LockBit claims to exfiltrate 33TB of data from US Federal Reserve(securityaffairs.com)
securityaffairs.com
LockBit claims to exfiltrate 33TB of data from US Federal Reserve
https://securityaffairs.com/164873/cyber-crime/lockbit-claims-hacked-us-federal-reserve.html
97 comments
Same group who claimed to have Fulton County, Georgia data, pushed back the pay deadlines, but never released anything after Fulton County didn't pay the ransom. I don't doubt they have actually hit targets but that seed of doubt is planted.
Is that some calculus about risks? Ransoming data with a threat, might kind of make people shrug in the aftermath. Airing all of the dirty laundry might make authorities take a significantly harder look at you. Like those groups who apologize for hacking a hospital.
What data does the Fed actually deal with? The article mentions "Americans' banking secrets" as if the risk is to individuals but ... to oversee banks, does it need the particulars of individual account holders? Or is this information about banks and their overnight borrowing (i.e. should be "American banks' secrets")? Or is this like, pending drafts of various policy reports and granular data from which summaries would eventually be published?
The Fed runs several RTGS and retail payment systems, including FedNow, FedACH, and Fedwire.
FedACH processes roughly half of all ACH transfers, which include effectively all payroll direct deposit transactions in the US.
FedACH processes roughly half of all ACH transfers, which include effectively all payroll direct deposit transactions in the US.
Does it process individual transactions? RTGS stands for Real Time Gross Settlement, and my understanding is that it lets banks settle the total amount of processed transactions, thus leaving out any details of particular transactions.
> Does it process individual transactions?
Yes. FedNow and FedWire are real-time rails.
FedACH is net settled, but I believe the Fed would see the full contents of each ACH message.
Yes. FedNow and FedWire are real-time rails.
FedACH is net settled, but I believe the Fed would see the full contents of each ACH message.
For important/large payments, banks will often let customers allow do do individual transactions on the RTGS.
That's how wire transfers work in the US, for example, and that's one reason why they're more expensive than ACH: Without netting, transfers actually reduce reserves, and by extension liquidity, from the sending bank in real time.
FedACH in particular is a retail payment service, and the operator would have visibility into individual transactions, I believe.
That's how wire transfers work in the US, for example, and that's one reason why they're more expensive than ACH: Without netting, transfers actually reduce reserves, and by extension liquidity, from the sending bank in real time.
FedACH in particular is a retail payment service, and the operator would have visibility into individual transactions, I believe.
> that's one reason why they're more expensive than ACH
The Fed charges between 4 and 19¢ for a wire [1]. For the delta to be explained by the cost of warehousing reserves, we'd need to assume Zimbabwean costs of capital for the big banks.
RTGS is fundamentally more expensive than net settling. But wires are expensive because we're getting hosed. (If you wire frequently, there are banks that won't charge you for it, e.g. Fidelity.)
[1] https://www.frbservices.org/resources/fees/wires-2024 if you're a small bank, it could be as much as 95¢
The Fed charges between 4 and 19¢ for a wire [1]. For the delta to be explained by the cost of warehousing reserves, we'd need to assume Zimbabwean costs of capital for the big banks.
RTGS is fundamentally more expensive than net settling. But wires are expensive because we're getting hosed. (If you wire frequently, there are banks that won't charge you for it, e.g. Fidelity.)
[1] https://www.frbservices.org/resources/fees/wires-2024 if you're a small bank, it could be as much as 95¢
Completely agree: Of course the markup that banks charge for them is not proportional in any way.
If it were, FedNow (which is also real-time, although I'm not sure on whether it's also real-time settled) and non-US equivalents would be equally expensive, yet SEPA instant and FPS are usually free to consumers. They do have an amount cap per day, though.
If it were, FedNow (which is also real-time, although I'm not sure on whether it's also real-time settled) and non-US equivalents would be equally expensive, yet SEPA instant and FPS are usually free to consumers. They do have an amount cap per day, though.
> do have an amount cap per day
This is related to fraud risk, which is only ameliorated by net-settlement systems in that they're slower. (An RTGS with a built-in delay would have a similar fraud profile.)
Wires' immutability makes them both ideal for large transactions and more risky for fraud. If I understand correctly, FedNow payments are reversible.
In essence, you have to pick two among fast settlement, immutability and low cost. FedWire is fast and immutable and low cost at volume. FedNow is fast and low cost. ACH is stupid.
