18
May 15

St. Louis Federal Reserve Suffers DNS Breach

The St. Louis Federal Reserve today sent a message to those it serves alerting them that in late April 2015 attackers succeeded in hijacking the domain name servers for the institution. The attack redirected Web searches and queries for those seeking a variety of domains run by the government entity to a Web page set up by the attackers in an apparent bid by cybercrooks to hijack online communications of banks and other entities dealing with the regional Fed office.

fedstlouisThe communique, shared by an anonymous source, was verified as legitimate by a source at another regional Federal Reserve location.

The notice from the St. Louis Fed stated that the “the Federal Reserve Bank of St. Louis has been made aware that on April 24, 2015, computer hackers manipulated routing settings at a domain name service (DNS) vendor used by the St. Louis Fed so that they could automatically redirect some of the Bank’s web traffic that day to rogue webpages they created to simulate the look of the┬áSt. Louis Fed’s research.stlouisfed.org website, including webpages for FRED, FRASER, GeoFRED and ALFRED.”

Requests for comment from the St. Louis Fed so far have gone unreturned. It remains unclear what impact, if any, this event has had on the normal day-to-day operations of hundreds of financial institutions that interact with the regional Fed operator.

The advisory noted that “as is common with these kinds of DNS attacks, users who were redirected to one of these phony websites may have been unknowingly exposed to vulnerabilities that the hackers may have put there, such as phishing, malware and access to user names and passwords.”

The statement continues:

“These risks apply to individuals who attempted to access the St. Louis Fed’s research.stlouisfed.org website on April 24, 2015. If you attempted to log into your user account on that date, it is possible that this malicious group may have accessed your user name and password.

The St. Louis Fed’s website itself was not compromised.

“Out of an abundance of caution, we wanted to alert you to this issue, and also make you aware that the next time you log into your user account, you will be asked to change your password. In addition, in the event that your user name and password are the same or similar as those you use for other websites, we highly recommend that you follow best practices and use a strong, unique and different password for each of your user accounts on the Internet. Click https://research.stlouisfed.org/useraccount/forgotpassword/step1 to change your user account password now.”

According to Wikipedia, the Federal Reserve Economic Data (FRED) is a database maintained by the Research division of the Federal Reserve Bank of St. Louis that has more than 247,000 economic time series from 79 sources. The data can be viewed in graphical and text form or downloaded for import to a database or spreadsheet, and viewed on mobile devices. They cover banking, business/fiscal, consumer price indexes, employment and population, exchange rates, gross domestic product, interest rates, monetary aggregates, producer price indexes, reserves and monetary base, U.S. trade and international transactions, and U.S. financial data.

FRASER stands for the Federal Reserve Archival System for Economic Research, and reportedly contains links to scanned images (PDF format) of historic economic statistical publications, releases, and documents including the annual Economic Report of the President. Coverage starts with the 19th and early 20th century for some economic and banking reports.

According to the Federal Reserve, GeoFred allows authorized users to create, customize, and share geographical maps of data found in FRED.

ALFRED, short for ArchivaL Federal Reserve Economic Data, allows users to retrieve vintage versions of economic data that were available on specific dates in history.

The St. Louis Federal Reserve is one of twelve regional Fed organizations, and serves banks located in the all of Arkansas and portions of six other states: Illinois, Indiana, Kentucky, Mississippi, Missouri and Tennessee. According to the reserve’s Web site, it also serves most of eastern Missouri and southern Illinois.

No information is available at this time about the attackers involved in this intrusion, but given the time lag between this event and today’s disclosure it seems likely that it is related to state-sponsored hacking activity from a foreign adversary. If the DNS compromise also waylaid emails to and from the institution, this could be a much bigger deal. This is likely to be a fast-moving story. More updates as they become available.

Tags: , , , , , ,

44 comments

  1. Invalid Username

    So, this doesn’t affect me? Good.

  2. I received this e-mail from the St. Louis Fed this morning. It is important to note that the e-mail references sites that contain data used by macroeconomists and researchers. There was no indication in the e-mail that any banking transaction information was compromised.

    Having said that, the usual warnings about userids and passwords that are shared apply.

  3. Another Lurker

    It is not clear to me why the hackers were going after those websites. They only disseminate public information and there is literally nothing secret to be found there. A great public service by the Fed, by the way.

    I suspect this is rather a situation of the name registrar getting hacked, or DNS servers getting hacked, and many more sites should have been compromised. The Fed is just the first (or only) one to react.

    • > They only disseminate public information

      There may be value to be gained by manipulating the information in some way, and effectively creating a mass disinformation scheme.

