WASHINGTON — The FBI is investigating a hacker attack on Citigroup Inc. that led to the theft of tens of millions of dollars, The Wall Street Journal reported Tuesday. The bank strenuously denied the report.
Citing anonymous government officials, the Journal reported that the hackers were connected to a Russian cyber gang. Two other computer systems, at least one of connected to a U.S. government agency, were also attacked.
In a statement, Citi said "any allegation that the FBI is working on a case at Citigroup involving a breach of Citi systems resulting in tens of millions of dollars of losses is false. There has been no breach and there have been no associated losses."
Dow Jones & Co. spokesman Robert Christie said the Journal stands by the accuracy of its story.
The Journal reported that the attack on Citigroup's Citibank subsidiary was detected over the summer, although it may have occurred up to one year earlier. The FBI, the National Security Agency, the Homeland Security Department and Citigroup worked together to investigate the attack.
Cyber crime is of increasing concern to businesses and the federal government, with President Barack Obama calling it one of the "most serious economic and national security challenges we face."
On Tuesday, Obama announced the appointment of Howard A. Schmidt, a former eBay and Microsoft executive, as the government's cyber security coordinator.
Internet attacks on banks are very common, said Tom Kellermann, a former senior member of the World Bank's Treasury security team and now vice president of security awareness for Core Security Technologies.
While he said he has no knowledge of an attack specific to Citigroup, Kellermann said Tuesday that large financial institutions are "consistently targeted" by criminal organizations in Eastern Europe, Brazil and Southeast Asia.
"Ninety-eight percent of bank heists are now occurring virtually and not in the real world," he said, adding that the industry is "hemorrhaging funds" as a result.
Banks that accept deposits made more than 53,000 reports of wire transfer fraud between April 1996 and the end of 2008, according to the Department of Treasury's Financial Crimes Enforcement Network. These reports are filed when a bank suspects criminal activity, though they are not necessarily evidence that a crime was committed. Nevertheless, such reports have been increasing. Nearly 15,000 of these reports were filed in 2008, up from 9,300 the year before.
It's often difficult to determine who pulled off a virtual bank heist. Hackers tend to use "botnets," worldwide networks of "zombie" personal computers they've infected with viruses without the knowledge of the computers' owners.
And even if the hackers are caught, punishing them is another hurdle.
"Less than 30 countries have actually criminalized cybercrime," Kellermann said.