communications of activists, journalists and other people in sensitive positions in Iran, where Telegram is used by some 20 million people, said independent cyber researcher Collin Anderson and Amnesty International technologist Claudio Guarnieri, who have been studying Iranian hacking groups for three years.

Telegram promotes itself as an ultra secure instant messaging system because all data is encrypted from start to finish, known in the industry as end-to-end encryption. A number of other messaging services, including Facebook Inc’s <FB.O> WhatsApp, say they have similar capabilities.

Headquartered in Berlin, Telegram says it has 100 million active subscribers and is widely used in the Middle East, including by the Islamic State militant group, as well as in Central and Southeast Asia, and Latin America.

Telegram’s vulnerability, according to Anderson and Guarnieri, lies in its use of SMS text messages to activate new devices. When users want to log on to Telegram from a new phone, the company sends them authorization codes via SMS, which can be intercepted by the phone company and shared with the hackers, the researchers said.

Armed with the codes, the hackers can add new devices to a person’s Telegram account, enabling them to read chat histories as well as new messages.

“We have over a dozen cases in which Telegram accounts have been compromised, through ways that sound like basically coordination with the cellphone company,” Anderson said in an interview.

Telegram’s reliance on SMS verification makes it vulnerable in any country where cellphone companies are owned or heavily influenced by the government, the researchers said.

A spokesman for Telegram said customers can defend against such attacks by not just relying on SMS verification. Telegram allows – though it does not require – customers to create passwords, which can be reset with so-called “recovery” emails.

“If you have a strong Telegram password and your recovery email is secure, there’s nothing an attacker can do,” said Markus Ra, the spokesman.

Iranian officials were not available to comment. Iran has in the past denied government links to hacking.

ROCKET KITTEN

The Telegram hackers, the researchers said, belonged to a group known as Rocket Kitten, which used Persian-language references in their code and carried out “a common pattern of spearphishing campaigns reflecting the interests and activities of the Iranian security apparatus.”

Anderson and Guarnieri declined to comment on whether the hackers were employed by the Iranian government. Other cyber experts have said Rocket Kitten’s attacks were similar to ones attributed to Iran’s powerful Revolutionary Guards.

The researchers said the Telegram victims included political activists involved in reformist movements and opposition organizations. They declined to name the targets, citing concerns for their safety.

“We see instances in which people … are targeted prior to their arrest,” Anderson said. “We see a continuous alignment across these actions.”

The researchers said they also found evidence that the hackers took advantage of a programing interface built into Telegram to identify at least 15 million Iranian phone numbers with Telegram accounts registered to them, as well as the associated user IDs. That information could provide a map of the Iranian user base that could be useful for future attacks and investigations, they said.

“A systematic de-anonymization and classification of people who employ encryption tools (of some sort, at least) for an entire nation” has never been exposed before, Guarnieri said.

Ra said Telegram has blocked similar “mapping” attempts in the past and was trying to improve its detection and blocking strategies.

Cyber experts say Iranian hackers have become increasingly sophisticated, able to adapt to evolving social media habits. Rocket Kitten’s targets included members of the Saudi royal family, Israeli nuclear scientists, NATO officials and Iranian dissidents, U.S.-Israeli security firm Check Point said last November.

POPULAR IN THE MIDDLE EAST

Telegram was founded in 2013 by Pavel Durov, known for starting VKontakte, Russia’s version of Facebook, before fleeing the country under pressure from the government.

While Facebook and Twitter are banned in Iran, Telegram is widely used by groups across the political spectrum. They shared content on Telegram “channels” and urged followers to vote ahead of Iran’s parliamentary elections in February 2016.

Last October, Durov wrote in a post on Twitter that Iranian authorities had demanded the company provide them with “spying and censorship tools.” He said Telegram ignored the request and was blocked for two hours on Oct. 20, 2015.

Ra said the company has not changed its stance on censorship and does not maintain any servers in Iran.

After complaints from Iranian activists, Durov wrote on Twitter in April that people in “troubled countries” should set passwords for added security.