This is related to fraud risk, which is only ameliorated by net-settlement systems in that they're slower. (An RTGS with a built-in delay would have a similar fraud profile.)
Wires' immutability makes them both ideal for large transactions and more risky for fraud. If I understand correctly, FedNow payments are reversible.
In essence, you have to pick two among fast settlement, immutability and low cost. FedWire is fast and immutable and low cost at volume. FedNow is fast and low cost. ACH is stupid.
It helps with fraud, sure, but I bet banks aren't too unhappy about the dampening effect it has on liquidity flows as well, especially now that we've left ZIRP?
There must be some cost of capital associated with needing reserve buffers for outgoing instant payments sent outside of the operating hours of the interbank money market and the Fed discount window.
In the end, both effects (cost of fraud and cost of liquidity) will of course get baked into the cost per dollar to the banks and it might be hard to untangle them.
There must be some cost of capital associated with needing reserve buffers for outgoing instant payments sent outside of the operating hours of the interbank money market and the Fed discount window.
In the end, both effects (cost of fraud and cost of liquidity) will of course get baked into the cost per dollar to the banks and it might be hard to untangle them.
> banks aren't too unhappy about the dampening effect it has on liquidity flows
Correct.
The average FedWire is $5.4mm [1]. The Fed Funds rate is 5.3% [2]. ACH settles in 1 to 3 business days [3]. Actual/360, that's $800 to 2,400 to finance wholesale.
If, on the other hand, you're JPMorgan and can pay 2 bps for deposits [4], that cost drops to $3 to 9. These are the economics that drive bank consolidation.
[1] https://www.frbservices.org/resources/financial-services/wir...
[3] https://www.frbservices.org/resources/resource-centers/same-...
[2] https://fred.stlouisfed.org/series/fedfunds
[4] https://www.chase.com/content/dam/chase-ux/ratesheets/pdfs/r...
Correct.
The average FedWire is $5.4mm [1]. The Fed Funds rate is 5.3% [2]. ACH settles in 1 to 3 business days [3]. Actual/360, that's $800 to 2,400 to finance wholesale.
If, on the other hand, you're JPMorgan and can pay 2 bps for deposits [4], that cost drops to $3 to 9. These are the economics that drive bank consolidation.
[1] https://www.frbservices.org/resources/financial-services/wir...
[3] https://www.frbservices.org/resources/resource-centers/same-...
[2] https://fred.stlouisfed.org/series/fedfunds
[4] https://www.chase.com/content/dam/chase-ux/ratesheets/pdfs/r...
While SEPA Instant has a cap (100k), SEPA Slow (or, well, same-day/next-day, the normal one) does not, though some banks may impose their own.
Weirdly, 100k is not an absolute limit; the scheme allows banks to have bilateral agreements to exceed it, though I’m not sure how common this is.
Weirdly, 100k is not an absolute limit; the scheme allows banks to have bilateral agreements to exceed it, though I’m not sure how common this is.
What are house payments usually made with?
Just regular "SEPA slow" (i.e. SEPA credit transfer), as far as I know, unless they're financed by a mortgage/loan anyway.
Some banks offer "rush payments" for that use case in particular, which I believe essentially correspond to either an RTGS payment and a phone call or fax to the receiving bank ("hey, can you check your TARGET2 account real quick for our transfer <reference> and credit your account x for the sum please?"), or just a regular old SEPA credit transfer with somebody making sure that it's not caught in some AML or fraud control queue for several days. It's not a pan-European standardized scheme, in any case.
Some banks offer "rush payments" for that use case in particular, which I believe essentially correspond to either an RTGS payment and a phone call or fax to the receiving bank ("hey, can you check your TARGET2 account real quick for our transfer <reference> and credit your account x for the sum please?"), or just a regular old SEPA credit transfer with somebody making sure that it's not caught in some AML or fraud control queue for several days. It's not a pan-European standardized scheme, in any case.
Even if they're financed with a mortgage, the actual payment from the lender will almost certainly be SEPA; very little reason to use anything else.
> lets banks settle the total amount of processed transactions, thus leaving out any details of particular transactions
This is the definition of a Net settlement scheme (multiple transactions are combined at end of a period, resulting in only the net changes being transferred), not a Gross settlement scheme.