    • Credentials it looks like.

    • This could well be a watering hole attack

      By diverting traffic to an attack site the adversary could do more than simple phishing-esque web form credential capture. The page could host exploit packs that scan the visitor’s browser for exploitable software (outdated browser or flash, silverlight, java, etc. plugins) and deliver attacks to implant malware on the victim’s system

  4. firewall broken

    the routers of the Federal Reserve States are weak to protected against peer to peer attack

  5. Robert Scroggins

    Looks to me like there is a Chinese footprint here. They use “death by a thousand cuts” at affiliates/contractors/etc. to eventually compromise their true target–starting at lower levels.

    Regards,

  6. Another Lurker

    And I should add: I am no banker, but I got the email. These websites have nothing to do with banking operations, so I doubt the emails were sent to district bankers, as stated in your first sentence.

    And Fed staff does not receive email under that domain, as far as I know. Thus email should be safe, too.

  7. The Federal Researve is just a huge government ponzi scheme

  8. “…redirected Web searches and queries for those seeking a variety of domains run by the government entity to a Web page set up by the attackers…”

    The Federal Reserve is not a government entity. Just because the word “federal” is in their name doesn’t make them any more part of the government than Federal Express.

    The domains ARE NOT run by the government. They are .org TLDs.

    As far as the intent of these attacks… I don’t see any reason why anybody would want to, since there is absolutely “nothing” to gain from it, or anything connected to it.

    • columbus_viaLA

      “The Federal Reserve is not a government entity.”

      Seriously?

      Boy, do I have great deals for you on New York bridges and prime Florida swampland!

      “(no) more part of the government than Federal Express.”

      I’d sooner have government by Federal Express than the one we have.

        • columbus_viaLA

          Oh, so the United States Ninth Circus Court of Appeals says otherwise, so that a productive US citizen can be screwed twice–“within the meaning of the Act”–by his government.

          I am soooo refuted!

          Meanwhile, let me know if you are interested in those real estate deals.

          • Exactly. Nobody is going to change any minds, here, though.

            Not interested in owning and more real estate, either. Thanks. I’m still paying rent to the government for what I do own, free and clear, already.

            Sort of like the interest that the Federal government is paying to the Federal Reserve to “borrow” money… it’ll never end.

            • Maybe you should read this:
              http://en.wikipedia.org/wiki/Federal_reserve

              “The U.S. Government receives all of the system’s annual profits, after a statutory dividend of 6% on member banks’ capital investment is paid, and an account surplus is maintained. In 2010, the Federal Reserve made a profit of $82 billion and transferred $79 billion to the U.S. Treasury”

      • its not some sort of crackpot idea, the Fed is owned by banks, and governed by Federal law.

    • You'reNotSoSmart

      The Federal reserve is an independent central bank that is not owned and is non profit. BUT it is overseen by congress and they can change it’s actions and responsibilities.

      It is an independent organization WITHIN the government.

      http://www.federalreserve.gov/

      • columbus_viaLA

        Your brief block of “explanation” contradicts itself so many times, I hardly know where to start. So I won’t bother.

  9. Go to research.stlouisfed.org and register.

    Per St Louis Fed ….
    —————————————————-

    Why Register?

    Subscribe to email notifications for updates to publications and data series.
    Create personalized lists of economic data series.
    Save customized graphs and maps for later use.
    Access the FRED API to integrate data with your favorite software packages.
    —————————————————–
    Sounds pretty bad.

  10. To those of you wondering about the intentions of this cyber attack: When dealing with nation state sponsored actors (hackers for contract), or even foreign military cyber units themselves (although less often), especially those in Asia, we often see rather benign systems like these in St. Louis being targeted simply because the attackers lack specific knowledge regarding our Western society and the entities that make up our local, state, and federal governments.

    Likewise, such benign systems in countries such as Russia, or China, among many others, are also often breached by hackers lacking similar understanding of those countries structures. The “intelligence” or data that is subsequently collected in such breaches, such as user credentials, can be and often are used in other places, or those systems themselves used as staging points to conduct further breaches on different targets.

    Once a system has been “owned”, it becomes an asset to the attacker, much in the same way a physical piece of military equipment can become an asset and used by the opposing forces in the theater of war. That asset can be used for many purposes, often differing from its original function.

  11. Is there an indication of WHEN the Fed discovered the problem? The potential delay in notification may be the biggest problem.

