Anonymous Hacks the Federal Reserve
The Federal Reserve admitted Tuesday that it was hacked Sunday following claims from hacktivist group Anonymous that it had successfully breached the Fed’s security systems.
Hackers accessed a Fed internal server and broke into the database of the St. Louis Fed Emergency Communications System (ECS), which delivers important messages to banks during natural disasters.
“The Federal Reserve system is aware that information was obtained by exploiting a temporary vulnerability in a website vendor product,” a Fed spokeswoman told Reuters. “Exposure was fixed shortly after discovery and is no longer an issue. This incident did not affect critical operations of the Federal Reserve system.”
The Fed notified affected users with a letter later obtained by ZDNet and Reuters. In the letter, the Fed acknowledges the attack and identifies the types of sensitive information obtained, but it claims passwords were not compromised, even though hashed passwords can potentially be cracked. As a precautionary measure, every member’s password has been reset.
The first reports of a possible attack started circulating on Sunday after the hacktivist group Anonymous claimed it had hacked a website connected to the Fed. It later posted online the names and private information of more than 4,000 U.S. bankers, as first reported by ZDNet.
The Fed did not confirm the identity of the hackers.
Anonymous’ claimed attack is the latest from the so-called Operation Last Resort, a campaign the group launched to avenge Aaron Swartz’s death.
Anonymous posted the information it claimed to have obtained from the Fed on a separate government website and on Pastebin. The spreadsheet contained usernames, IP addresses, names, emails, phone numbers and hashed passwords of bankers who had shared their contact information with the ECS.
According to a security and privacy expert, the risk now is that malicious hackers will use the private information dumped on the Internet to orchestrate social engineering attacks or targeted phishing emails, tricking the targets into submitting even more personal and sensitive information.
“Having identity and contact information for bank executives allows an attacker to craft targeted phishing campaigns for these individuals,” explains Ashkan Soltani in an email. “Ultimately, the weakest link in security are humans. ‘Social engineering’ is typically much easier than trying to attack a bank from the outside. A ‘forged’ email from a service you use that contains your home address or contact information would be slightly more credible than a generic one since it contains what you perceive as ‘private information’ that only a trusted party would have (exploiting your social ties).”
Anonymous has made threats to the Federal Reserve before, in 2011, demanding that Federal Reserve Chairman Ben Bernanke resign.