Forced to come clean on breaches against the U.S. Federal Reserve, the Fed on Wednesday revealed the agency that drives financial markets around the world has been breached as many as 50 times in the past five years.
As part of a Freedom of Information Act request by the Reuters news agency, the public is learning for the first time how the government agency has scrambled to fight a constant barrage of attacks.
The Feds revealed to Reuters in its report that the Federal Reserve counted 310 incidents, with 140 of them cited as hacking attempts. The incidents cited in the report range from 2011 to 2015 and come from one of several Federal Reserve agencies, the Washington-based Board of Governors.
Of the 310 reported incidents, 81 involved malicious code, 54 were tied to unauthorized access and 32 had to do with information disclosure, according to Reuters data pulled from incident reports supplied by the Board of Governors.
Some of the incidents could have included someone simply sending an email by accident to the wrong recipient, according to Reuters reporter Jason Lange. Lange reported that the documents were highly redacted and limited in scope and did not include incidents impacting the Federal Reserve’s 12 other privately owned regional branches.
For at least four instances of hacking, the records released to Reuters indicated that the Feds classified them as espionage. Two of those four cases of espionage actually involved information being disclosed, Reuters reported. The records released to Reuters did not indicate the nature of the data released.
“In all, the Fed’s national team of cybersecurity experts, which operates mostly out of New Jersey, identified 51 cases of ‘information disclosure’ involving the Fed’s board,” Reuters wrote.
Security experts are not surprised and said the Fed’s track record on breaches is higher than that of private financial institutions. Worse, security experts say, as the Freedom of Information Act request illustrates, the Feds are less likely to reveal details of such breaches.
“If you’re Bank of America you are compelled by law to reveal any such security breaches. Those rules are there to instill trust and confidence in our financial system. No such requirements are placed on the Federal Reserve and that’s to the public’s detriment,” said Tom Kellermann, CEO of Strategic Cyber Ventures and former member of World Bank’s security team.
The attacks, Kellermann said, are part of a larger disclosure made by the federal government in February. That’s when the FBI issued a bulletin that a group named APT 6 hacked into U.S. government computer systems as far back as 2011 and for years stole sensitive data.
At the time of the bulletin, the FBI was mum on the details regarding the actual attack and which government systems were infected. Government officials said they knew the initial attack occurred in 2011, but were unaware of who specifically was behind the attacks.
Reuters’ document request was not much more successful when it comes to determining who stole what, how much and when.
Kellermann said he doubts that hackers were targeting the Federal Reserve for a smash and grab of money, as was the case involving hackers that stole $81 million from a Bangladesh Bank account via fraudulent transactions from the bank’s Federal Reserve Bank of New York account.
“Hackers are getting smart and are more interested in getting insider information so they can front-run the United States government as it relates to macro strategic moves,” Kellermann said.
“Can you make more money stealing $20 million from a financial institution or by knowing in advance that a major financial institution is going to invest $10 billion into the Swiss franc tomorrow? If you were to go long on the Swiss franc you would reap the benefits of the dramatic increase in the value of the currency. And we are talking way more than $20 million.”
Kellermann said to expect more hacks of financial institutions. Driving those breaches are large gaps in the security of financial institutions. “These gaps are exploited because the cyber vault has not evolved with the threat landscape. The security architecture of the U.S. financial system must evolve in order to combat these modern-day Dillinger gangs,” he said.