This is the definition of a Net settlement scheme (multiple transactions are combined at end of a period, resulting in only the net changes being transferred), not a Gross settlement scheme.
FedACH is a net settled scheme, but even then, the operator of such a scheme usually has visibility into individual payments (unless participating banks settle everything bilaterally and there is no central operator/hub).
I was merely clarifying their use of "RTGS" vs their textual description of it.
Lockbit primarily targets Microsoft Windows servers. Does the Fed run all this critical infrastructure on Windows?
You would anticipate a lot of confidential supervisory information: the Federal Reserve (and other Federal regulators) inspect banks regularly, and are allowed to ask for basically anything at all from them. You would expect there to be a significant volume of highly confidential stuff in the working papers. You'd also expect to see potentially embarrassing material for banks like negative supervisory findings, where banks are being asked to deal with things that potentially affect their safety and soundness. This stuff is all highly confidential, for obvious reasons.
This seems like the kind of data banks would hand over for FDIC insurance since it's on a per-account basis. I don't know if that makes its way to the federal reserve.
> kind of data banks would hand over for FDIC insurance since it's on a per-account basis
Banks don't systematically hand over account-level data to the FDIC, much less for insurance.
Banks don't systematically hand over account-level data to the FDIC, much less for insurance.
Transactions above $10k get reported. Reported to who? Is it the Fed? If that data got stolen, that would be enormous.
If it's technical analysis data ("In October 1957, Idaho produced X tons of potatoes..."), then it's less interesting.
If it's technical analysis data ("In October 1957, Idaho produced X tons of potatoes..."), then it's less interesting.
For what it's worth, Idaho produced 35,525,000 cwt (1,776,250 short tons) of potatoes in fall of 1957. https://archive.org/details/CAT10268574003/page/4/mode/2up?q... ;)
Now this is what I come to HN for. Did you go looking for this report, or did you already know these were uploaded to the internet archive?
Looked for it. "idaho potato production 1957" to see what the right search terms were by looking at some hits, then "idaho farm report 1957" until I found that table via in-book text search; both searches as " Search text contents ", limited to <1965.
SARs are reported to FinCEN, which is part of the Treasury, not Fed.
> Reported to who?
Department of Homeland Security, I imagine. Probably the IRS too. Probably not the Fed, they can't really do anything with the data other than report it to someone else.
Department of Homeland Security, I imagine. Probably the IRS too. Probably not the Fed, they can't really do anything with the data other than report it to someone else.
> Many experts are skeptical about the criminal group’s announcement. The Federal Reserve is a high-profile target, and a data breach could have serious repercussions. Many believe that the group’s announcement is just for attention.
"Many." Sounds like potential propaganda to me. Who are these "many?"
The use of "many" in such contexts by journalists (and human/AI entities who choose to write like journalists, as in this case) is a shim used to make personal opinion seem more objective.
And we can definitely rely on plurality of professionals.
There were many (almost all) journalists and intelligence professionals that claimed the Hunter Laptop was not real… except of course it was and entered into evidence in his gun trail and conviction recently.
There were many (almost all) journalists and intelligence professionals that claimed the Hunter Laptop was not real… except of course it was and entered into evidence in his gun trail and conviction recently.
The "story" was that Joe Biden had pushed Ukraine to protect Hunter Biden [1], and there was no evidence found to support that claim at all, despite multiple investigations from the FBI as well as both chambers of Congress [2].
The only thing that turned out to be true and actually criminal was that Hunter Biden acquired a gun while forbidden from doing so, for which he was recently convicted.
[1] https://en.wikipedia.org/wiki/Hunter_Biden_laptop_controvers...
[2] https://en.wikipedia.org/wiki/Biden%E2%80%93Ukraine_conspira...
The only thing that turned out to be true and actually criminal was that Hunter Biden acquired a gun while forbidden from doing so, for which he was recently convicted.
[1] https://en.wikipedia.org/wiki/Hunter_Biden_laptop_controvers...
[2] https://en.wikipedia.org/wiki/Biden%E2%80%93Ukraine_conspira...
That’s pretty disingenuous. The story was it was Hunter’s laptop, had compromising information on Hunter (it did), had emails that detailed more involvement and knowledge of Hunter’s business by Joe than was previously disclosed, as well as a litany of other private information that was not previously known (private email addresses used by public officials).