Amir Rashidi, an internet security researcher at the New York-based International Campaign for Human Rights in Iran, has worked with Iranian hacking victims. He said he knew of Telegram users who were spied on even after they had set passwords.

Ra said that in those cases the recovery email had likely been hacked.

Anderson and Guarnieri will present their findings at the Black Hat security conference in Las Vegas on Thursday. Their complete research is set to be published by the Carnegie Endowment for International Peace, a Washington-based think tank, later this year.

(Reporting by Joseph Menn in San Francisco and Yeganeh Torbati in Washington; Additional reporting by Michelle Nichols at the United Nations and Parisa Hafezi in Ankara; Editing by Jonathan Weber and Tiffany Wu)

U.S. theory on Democratic Party breach: Hackers meant to leave Russia’s mark

secure URL picture

By John Walcott, Joseph Menn and Mark Hosenball

WASHINGTON (Reuters) – Some U.S. intelligence officials suspect that Russian hackers who broke into Democratic Party computers may have deliberately left digital fingerprints to show Moscow is a “cyberpower” that Washington should respect.

Three officials, all speaking on condition of anonymity, said the breaches of the Democratic National Committee (DNC) were less sophisticated than other cyber intrusions that have been traced to Russian intelligence agencies or criminals.

For example, said one official, the hackers used some Cyrillic characters, worked during Russian government business hours but not on Russian religious or political holidays.”Either these guys were incredibly sloppy, in which case it’s not clear that they could have gotten as far as they did without being detected, or they wanted us to know they were Russian,” said the official.

Private sector cyber security experts agreed that the evidence clearly points to Russian hackers but dismissed the idea that they intentionally left evidence of their identities.

These experts – who said they have examined the breach in detail – said the Cyrillic characters were buried in metadata and in an error message. Other giveaways, such as a tainted Internet protocol address, also were difficult to find.

Russian hacking campaigns have traditionally been harder to track than China’s but not impossible to decipher, private sector experts said. But the Russians have become more aggressive and easier to detect in the past two years, security experts said, especially when they are trying to move quickly.

False flags have grown more common, but the government and private experts do not believe that is involved in the DNC case.

The two groups of hackers involved are adept at concealing their intrusions, said Laura Galante, head of global threat intelligence at FireEye, whose Mandiant subsidiary conducted forensic analysis of the attack and corroborated the findings of another cyber company, CrowdStrike.

Russian officials have dismissed the allegations of Moscow’s involvement as absurd. Russian Foreign Minister Sergei Lavrov, in his only response to reporters, said: “I don’t want to use four-letter words.”

EMBARRASSING EMAILS

While private cyber experts and the government were aware of the political party’s hacking months ago, embarrassing emails were leaked last weekend by the WikiLeaks anti-secrecy group just as the Democratic Party prepared to anoint Hillary Clinton as its presidential candidate for the Nov. 8 election.

DNC chairwoman, Debbie Wasserman Schultz, resigned after the leaked emails showed party leaders favoring Clinton over her rival in the campaign for the nomination, U.S. Senator Bernie Sanders of Vermont. The committee is supposed to be neutral.

The U.S. intelligence officials conceded that they had based their views on deductive reasoning and not conclusive evidence, but suggested Russia’s aim probably was much broader than simply undermining Clinton’s campaign.

They said the hack fit a pattern of Russian President Vladimir Putin pushing back on what he sees as the United States and its European allies trying to weaken Russia.

“Call it the cyber equivalent of buzzing NATO ships and planes using fighters with Russian flags on their tails,” said one official.

Two sources familiar with Democratic Party investigations into the hacking said the private email accounts of Democratic Party officials were targeted as well as servers.

They said that the FBI had advised the DNC that it was looking into the hacking of the individual officials’ private accounts. They also said the FBI also requested additional information identifying the personal email accounts of certain party officials.

The DNC hired CrowdStrike to investigate the hack. It spent about six weeks, from late April to about June 11 or 12, monitoring the systems and watching while the hackers – who they believed were Russian – operated inside the systems, one of the sources said.