  12. I really don’t think the target of this attack is the Federal Reserve Bank at all. The St. Louis Fed is simply providing a bunch of public, dull, boring data. And who would be interested in this kind of dull boring data? Why the most dull, boring people in the universe: economists. And who do economists work for? In many cases, banks and other financial institutions. Get economists to go to a malicious web site which attempts to install malware, and you have malware running inside of banks and financial institutions. It seems like there would be many bad guys who would give their right arms to pull that off.

    • ^^^^ This. Billy is 100% correct. The Fed was not the target, the people who log in and use the Fed web site were the target.

    • +1 to this.

      The targets are analysts with banks. These analysts probably have access to systems and specific data in the banks that are restricted access; they probably use these systems to work with the data they pull from the reserve bank.

      The ultimate target is information in the banks.

    • Would this be called a watering hole attack or one step towards a spear-phishing attack?

  13. Would DNSSEC have helped?

    • Probably not.

      DNSSEC would protect against a MITM attack against DNS services to you / your ISP.

      Typically, DNS attacks are social engineering attacks against the DNS registrar. I.e. A account takeover.

      In this case, since it was a single subdomain instead of the TLD, it was probably an attack on the St Louis federal reserve computer that manages DNS records. If it had DNSSEC, it would have had the signing keys for DNSSEC, and thus it would have signed the attack.

      • Former DNS guy

        Not necessarily. The DNS servers that are publicly accessible are most likely slaves receiving data, including DNSSEC records from a hidden master. Even if it weren’t, the keys were likely stored off-system so compromising the DNS server wouldn’t allow signing of the modified records.

        • We’re talking about hypothetical cases here. Sure in a perfect world you’d have an offline signing key and be careful about how it was used.

          The group who ran DNS here clearly wasn’t perfect.

          Assuming they rooted the right computer, they’d probably have been able to do such an attack even with a fairly good implementation of DNSSEC, it would just have taken longer and more steps. (Specifically compromise credentials and spearfish until they get credentials for the box where DNSSEC signing is done, and then Trojan the DNSSEC tools so they generate display output that doesn’t match the signed output, or generate two signed zones, the one being requested, and the evil drop in one, and then exfiltrate the evil signed one and push it to the compromised DNS server.

          These attacks are being carried out by persistent and patient attackers, willing to go through many steps to accomplish their goals.

      • DNSSEC would protect against this if your ISP has DNSSEC-enabled resolvers. Those resolvers in this case would not be able to verify the signatures on the zone and not accept them. The result would be a “domain name does not exist” in your browser – which is better than being redirected to a fake server waiting to capture credentials and/or serve malware.

        DNSSEC would not protect against this from your ISP to your system, unless you run your own local DNS caching servers which are DNSSEC-enabled.

  14. that a DNS attack can occur simply highlights the fundamental problems in SSL/TLS authentication: as you have not authenticated and signed any of your x.509 certificates you have no idea who you are talking to after you connect

    “CA Authorities” have been compromised in the past; worse, most of us have no record of what is supposed to be on a certificate — even if we take the trouble to display it .

  15. This proves hackers are running out of places to hack.

  16. Agree with Robert Scroggins, Billy and Jeff L. The REAL target of this attack was NOT the St.L. Federal Reserve website, but rather the high-rollers who VISIT said website. IOW, a fairly typical “watering hole” attack, to use the vernacular.

    Several posters here don’t seem to get it. Hopefully, NONE of you are working in IT security. If you are, then it’s high time either to start learning to think like your adversaries, or to get into a different line of business altogether.

  17. I’m a little confused. Who is this DNS vendor they used? Are there more websites potentially vulnerable to redirection or mitm attacks? or was this a St Louis fed bank machine that was compromised or a server with only their domains?

    • I’m not sure who their DNS vendor was at the time of attack but currently their DNS zone files are being served by Amazon’s AWS.

      Based on the explanation given it would appear that once the credentials for the account located within the DNS vendor were compromised the attackers altered those DNS records to send legitimate users accessing research.stlouisfed.org to a phishing site, likely one nearly identical to the original site, with the exception that this new site was passing the entered credentials on to the attackers. Not a very unique scenario by any means.

      With that said, the initial intent of this stage of the attack was obviously to gain access to legitimate user credentials for research.stlouisfed.org. What the subsequent purpose of obtaining those credentials was we can only speculate. It could have been a common case of someone having breached the technicians computer who was responsible for maintaining domain/DNS records, and the attacker decided to simply see how far they could go and what they could get. Or, it could have been much more targeted as several of us already stated above.

  18. Now we know where Krugman gets the data for the charts on his blog which are labeled FRED at the top.

  19. They possibly *altered* which name servers are used at the registry, because they attacked ENOM (domain registrar) – which means the DNS itself wasn’t compromised, the domain was.