50 intelligence officials signed a politically motivated letter to cast doubt on the authenticity of any of this[0] and the majority of media outlets inferred that it not only could be misinformation, but that it was and gaslighted anyone who alleged differently. The officials opinion was wrong from the outset, and appears to have been a screen for a very politically connected family.
0 - https://www.politico.com/f/?id=00000175-4393-d7aa-af77-579f9...
50 intelligence officials signed a politically motivated letter to cast doubt on the authenticity of any of this[0] and the majority of media outlets inferred that it not only could be misinformation, but that it was and gaslighted anyone who alleged differently. The officials opinion was wrong from the outset, and appears to have been a screen for a very politically connected family.
0 - https://www.politico.com/f/?id=00000175-4393-d7aa-af77-579f9...
Could you link something showing that "almost all" journalists claimed the laptop wasn't real? Some articles from notable publications making such claims, etc.
If this is real, this is an incredible target to choose. I mean, you might not make it trial if they catch you, if you know what I mean. Makes me wonder what level of affiliation or perceived safety would make anyone this confident.
They will be Russian. All of the groups are just government agents, that’s why you get someone like “Anonymous” suddenly appearing overnight, attacking someone that is a foreign rival to the US and then disappearing for another 8 years.
> that’s why you get someone like “Anonymous” suddenly appearing overnight, attacking someone that is a foreign rival to the US and then disappearing for another 8 years
Humans can spontaneously self organise to a surprising extent. No government was behind Reddit's meme trading, for instance.
Not saying you're wrong. Just that spontaneous bursts of organisation aren't per se evidence of outside influence.
Humans can spontaneously self organise to a surprising extent. No government was behind Reddit's meme trading, for instance.
Not saying you're wrong. Just that spontaneous bursts of organisation aren't per se evidence of outside influence.
[deleted]
I feel like you missed what Anonymous is supposed to actually be. Anyone and everyone can be a part of Anonymous; queue V for Vendetta.
I don't think the federal reserve has that many deep dark secrets. The main risk is going to be stuff like knowing that a bank is in trouble before it's public knowledge.
I suspect the purpose of announcing it is so that it enters the news cycle before a Presidential debate. The payload itself may never materialize.
Trust in the Federal Reserve, and ignorance of its function, can be a strong partisan issue without waiting for a payload.
Trust in the Federal Reserve, and ignorance of its function, can be a strong partisan issue without waiting for a payload.
The Fed runs several payment systems so in theory all the transfers sent through there could be a part of this leak.
I'd be _extremely_ surprised if they managed to pop the payment systems.
If previous releases are anything to go by, it’ll be a bunch of backups and databases from enterprise HR and IT software that was running on poorly secured Windows servers, though I don’t know how it adds up to 33TB. Probably undeduplicated backup images or something.
The dump from their Boeing hack was excruciatingly boring.
The dump from their Boeing hack was excruciatingly boring.
As of February, they openly support or court Trump.
One of the scary things about ransomware attacks is to think of the possibility of other actors having gotten in before and copied all the data. I can't imagine the security hole is always an unknown zero day.
Whenever these groups tout volume of data it seems like a marketing move to compensate for lack of meaningful insights, compromising info, etc
How long would it have taken them to transfer 33TB and where would they store it?
[deleted]
Placing a bet this was a Windows system, just as all of the other recent major "hacks" were.
Heart bleed, Log4J, triangulation, spectre, rowhammer, almost every single website hack, every single social engineer attack, only by chance xz…
Yea. Windows sucks, but that is often off topic.
Yea. Windows sucks, but that is often off topic.
I think most of the things you listed weren't really used in the wild, at least not at scale?
I’m pretty sure every phishing attack almost ever was used in the wild and OS-agnostic.
The rest of the list was off the top of my head. Other than WannaCry and Stux, how many large scale windows malwares can you name without looking them up?
The rest of the list was off the top of my head. Other than WannaCry and Stux, how many large scale windows malwares can you name without looking them up?
Yeah that's the exception I had in mind.
I guess you could call it social engineering, but it seems like the words Microsoft Outlook and Active Directory are way overrepresented in these attack vectors (hopefully not in this particular case.)
I guess you could call it social engineering, but it seems like the words Microsoft Outlook and Active Directory are way overrepresented in these attack vectors (hopefully not in this particular case.)
[deleted]
[deleted]
Would this be maybe their biggest target so far? If so, the $50,000 which has been offered seems a tad dreamy.
narrator(3)