What actions, if any, the Obama administration will take are unclear and could depend on what diplomatic considerations may ultimately be involved, a former White House cyber security official said.

In past cases, administration officials have decided to publicly blame North Korea and indict members of China’s military for hacking because the administration decided that the net benefit of public shaming – and increased awareness brought to cyber security – outweighed potential risks, the former official said.

But “the Russia calculation is far more difficult and precarious,” the former official said. “Russia is a much more aggressive, capable foreign actor both in the traditional military sense and in the cyber realm” and that made public attribution or covert retaliation much less likely.

The former official, and a source familiar with the Democratic Party investigations, said that they also were unaware of any U.S. intelligence clearly demonstrating that WikiLeaks had received the hacked materials directly from Russians or that WikiLeaks’ release of the materials was in any way directed by Russians.

(Reporting By John Walcott, Joseph Menn and Mark Hosenball; Additional reporting by Dustin Volz; Editing by David Rohde and Grant McCool)

Russian spies hack U.S. Democratic Party computers

A woman is silhouetted during the DNC Rules and Bylaws Committee meeting in Washington

WASHINGTON (Reuters) – Russian government hackers penetrated the computer network of the Democratic National Committee and gained access to the entire database of opposition research on Republican presidential candidate Donald Trump, the Washington Post reported on Tuesday.

“The intruders so thoroughly compromised the DNC’s system they also were able to read all e-mail and chat traffic,” the paper said, citing committee officials and security experts.

Representative Debbie Wasserman Schultz, chairwoman of the Democratic National Committee, confirmed the breach.

“When we discovered the intrusion, we treated this like the serious incident it is …,” Wasserman Schultz said in a statement. “Our team moved as quickly as possible to kick out the intruders and secure our network.”

The Post quoted U.S. officials as saying Russian spies also targeted the networks of Trump and Democratic presidential candidate Hillary Clinton, as well as computers of some Republican political action committees.

It said some of the hackers had access to the Democratic National Committee network for about a year “but all were expelled over the past weekend in a major computer clean-up campaign.”

(Reporting by Susan Heavey; Writing by Mohammad Zargham; Editing by James Dalgleish)

Fed records show dozens of cybersecurity breaches

The Federal Reserve building in Washington

By Jason Lange and Dustin Volz

WASHINGTON (Reuters) – The U.S. Federal Reserve detected more than 50 cyber breaches between 2011 and 2015, with several incidents described internally as “espionage,” according to Fed records.

The central bank’s staff suspected hackers or spies in many of the incidents, the records show. The Fed’s computer systems play a critical role in global banking and hold confidential information on discussions about monetary policy that drives financial markets.

The cybersecurity reports, obtained by Reuters through a Freedom of Information Act request, were heavily redacted by Fed officials to keep secret the central bank’s security procedures.

The Fed declined to comment, and the redacted records do not say who hacked the bank’s systems or whether they accessed sensitive information or stole money.

“Hacking is a major threat to the stability of the financial system. This data shows why,” said James Lewis, a cybersecurity expert at the Center for Strategic and International Studies, a Washington think tank. Lewis reviewed the files at the request of Reuters.

For a graphic on the Fed security breaches, see: http://tmsnrt.rs/1TxSu8R

The records represent only a slice of all cyber attacks on the Fed because they include only cases involving the Washington-based Board of Governors, a federal agency that is subject to public records laws. Reuters did not have access to reports by local cybersecurity teams at the central bank’s 12 privately owned regional branches.

The disclosure of breaches at the Fed comes at a time when cybersecurity at central banks worldwide is under scrutiny after hackers stole $81 million from a Bank Bangladesh account at the New York Fed.

Cyber thieves have targeted large financial institutions around the world, including America’s largest bank JPMorgan, as well as smaller players like Ecuador’s Banco del Austro and Vietnam’s Tien Phong Bank.

Hacking attempts were cited in 140 of the 310 reports provided by the Fed’s board. In some reports, the incidents were not classified in any way.

