The St. Louis Federal Reserve today sent a message to those it serves alerting them that in late April 2015 attackers succeeded in hijacking the domain name servers for the institution. The attack redirected Web searches and queries for those seeking a variety of domains run by the government entity to a Web page set up by the attackers in an apparent bid by cybercrooks to hijack online communications of banks and other entities dealing with the regional Fed office.
The notice from the St. Louis Fed stated that the “the Federal Reserve Bank of St. Louis has been made aware that on April 24, 2015, computer hackers manipulated routing settings at a domain name service (DNS) vendor used by the St. Louis Fed so that they could automatically redirect some of the Bank’s web traffic that day to rogue webpages they created to simulate the look of the St. Louis Fed’s research.stlouisfed.org website, including webpages for FRED, FRASER, GeoFRED and ALFRED.”
Requests for comment from the St. Louis Fed so far have gone unreturned. It remains unclear what impact, if any, this event has had on the normal day-to-day operations of hundreds of financial institutions that interact with the regional Fed operator.
The advisory noted that “as is common with these kinds of DNS attacks, users who were redirected to one of these phony websites may have been unknowingly exposed to vulnerabilities that the hackers may have put there, such as phishing, malware and access to user names and passwords.”
The statement continues:
“These risks apply to individuals who attempted to access the St. Louis Fed’s research.stlouisfed.org website on April 24, 2015. If you attempted to log into your user account on that date, it is possible that this malicious group may have accessed your user name and password.
The St. Louis Fed’s website itself was not compromised.
“Out of an abundance of caution, we wanted to alert you to this issue, and also make you aware that the next time you log into your user account, you will be asked to change your password. In addition, in the event that your user name and password are the same or similar as those you use for other websites, we highly recommend that you follow best practices and use a strong, unique and different password for each of your user accounts on the Internet. Click https://research.stlouisfed.org/useraccount/forgotpassword/step1 to change your user account password now.”
According to Wikipedia, the Federal Reserve Economic Data (FRED) is a database maintained by the Research division of the Federal Reserve Bank of St. Louis that has more than 247,000 economic time series from 79 sources. The data can be viewed in graphical and text form or downloaded for import to a database or spreadsheet, and viewed on mobile devices. They cover banking, business/fiscal, consumer price indexes, employment and population, exchange rates, gross domestic product, interest rates, monetary aggregates, producer price indexes, reserves and monetary base, U.S. trade and international transactions, and U.S. financial data.
FRASER stands for the Federal Reserve Archival System for Economic Research, and reportedly contains links to scanned images (PDF format) of historic economic statistical publications, releases, and documents including the annual Economic Report of the President. Coverage starts with the 19th and early 20th century for some economic and banking reports.
According to the Federal Reserve, GeoFred allows authorized users to create, customize, and share geographical maps of data found in FRED.
ALFRED, short for ArchivaL Federal Reserve Economic Data, allows users to retrieve vintage versions of economic data that were available on specific dates in history.
The St. Louis Federal Reserve is one of twelve regional Fed organizations, and serves banks located in the all of Arkansas and portions of six other states: Illinois, Indiana, Kentucky, Mississippi, Missouri and Tennessee. According to the reserve’s Web site, it also serves most of eastern Missouri and southern Illinois.
No information is available at this time about the attackers involved in this intrusion, but given the time lag between this event and today’s disclosure it seems likely that it is related to state-sponsored hacking activity from a foreign adversary. If the DNS compromise also waylaid emails to and from the institution, this could be a much bigger deal. This is likely to be a fast-moving story. More updates as they become available.