Slashdot Mirror


Citibank Denies Reported Breach Linked To Russian Gang

alphadogg writes "US authorities are investigating the theft of an estimated tens of millions of dollars from Citibank by criminals using Russian software tailored for the attack, according to the Wall Street Journal (subscription required to access that link — CNET's coverage here). The security breach at the major US bank was detected mid-year based on traffic from Internet addresses formerly used by the Russian Business Network gang, the WSJ reported today, citing unnamed government sources. The Russian Business Network is a well-known group linked to malicious software, hacking, child pornography, and spam. The FBI is probing the case, the report said. It was not known whether the money had been recovered and a Citibank representative said the company denied any system breach or losses, according to the report."

53 comments

  1. Paywalls suck by TSHTF · · Score: 5, Informative

    Article is behind a paywall. Search for it with Google News, and the WSJ will let you read it all.

    1. Re:Paywalls suck by DarkTempes · · Score: 2, Informative

      Looks like it checks for a Referer: with http:// and google anywhere in the domain name as long as it's before another forward slash. Referer: http://notgoogle.com and http://not.comgoogle works but http://not.com/google doesn't.

      Anyway, for those of us who disable referers from headers the google news method won't work either ;)
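Added example (not part of the comment above, and not the site's actual code): a reconstruction of the loose Referer match the comment describes, next to a check that parses the URL and compares the exact host. The regex, function names, allow-list hosts and sample values are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumed reconstruction of the behaviour reported in the comment:
# "http://", then "google" anywhere before the next forward slash.
LOOSE_PATTERN = re.compile(r"^http://[^/]*google")

# Hypothetical allow-list of exact referring hosts.
ALLOWED_HOSTS = {"news.google.com", "www.google.com"}


def loose_referer_ok(referer):
    """Substring-style match on the authority part, as the comment describes."""
    return bool(LOOSE_PATTERN.search(referer or ""))


def strict_referer_ok(referer):
    """Parse the URL and compare the exact hostname against the allow-list.

    Referer is a client-supplied header, so this only tightens the match;
    it is not authentication and cannot prove where a request came from.
    """
    try:
        parts = urlsplit(referer or "")
        host = parts.hostname
    except ValueError:  # malformed authority, e.g. an unclosed IPv6 bracket
        return False
    if parts.scheme not in ("http", "https") or host is None:
        return False
    return host.lower().rstrip(".") in ALLOWED_HOSTS


def mismatches(samples):
    """Return the values the loose check accepts but the strict one rejects."""
    return [r for r in samples
            if loose_referer_ok(r) and not strict_referer_ok(r)]


# Constructed sample values; the last three are the ones quoted in the comment.
SAMPLES = [
    "http://news.google.com/news?q=citibank",
    "http://notgoogle.com",
    "http://not.comgoogle",
    "http://not.com/google",
]

if __name__ == "__main__":
    for ref in SAMPLES:
        print(f"{ref!r:45} loose={loose_referer_ok(ref)!s:5} "
              f"strict={strict_referer_ok(ref)}")
    print("accepted only by the loose check:", mismatches(SAMPLES))
```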

  2. WSJ article was misleading by plover · · Score: 5, Insightful

    The reporter was trying to link a bunch of separate things together.

    1. Black Energy conducted a DDoS against Citibank, but did not steal tens of millions of dollars from them.

    2. Last year, Citi lost tens of millions of dollars from skimmers attached to ATMs.

    3. The hacker Cr4sh is the author of Black Energy, but there is no evidence he was involved in the attack on Citi.

    There is nothing relating these three incidents other than the wishes of an aggressive reporter wanting to build some kind of story against Citi; *perhaps* he's trying to pump up a case to make it appear they are risking bailout money. But at least when I type this kind of crap I'm labeling it for what it is: PURE SPECULATION.

    --
    John
    1. Re:WSJ article was misleading by Anonymous Coward · · Score: 5, Insightful

      The thing the banks really don't talk about is that losses from in-house embezzlers far exceed losses from outside agents. And of course we won't speak of the enormous losses caused by management greed and stupidity.

    2. Re:WSJ article was misleading by Alwin+Henseler · · Score: 4, Insightful

      2. Last year, Citi lost tens of millions of dollars from skimmers attached to ATMs.

      2. Last year, Citi *customers* lost tens of millions of dollars from skimmers attached to ATMs.

      (emphasis mine)
      Not individually, but as a group customers always pay the bill for incompetent management / inadequate security.

    3. Re:WSJ article was misleading by Pinky's+Brain · · Score: 2, Insightful

      How exactly would it recoup its losses from customers? By lowering its interest rates? If it could increase profits by doing that they would already have done so.

      Directly only the investors lose out.

    4. Re:WSJ article was misleading by plover · · Score: 2, Insightful

      The thing the banks really don't talk about is that losses from in-house embezzlers far exceed losses from outside agents.

      Really? Have you recent facts to back that claim up? It may have been true in the 1950s, but is it still true in today's world, where a hacker can gain essentially "insider" authority?

      And of course we won't speak of the enormous losses caused by management greed and stupidity.

      There's an assertion I don't have to ask you to back up, as it's been pretty well covered in the press. But there's a lot of greed and stupidity going around, and some of it comes from the shareholders, Congress, lawyers, etc. It's not just limited to management.

      --
      John
    5. Re:WSJ article was misleading by el_tedward · · Score: 1

      Verizon publishes a really interesting (downloads pdf) study on breaches every so often. While things are probably much different when it comes to actual banks, it mentions that 80% or so of the 'data' lost in breaches is actually coming from outsiders nowadays.

      Insiders still have the largest breaches, but the sheer number of outside breaches are dominating the current trends.

    6. Re:WSJ article was misleading by FooAtWFU · · Score: 2, Insightful
      For the bigwigs: Why embezzle when you can go legit and get the board to pay you snazzy seven-figure bonuses for your continued, valuable contributions to the company's bottom line? I don't think taking that sort of a gamble is consistent with your probable risk profile. Maybe if you're Bernie Madoff and your firm has lost a ton of money and are too attached to your career and terrified of professional embarrassment or something, but even that's more outright fraud than embezzlement.

      For the medium-wigs: Just how much do you think you could get away with embezzling? You probably don't have *that* great of access to funds. And do you really think the bigwigs don't have people watching you pretty carefully when you're trying to make off with company money?

      For the not-so-big-wigs: Do you even have access to embezzling money?

      --
      The World Wide Web is dying. Soon, we shall have only the Internet.
    7. Re:WSJ article was misleading by oasisbob · · Score: 1

      Really? Have you recent facts to back that claim up? It may have been true in the 1950s, but is it still true in today's world, where a hacker can gain essentially "insider" authority?

      It's true, and still truer than ever. Insider losses are on the rise,

      The difference between insider attacks and outsider attacks are much different than what an outsider obtains through cracking and privilege escalation. Just because you own a system (or all of them), doesn't mean you can do what an insider can.

      An insider attack at a financial institution normally involves a misuse of funds, embezzlement, unauthorized wire activity, etc. The attacks are stealthy. A bank keeps their finances through hundreds of ledger accounts, and rely on internal controls to keep everything straight. As anyone who works inside an organization knows, it's this insider knowledge which allows cracks in the internal controls to be found. Find the cracks and a way to manipulate the money's path through ledger accounts, and insider attacks become complex (and maybe hard to find) very quickly.

      Hell, (I wish I could find a link), an employee at an institution was caught selling fake investments recently. They would sell the phony securities to other institutions (in their employer's name), and embezzle that money that came in. It went on for a while: That's what an insider can do.

      This is why bank employees/officers need to take mandatory uninterrupted vacations: if you're gone for two weeks, you can't keep your thumb on the scale anymore.

      Insider attacks are much different than outsider attacks.

    8. Re:WSJ article was misleading by Anonymous Coward · · Score: 1, Interesting

      Oh really? Then why did Citibank issue me a replacement card with a completely new number in August?

      * Posted Anonymously on purpose.

    9. Re:WSJ article was misleading by hesaigo999ca · · Score: 1

      I think he meant they raise the service prices to cover the difference per transaction, so instead of costing you 1.50$ each time you use your card to access your own money, they now charge you 1.75$
      Pretty simple really.

  3. In other news... by tyroneking · · Score: 4, Interesting

    ... the US and UK public are asking for an investigation into the apparent transfer of billions of dollars of public money to major banks. No-one is probing the case and yet the govt and banks are not denying any breach of the political and economic systems.

  4. Citibank != Russian Gang ? by PolygamousRanchKid+ · · Score: 4, Interesting

    I honestly thought they were one and the same.

    Maybe someone can enumerate for me, the differences between Citibank and a Russian Gang . . .

    Rips off governments for millions . . . check

    Rips off people for millions . . . check

    --
    Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
    1. Re:Citibank != Russian Gang ? by _merlin · · Score: 2, Insightful

      Speak with awesome hardarse Russian gangster accents ... fail

    2. Re:Citibank != Russian Gang ? by lorenlal · · Score: 1
    3. Re:Citibank != Russian Gang ? by Anonymous Coward · · Score: 0

      You can bargain with a russian gang...

  5. Drop in the bucket by FrameRotBlues · · Score: 1

    This site says Citigroup received 50 billion from the Fed. The little bit that was stolen is just a drop in the bucket. Dillinger probably did better percentage-wise in the 1930's with a gun and some balls.

  6. Uhm,,hello? Mc Fly? by Anonymous Coward · · Score: 0

    If as Citibank claims "no losses happened" then how come there was 'tens of millions of dollars' missing? What am I missing here?

    1. Re:Uhm,,hello? Mc Fly? by lorenlal · · Score: 1

      That's rounding error from the whole fallout from those silly little "off-balance-sheet" activities they were running with up until about a year ago. I mean, you can only get *so* accurate when dealing with numbers like those.

    2. Re:Uhm,,hello? Mc Fly? by JackieBrown · · Score: 1

      They probably missed a decimal point. I hear that type of error is common.

  7. Use the chinese software instead by MichaelSmith · · Score: 2, Informative

    The Kuang Grade Mark Eleven Penetration Program is the way to go. But you need a live person at the controls. Not a flatline, because Neuromancer knows his every move in advance.

    1. Re:Use the chinese software instead by Gilmoure · · Score: 2, Informative

      Yeah, but not if you're running it on an Ono-Sendai 6 with just tactile feed back. You need full immersion to do it right.

      --
      I drank what? -- Socrates
  8. Cash loss is better than trust lost by assemblerex · · Score: 5, Insightful

    Cash is replenishable, trust is not as it has to be earned.

  9. No audits, please! by Anonymous Coward · · Score: 1, Interesting

    Admitting to the theft would probably trigger in-depth audits and increased scrutiny of Citibank operations. THAT might be very, very bad for Citibank.

    Let's just handle it on a modified mark-to-market basis. The money used to be here, and if it was still here we wouldn't have lost anything.

    If you prefer QM, think of it as Schrödinger's cat - of course, he's still alive - no need to look in that box.

    It ain't funny, McGee!

    1. Re:No audits, please! by Sulphur · · Score: 1

      The momentum and position of the bucks cannot be known simultaneously to any useful precision. Heisenberg

      I for one welcome our new Quantum Economical overlords.

  10. Denial seems to be in this year by HangingChad · · Score: 2, Insightful

    Citibank representative said the company denied any system breach or losses, according to the report.

    My web host provider *cough*inmotion*cough* got hacked a couple months ago and they denied it across the board, tried to turn it back on the users by claiming all the accesses were routine FTP connections.

    Makes me wonder if denial is the new trend?

    --
    That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
    1. Re:Denial seems to be in this year by Anonymous Coward · · Score: 0

      Not new. See Genesis 3:12.

    2. Re:Denial seems to be in this year by hesaigo999ca · · Score: 1

      Best way to deal with this, is host your own site.

  11. Great points, plover! by sgt_doom · · Score: 4, Informative

    And speaking of PURE SPECULATION, which is what Citi does through its energy/oil speculating subsidiary, Phibro, everyone knows Citi pissed away all their money by their purchase of all those credit default swaps and other categories of credit derivatives; thereby giving those enormous fortunes to the Robert Rubin family (and the others who are now members of the George W. Obama Administration.....)

  12. Wall Street Journal - lousy reporting at its best by securaty · · Score: 3, Informative

    I read WSJ article and I had to chuckle. What a poor excuse for a story. It doesn't sound like anyone targeted Citibank. They are one of dozens of other banks who were victimized by a gang of Ukrainian (NOT Russian) criminals. As far as I know, hundreds of small and medium businesses have been vandalized by the same gang on individuals targeting individual systems with malware. Brian Krebs from Washington Post covered this months ago. WSJ story is a bad knock off without facts and originality.

  13. Re:Wall Street Journal - lousy reporting at its be by Jeremy+Erwin · · Score: 2, Informative

    Brian Krebs from Washington Post covered this months ago
    On slashdot, it's considered polite to use the anchor tag.

  14. Can the FBI/CIA actually do anything about it? by HockeyPuck · · Score: 3, Interesting

    Let's say it actually was a "Russian Gang" operating out of say, Russia. What can US Gov't agencies do against this? Can they do anything within the law besides call up Russia and tell them to 'take care of it.' It's not like we can drop commandos into Russia and go after them, nor can we launch electronic attacks on this gang (act of futility).

    According to the US Constitution, Section 8, Congress has the power to provide for the common Defense and general Welfare of the United States.

    I see this type of activity as an attack, just because it's two private entities, this IMHO is no different than if SAP tried to hack into Oracle.

    Hey Fed, I'm sick of US companies wasting time, money and effort to deal with these people bent on conducting electronic warfare.

    As a side note, I wonder how much $$ is wasted in terms of extra capacity (servers, network, CPU, power) is needed by US companies to deal with all this BS (spam, people hacking in etc..) floating around the internet.

    I once heard a presentation by a guy at Yahoo who managed a few of their datacenters. When asked about how they deal with DOS attacks his response was that they had more computing capacity than the internet could deliver to them, so they just absorb whatever attacks are sent their way.

    1. Re:Can the FBI/CIA actually do anything about it? by Anonymous Coward · · Score: 0

      I don't think there's really all that much more for the FBI/CIA to do than anyone else who is trying to defend a network. Of course, they're going to have more resources than most people, and they actually have the diplomatic ties to call whatever justice system there is in Russia that might consider going after these guys. But, when it comes to aggressively going after people like those in the RBN, there also comes along the whole bureaucratic mess of trying to play nice with the laws of a country who you're apparently playing hackedy hack-back with anyways.

      The best thing for the feds to be doing is to work with the banks and other critical systems & infrastructure so they can build and maintain "secure" networks. People like those at the NSA are going to have the most expertise with this.. they're the "state sponsored" l33t hacker guys, and they are the ones who better be doing their best to be working with our country's most important networks.

    2. Re:Can the FBI/CIA actually do anything about it? by duck99 · · Score: 1

      wow @yahoo thats epic

    3. Re:Can the FBI/CIA actually do anything about it? by Anonymous Coward · · Score: 0

      This of course would be the usual security afterthought and not functional until after DDOS'd by Mafiaboy right?

    4. Re:Can the FBI/CIA actually do anything about it? by witherstaff · · Score: 2, Insightful

      Since when has congress cared about that old thing called the constitution? It sure hasn't stopped them with health care "reform".

    5. Re:Can the FBI/CIA actually do anything about it? by JackieBrown · · Score: 1

      they actually have the diplomatic ties to call whatever justice system there is in Russia that might consider going after these guys

      There is a justice system in Russia?

  15. In related news... by straponego · · Score: 1

    Last year Citi sent me a new card, because they said they'd lost three million credit card numbers to thieves. Well, they claimed it was a merchant, but since they wouldn't reveal who it was so that I could cease doing business with them, clearly Citibank is assuming full responsibility.

  16. How do these attacks work? by beachdog · · Score: 2, Interesting

    So what is the attack system used to get "tens of millions of dollars"?

    Do they collect 10,000 user names and passwords from personal computer users?

    Do they somehow take over a merchant deposit account and transfer funds out of it?

    Do they emulate a bank-to-bank transaction and modify the bank-to-bank back end transaction?

    1. Re:How do these attacks work? by psithurism · · Score: 1

      So what is the attack system used to get "tens of millions of dollars"?

      The article ties together many attacks.

      Do they collect 10,000 user names and passwords from personal computer users?

      One of the attacks was (skimming atm cards)

      Do they somehow take over a merchant deposit account and transfer funds out of it?

      One was, by apparently key logging.

      Do they emulate a bank-to-bank transaction and modify the bank-to-bank back end transaction?

      Maybe, doesn't seem to be reported in the article.

      I was gonna say something witty about RTFA but I find getting my questions out of commentators is easier as well.

  17. Re:WSJ article was misleading (Flavour mix) by Storchei · · Score: 1
    http://online.wsj.com/article/SB126145280820801177.html
    They wouldn't find an elephant in a two-meter square room.
    It seems they're hiding info, self interests implicated maybe?

    Joe Petro, managing director of Citigroup's Security and Investigative services, said, "We had no breach of the system and there were no losses, no customer losses, no bank losses."

    Apparently those tens of millions of dollars would have been on holiday somewhere around Cayman Islands, hehehe!

    On the other hand, I've found no mention in WSJ article to child pornography. Where did that come from? It only rests to say these thieves are terrorists and are supposed to be linked to al-qaeda.

    Losses to online crime of all types exceeded $260 million in the U.S. last year, the FBI estimates.

    At least is much less than the amount that was paid to rescue US banks during the last crisis by US people.

  18. Obligatory by Anonymous Coward · · Score: 1, Funny

    "Not just another security collapse...

    It's Citibank security collapse."

  19. What a kewl way to embezzle! by ibsteve2u · · Score: 1

    The Russians did it! The Russians did it!

    --
    Orwell: "In a Time of Universal Deceit, telling the Truth is a Revolutionary Act"
  20. Re:Paywalls suck (READ IT HERE FREE!) by Anonymous Coward · · Score: 0

    The Federal Bureau of Investigation is probing a computer-security breach targeting Citigroup Inc. that resulted in a theft of tens of millions of dollars by computer hackers who appear linked to a Russian cyber gang, according to government officials.

    The attack took aim at Citigroup's Citibank subsidiary, which includes its North American retail bank and other businesses. It couldn't be learned whether the thieves gained access to Citibank's systems directly or through third parties.

    The attack underscores the blurring of lines between criminal and national-security threats in cyber space. Hackers also assaulted two other entities, at least one of them a U.S. government agency, said people familiar with the attack on Citibank.

    The Citibank attack was detected over the summer, but investigators are looking into the possibility the attack may have occurred months or even a year earlier. The FBI and the National Security Agency, along with the Department of Homeland Security and Citigroup, swapped information to counter the attack, according to a person familiar with the case. Press offices of the federal agencies declined to comment.

    Joe Petro, managing director of Citigroup's Security and Investigative services, said, "We had no breach of the system and there were no losses, no customer losses, no bank losses." He added later: "Any allegation that the FBI is working a case at Citigroup involving tens of millions of losses is just not true."

    Citigroup is currently 27%-owned by the federal government.

    The threat was initially detected by U.S. investigators who saw suspicious traffic coming from Internet addresses that had been used by the Russian Business Network, a Russian gang that has sold hacking tools and software for accessing U.S. government systems. The group went silent two years ago, but security experts say its alumni have re-emerged in smaller attack groups.

    Security officials worry that, beyond stealing money, hackers could try to manipulate or destroy data, wreaking havoc on the banking system. When intruders get into one bank, officials say, they may be able to blaze a trail into others.

    Last month, a federal indictment in Atlanta named eight alleged Russian and Eastern European hackers, most still at large, who prosecutors say broke into a U.S. unit of Royal Bank of Scotland in 2008 and stole $9 million from ATMs in 280 cities world-wide in a matter of hours. RBS cooperated with investigators and ensured that its customers were reimbursed.

    Losses to online crime of all types exceeded $260 million in the U.S. last year, the FBI estimates. Attacks on corporations are "at an epidemic level," former White House cyber-security director Melissa Hathaway said recently.

    U.S. banks have generally been loath to disclose computer attacks for fear of scaring off customers. In part this is an outgrowth of an experience Citibank had in 1994, when it revealed that a Russian hacker had stolen more than $10 million from customer accounts. Competitors swooped in to try to steal the bank's largest depositors. Citibank said at the time that it was able to recover most of the money and that the attack didn't put customer funds at risk.

    The new attack targeting Citibank highlights the growing sophistication and threat posed by overseas criminal networks. "There were a couple of days of struggling," said one person familiar with the attack. "There were some sophisticated elements that made it hard to block."

    Among weapons the hackers used, according to people familiar with the case, was a small army of infected computers commanded by software called Black Energy. Hackers use Black Energy primarily to block access to Web sites. Somebody used it during Russia's brief 2008 war with Georgia to shut down Georgian government and bank Web sites. Someone also used it in 2007 to block government and bank Web sites in Estonia and to attack the Web site of a political foe of Vladimir Putin, then Russia's president and now its prime minister.

    Black Energy was w

  21. Gotta love the doublespeak by Weaselmancer · · Score: 3, Funny

    The FBI is probing the case, the report said. It was not known whether the money had been recovered and a Citibank representative said the company denied any system breach or losses, according to the report.

    There was no system breach! And the money was probably recovered anyways!

    --
    Weaselmancer
    rediculous.
  22. Story smells of Occult practices by j0ebaker · · Score: 1

    I find it interesting that the attribute 5 things to this "Russian"
    business network.

    5 is an occult power number for encumbering the help of Gnosticism's 5
    dark evil demi-urges that are accredited with creating this world.

    The bankers are masters of deception and occult hand waving. Who else
    could conjure up money out of thin air for you to buy your house with
    and then enslave you to pay the sum back times 3? May the bankers be
    fully exposed and bear the shame and may they seek our forgiveness on
    their knees. May we never, ever be deceived financially by the
    Knights of Malta, the Masons, The Catholic Church or any other secret
    society / religion which seeks to control our minds with occult
    practices to enslave us.

    Ah, that felt good to get off my chest.

    - -Joey

  23. Bloody Wan err Bankers by Anonymous Coward · · Score: 0

    1)No breach? Like they'd tell us the truth anyways
    2) Cause Chaos in the banking system? - they can do that perfectly well themselves.
    3) No money lost? well you managed to lose over 60 billion alone last year so forgive me if I don't trust your record so far.
    4) ?

    5) Profit - claim the insurance for the stolen funds from the Government.

  24. Re:interesting.... by Anonymous Coward · · Score: 0

    What's wrong with rabbit pellets?