By Dustin Volz & Jason Lange
WASHINGTON – The FBI is investigating how hackers infiltrated computers at the Federal Deposit Insurance Corporation for several years beginning in 2010 in a breach senior FDIC officials believe was sponsored by China’s military, people with knowledge of the matter said.
The security breach, in which hackers gained access to dozens of computers including the workstation for former FDIC Chairwoman Sheila Bair, has also been the target of a probe by a congressional committee.
The FDIC is one of three federal agencies that regulate commercial banks in the United States. It oversees confidential plans for how big banks would handle bankruptcy and has access to records on millions of individual American deposits.
Last month, the banking regulator allowed congressional staff to view internal communications between senior FDIC officials related to the hacking, two people who took part in the review said. In the exchanges, the officials referred to the attacks as having been carried out by Chinese military-sponsored hackers, they said. The staff was not allowed to keep copies of the exchanges, which did not explain why the FDIC officials believe the Chinese military was behind the breach.
Reuters was not able to review those records, and could not determine how long the FBI probe has been open, though it was described as still active. A third person with knowledge of the matter confirmed the FBI had opened a probe.
FDIC spokeswoman Barbara Hagenbaugh declined to comment on the previously unreported FBI investigation, or the hack’s suspected sponsorship by the Chinese military, but said the regulator took “immediate steps” to root out the hackers when it became aware of the security breach.
After FDIC staff discovered the hack in 2010, it persisted into the next year and possibly later, with staff working at least through 2012 to verify the hackers were expunged, according to a 2013 internal probe conducted by the FDIC’s inspector general, an internal watchdog.
The intrusion is part of a series of cybersecurity lapses at the FDIC in recent years that continued even after the hack suspected to be linked to Beijing. This year, the FDIC has reported to Congress at least seven cybersecurity incidents it considered to be major which occurred in 2015 or 2016.
An annual report by the regulator said there were 159 incidents of unauthorized computer access during fiscal year 2015, according to a redacted copy obtained by Reuters under a Freedom of Information Act request.
Rather than major breaches by hackers, however, these incidents included security lapses such as employees copying sensitive data to thumb drives and leaving the agency.
Twenty of the incidents were confirmed data breaches, according to an FDIC document provided to Reuters by the U.S. House of Representatives Committee on Science, Space and Technology. That represents a higher number than was previously reported by the regulator under reporting guidelines for major incidents.
Throughout the lapses, the FDIC has said it is stiffening information security standards, including a ban on thumb drives and more coordination with the Department of Homeland Security to prevent hacks.
“We are continuing to take steps to enhance our cybersecurity program,” Hagenbaugh said.
An audit by the FDIC’s inspector general in November found the FDIC was failing to do “vulnerability scanning” in an important part of its network, a standard technique used to detect hackers. The audit stated the FDIC was working to address the shortfall.
The FBI declined to comment on its investigation. When asked about China’s possible role in the 2010 hack, Chinese Foreign Ministry spokeswoman Hua Chunying said: “If you have no definitive proof, then it is very hard for you to judge where the attacks really come from.”
Washington has accused Beijing of hacking government offices before, including the theft of background check records from the Office of Personnel Management.
It was not clear whether the FBI probe of the FDIC hack would result in any action against China or whether the issue would be taken up by President-elect Donald Trump, who has vowed to confront China on trade issues.
The Obama administration has struggled to develop a clear strategy for responding to cyber attacks, due to the difficulty of identifying hackers and fears of escalation.
That challenge was thrown into relief by hacks during the U.S. presidential election which the CIA and FBI concluded were carried out by Russia to help Trump win. Russia denied the accusation.
The White House had no comment on the FDIC hack. Trump’s transition team did not respond to a request for comment.
Last year, U.S. President Barack Obama and Chinese President Xi Jinping reached an agreement to avoid economic cyber espionage on one another.
‘Advanced persistent threat’
A July report by the House Science Committee said hackers suspected to be linked to China’s government gained deep access to FDIC computers starting in 2010. The probe at that point was unaware the hack was tied to China’s military.
The committee, chaired by Texas Republican Lamar Smith, has continued to press the FDIC. Republican lawmakers accused FDIC employees of covering up the hack to protect the job of Chairman Martin Gruenberg, who was nominated for his post in 2011. An FDIC review last month found no evidence Gruenberg’s pending confirmation influenced handling of the breach.
In September, FDIC officials told the committee it could not share some documents because the FBI was investigating the breaches, two committee aides told Reuters.
FDIC staff realized in October 2010 that sophisticated intruders lurked within the agency’s network, according to the FDIC inspector general’s 2013 probe.
Staff at the regulator learned the computer of the FDIC’s then-chairwoman, Bair, was breached by what they called an “advanced persistent threat.” Top FDIC officials were not briefed on the matter until August 2011, a month after Bair left the agency, according to the 2013 investigation.
Bair declined to comment when reached by Reuters this week.
Reuters was unable to determine when the hackers were expunged from the FDIC network. The regulator hired Mandiant, a firm specialized in probing Chinese military hackers, to investigate, executing a contract in January 2013. Mandiant was purchased in 2014 by FireEye, which did not immediately respond to a request for comment.