Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


04:39 PM
Connect Directly

Report: FBI Probes Citigroup Breach

Federal officials say they are investigating loss of tens of millions of dollars; Citigroup says there was no breach or loss

Citigroup reportedly was hit by a major breach with ties to a Russian cybercriminal organization, but the financial institution denies any breach or monetary losses.

A Wall Street Journal article today reported the FBI was investigating the loss of tens of millions of dollars in a breach that may have spanned several months to a year. Sources in the article said the attack may have ties to the infamous Russian Business Network, which all but disappeared from the radar screen during the past couple of years.

But Citigroup, whose Citibank subsidiary was the victim of the attack, says the attack didn't happen, nor is there any FBI investigation. Joe Petro, managing director of Citigroup's security and investigative services, told the Journal: "We had no breach of the system and there were no losses, no customer losses, no bank losses."

It's unclear just how the attackers may have gotten access to Citibank's systems, but the report says the attackers used the so-called Black Energy botnet as one weapon. The Black Energy malware can be used to break into a system and steal data.

Michael Graven, a director at Mandiant, says the attack on Citigroup appears to be consistent with the attacks his firm has seen with Eastern European gangs during the years. "These [sophisticated] intruders understand their target, how it does business, and how its business systems are organized," Graven says.

"In banking, they understand how a banking system works, the ATM infrastructure, and how money moves through their target so they can get at it. They are hackers and they are bank thieves."

Meanwhile, security experts say the discrepancy between the report and Citibank's denial raises other questions.

"I understand why Citigroup doesn't want to talk about cyber security. Back in 2007 and 2008, their systems were tied to a major ATM heist connected with a Website breach at 7-Eleven convenience stores. Given the economic fallout from those events, it's no surprise they are going to be extremely cautious about anything to do with security," said Andrew Storms, director of security operations for nCircle, in a statement. "Still, this whole story smells pretty funny. Citigroup denies all allegations of a breach but the FBI won't comment? That's a pretty glaring inconsistency."

The federal government holds a 27 percent stake in Citigroup, which has more then $45 billion in TARP funds, Storms pointed out. "Given that the federal government is one of Citi's largest shareholders with a 27 percent stake, and that Citi still has over $45 billion in TARP funds, you have to wonder if there isn't some other triage being done here that has more to do with Citi's battered stock price than fair disclosure," he says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
The Mainframe Is Seeing a Resurgence. Is Security Keeping Pace?
Ray Overby, Co-Founder & President at Key Resources, Inc.,  8/15/2019
GitHub Named in Capital One Breach Lawsuit
Dark Reading Staff 8/14/2019
The Flaw in Vulnerability Management: It's Time to Get Real
Jim Souders, Chief Executive Officer at Adaptiva,  8/15/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-08-21
An issue was discovered in Freeware Advanced Audio Decoder 2 (FAAD2) 2.8.8. The faad_resetbits function in libfaad/bits.c is affected by a buffer overflow vulnerability. The number of bits to be read is determined by ld->buffer_size - words*4, cast to uint32. If ld->buffer_size - words*4 is ne...
PUBLISHED: 2019-08-21
An issue was discovered in the Linux kernel before 5.0.9. There is a use-after-free in atalk_proc_exit, related to net/appletalk/atalk_proc.c, net/appletalk/ddp.c, and net/appletalk/sysctl_net_atalk.c.
PUBLISHED: 2019-08-21
An issue was discovered in ACDSee Photo Studio Standard 22.1 Build 1159. There is a User Mode Write AV starting at IDE_ACDStd!IEP_ShowPlugInDialog+0x000000000023d060.
PUBLISHED: 2019-08-20
An exploitable information disclosure vulnerability exists in the Weave Legacy Pairing functionality of Nest Cam IQ Indoor version 4620002. A set of specially crafted weave packets can cause an out of bounds read, resulting in information disclosure. An attacker can send packets to trigger this vuln...
PUBLISHED: 2019-08-20
An exploitable information disclosure vulnerability exists in the Weave PASE pairing functionality of the Nest Cam IQ Indoor, version 4620002. A set of specially crafted weave packets can brute force a pairing code, resulting in greater Weave access and potentially full device control. An attacker c...