Russian Hackers Steal Tens of Millions from Citibank
By Siobhan Gorman and Evan Perez
The same day President Obama named Howard Schmidt his cyber-security coordinator (widely dubbed the "Cyber Czar"), it was reported that Russian hackers had breached Citibank's computers and stolen tens of millions of dollars, a claim Citigroup disputes.
The Federal Bureau of Investigation is probing a computer-security breach targeting Citigroup Inc. that resulted in a theft of tens of millions of dollars by computer hackers who appear linked to a Russian cyber gang, according to government officials.
The attack took aim at Citigroup’s Citibank subsidiary, which includes its North American retail bank and other businesses. It couldn’t be learned whether the thieves gained access to Citibank’s systems directly or through third parties.
The attack underscores the blurring of lines between criminal and national-security threats in cyberspace. Hackers also assaulted two other entities, at least one of them a U.S. government agency, said people familiar with the attack on Citibank.
The Citibank attack was detected over the summer, but investigators are looking into the possibility the attack may have occurred months or even a year earlier. The FBI and the National Security Agency, along with the Department of Homeland Security and Citigroup, swapped information to counter the attack, according to a person familiar with the case. Press offices of the federal agencies declined to comment.
Joe Petro, managing director of Citigroup’s Security and Investigative services, said, “We had no breach of the system and there were no losses, no customer losses, no bank losses.” He added later: “Any allegation that the FBI is working a case at Citigroup involving tens of millions of losses is just not true.”
The threat was initially detected by U.S. investigators who saw suspicious traffic coming from Internet addresses that had been used by the Russian Business Network, a Russian gang that has sold hacking tools and software for accessing U.S. government systems. The group went silent two years ago, but security experts say its alumni have re-emerged in smaller attack groups.
Security officials worry that, beyond stealing money, hackers could try to manipulate or destroy data, wreaking havoc on the banking system. When intruders get into one bank, officials say, they may be able to blaze a trail into others.
Last month, a federal indictment in Atlanta named eight alleged Russian and Eastern European hackers, most still at large, who prosecutors say broke into a U.S. unit of Royal Bank of Scotland in 2008 and stole $9 million from ATMs in 280 cities world-wide in a matter of hours. RBS cooperated with investigators and ensured that its customers were reimbursed.
Losses to online crime of all types exceeded $260 million in the U.S. last year, the FBI estimates. Attacks on corporations are “at an epidemic level,” former White House cyber-security director Melissa Hathaway said recently.
U.S. banks have generally been loath to disclose computer attacks for fear of scaring off customers. In part this is an outgrowth of an experience Citibank had in 1994, when it revealed that a Russian hacker had stolen more than $10 million from customer accounts. Competitors swooped in to try to steal the bank’s largest depositors. Citibank said at the time that it was able to recover most of the money and that the attack didn’t put customer funds at risk.
The new attack targeting Citibank highlights the growing sophistication and threat posed by overseas criminal networks. “There were a couple of days of struggling,” said one person familiar with the attack. “There were some sophisticated elements that made it hard to block.”
Among weapons the hackers used, according to people familiar with the case, was a small army of infected computers commanded by software called Black Energy. Hackers use Black Energy primarily to block access to Web sites by flooding them with traffic from the infected machines, a distributed denial-of-service attack. Somebody used it during Russia’s brief 2008 war with Georgia to shut down Georgian government and bank Web sites. Someone also used it in 2007 to block government and bank Web sites in Estonia and to attack the Web site of a political foe of Vladimir Putin, then Russia’s president and now its prime minister.
Black Energy was written by a Russian hacker who goes by the name Cr4sh, said Joe Stewart, a researcher for SecureWorks, a computer-security company. The software sells online for $40, according to Jose Nazario, a manager at Arbor Networks, which analyzes computer threats.
Black Energy can be upgraded to invade computer systems and snatch data. DigitalStakeout, a firm that monitors cyber attacks, found in April that Black Energy was being used with a tool that steals bank-account log-on information. The combination was being sold online for $700 as a package called the YES Exploit System, said DigitalStakeout’s chief executive, Adam Mikrut.
Over the summer, Mr. Stewart said, he discovered that Cr4sh had developed a new version of Black Energy with an added feature that steals banking credentials. In the Citi attack, the software included a tailor-made feature designed to attack the bank, according to two people familiar with the incursion. The thieves stole a sum estimated in the tens of millions of dollars, according to three people familiar with the matter. The case remains under investigation, and whether any of the money has been recovered couldn’t be learned.
The migration of payments to the Internet, in combination with new bank systems that settle transactions the same day, “has enabled bank heists to occur in seconds from thousands of miles away,” said Tom Kellermann, a former World Bank cyber-security official and now an executive at Core Security Technologies.
Robert Blanchard, co-owner of Bridge Metal Industries, a lighting company in Mount Vernon, N.Y., can attest to that.
At 3 a.m. on July 6, Mr. Blanchard tried to log on to his company’s Citibank account but couldn’t do so with his regular password and token code. He says he called Citibank and was told it would change his password and send him a new one by overnight mail. “I thought at that point I was safe,” he says.
But he still couldn’t get in. By the time he called his local bank branch to sort out the problem, he says, online thieves had sent $1,007,655 to banks in Latvia and Ukraine. “Even the bank can’t act as quickly as these guys,” Mr. Blanchard says.
It isn’t clear whether the incident was part of the larger attack on Citibank.
Investigators discovered that a computer at Mr. Blanchard’s lighting company had been infected by a computer at another company he co-owns. That one then dragooned his lighting-company computer into a botnet, a group of infected computers used to attack others, the same modus operandi as Black Energy’s.
The software loaded on one of Mr. Blanchard’s computers included a spyware program that logged the keystrokes he typed and could capture the data he used to sign on to his bank account, he says. A keystroke logger defeats a token in exactly this way: the one-time code is valid only for a short window, but an attacker watching the keystrokes as they are typed can use it before it expires. He adds that after days of prodding, Citibank sleuths began working to help him recover $810,855 from the Latvian bank, and Citibank then gave him the remainder.
Asked about the Blanchard case, Citigroup said: “While we do not discuss customer details, the individual case described was an isolated incident of fraud. Consistent with legal requirements, our customers are not liable for any unauthorized use of their accounts.”
—David Enrich contributed to this article.