In eight information breaches between 2011 and 2013 – a time when the Fed’s trading desk was buying massive amounts of bonds – Fed staff wrote that the cases involved “malicious code,” referring to software used by hackers.

Four hacking incidents in 2012 were considered acts of “espionage,” according to the records. Information was disclosed in at least two of those incidents, according to the records. In the other two incidents, the records did not indicate whether there was a breach.

In all, the Fed’s national team of cybersecurity experts, which operates mostly out of New Jersey, identified 51 cases of “information disclosure” involving the Fed’s board. Separate reports showed a local team at the board registered four such incidents.

The cases of information disclosure can refer to a range of ways unauthorized people see Fed information, from hacking attacks to Fed emails sent to the wrong recipients, according to two former Fed cybersecurity staffers who spoke on condition of anonymity.

The former employees said that cyber attacks on the Fed are about as common as at other large financial institutions.

It was unclear if the espionage incidents involved foreign governments, as has been suspected in some hacks of federal agencies. Beginning in 2014, for instance, hackers stole more than 21 million background check records from the federal Office of Personnel Management, and U.S. officials attributed the breach to the Chinese government, an accusation denied by Beijing.

TARGET FOR SPYING

Security analysts said foreign governments could stand to gain from inside Fed information. China and Russia, for instance, are major players in the $13.8 trillion federal debt market where Fed policy plays a big role in setting interest rates.

“Obviously that makes it a very clear (hacking) target for other nation states,” said Ari Schwartz, a former top cybersecurity adviser at the White House who is now with the law firm Venable.

U.S. prosecutors in March accused hackers associated with Iran’s government of attacking dozens of U.S. banks.

In the records obtained by Reuters, espionage might also refer to spying by private companies, or even individuals such British activist Lauri Love, who is accused of infiltrating a server at a regional Fed branch in October 2012. Love stole names, e-mail addresses, and phone numbers of Fed computer system users, according to a federal indictment.

The redacted reports obtained by Reuters do not mention Love or any other hacker by name.

The records point to breaches during a sensitive period for the Fed, which was ramping up aid for the struggling U.S. economy by buying massive quantities of U.S. government debt and mortgage-backed securities.

In 2010 and 2011, the Fed went on a $600 billion bond-buying spree that lowered interest rates and made bonds more expensive. It restarted purchases in September 2012 and expanded them up in December of that year.

The Fed cybersecurity records did not indicate whether hackers accessed sensitive information on the timing or amounts of bond purchases or used it for financial gain.

UP ALL NIGHT

The Fed’s national cybersecurity team – the National Incident Response Team, or NIRT – created 263 of the incident reports obtained by Reuters.

NIRT operates in a fortress-like building in East Rutherford, New Jersey that also processes millions of dollars in cash everyday as part of the central bank’s duty to keep the financial system running, according to the New York Fed’s website. The unit provides support to the local cybersecurity teams at the Fed’s Board and regional banks, which process more than $3 trillion in payments every day.

The NIRT handles “higher impact” cases, according to a 2013 report by the Board of Governor’s Office of Inspector General.

One of the two former NIRT employees interviewed by Reuters described being on a team that once worked around the clock for five-straight days to patch software hackers had used to gain access to Fed systems in an attempt to obtain passwords. The former employee worked through several of those nights, taking naps at a desk in the office.

In that case, Fed security staff found no signs that sensitive information had been disclosed, the former employee said. Information about future interest rate policy discussions is isolated from other Fed networks and is more difficult for hackers to access, the former NIRT worker said.

But the Fed was under constant assault, much like any large company, the former employee said, and was “compromised frequently.”

An internal watchdog has criticized the central bank for cybersecurity shortcomings. A 2015 audit by the Fed board’s Office of Inspector General found the board was not adequately scanning databases for vulnerabilities or putting enough restrictions on system access.

“There is heightened risk of unauthorized disclosure and inappropriate use of sensitive board information,” according to the audit released in November.

(Reporting by Jason Lange and Dustin Volz; Editing by David Chance and Brian Thevenot)