Chinese Hacks on FDIC Covered Up by CIO

Threat actors believed to be from China breached the systems of the U.S. Federal Deposit Insurance Corporation (FDIC), but the agency’s chief information officer attempted to cover up the incident, according to a report published this week by the House of Representatives Science, Space and Technology Committee.

The report revealed that a threat group presumably sponsored by the Chinese government breached FDIC systems in 2010, 2011 and 2013. The attackers managed to plant malware on 12 workstations and 10 servers belonging to the banking regulator, including computers used by the chairman, chief of staff and general counsel.

According to the report, Russ Pittman, who was the FDIC’s CIO at the time, had instructed employees not to discuss or proliferate information about the attack to avoid jeopardizing the confirmation of Martin Gruenberg in the position of FDIC chairman.

U.S. officials have often pointed the finger at China for attacks on government agencies. Security firm FireEye reported last month that the volume of Chinese cyberespionage operations has dropped over the past months. While their volume has decreased significantly, experts say such campaigns are still being conducted, but they have become more focused and calculated.

As for the FDIC, Pittman is not the only CIO accused of wrongdoing. The agency’s current CIO, Lawrence Gross, has been called out for failing to notify Congress of major incidents (i.e. incidents involving more than 10,000 records).

There had been several cases in late 2015 and early 2016 where former FDIC employees copied sensitive information for tens of thousands of individuals, but the incidents were not reported to Congress in a timely manner. Gross, who took the position of CIO in November 2015, “created a toxic work environment” and “retaliated against whistleblowers,” the Science, Space and Technology Committee noted in its report.

In one example provided by the committee, a former FDIC employee in Florida copied over 100,000 files on a portable storage unit before leaving the organization. The FDIC reported that the employee had copied personal information records belonging to over 10,000 individuals, but the incident actually affected more than 71,000 individuals, banks and other entities.

The agency and its CIO attempted to downplay the extent of the incident until the FDIC Office of Inspector General (OIG) conducted an investigation and prompted the organization to report the breach to Congress. Furthermore, Gross reportedly removed a CISO who disagreed with him about whether the Florida incident should have been reported to Congress. Gross’ ability to serve as CIO of FDIC is now being brought into question.

"The FDIC's repeated unwillingness to be open and transparent with the committee's investigation raises serious concerns about whether the agency is still attempting to shield information from production to Congress," the report said.

“To think that the FDIC is the only agency dealing with the malicious and absent-minded employees would be foolish. Is anyone surprised that a nation-state hacking group successfully breached another target in North America? The reality is that the amount of proprietary information residing on networks is astronomical and controlling access is paramount for any organization,” Lior Div, CEO of Cybereason, told SecurityWeek.

“Today, proprietary data is regularly accessible to employees, as well as to various third party vendors. This gives nation-state actors and groups within China, Russia, Iran and North Korea treasure troves of IP, personal data nearly at their fingertips. In the case of hacking to the FDIC, the hackers’ access to extremely sensitive data can also be a basis of financial crime,” Div added.

FDIC chairman Martin Gruenberg and interim inspector general Fred Gibson will testify before the committee on Thursday. 

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.