A Russian based gang of computer criminals are stolen millions of dollars since late 2013 from banks in Russia, Eastern Europe and the U.S. It is unclear exactly how many, or which, banks were hit. According to a report from Kaspersky Lab ZAO, a Russian computer-security firm some U.S. financial-services executives have been briefed on the findings, people familiar with the briefings.
The hackers have been active since at least the end of 2013 and infiltrated more than 100 banks in 30 countries, after gaining access to banks' computers through phishing schemes and other methods, they lurk for months to learn the banks' systems, taking screen shots and even video of employees using their computers.
The location of the hackers is unclear. Some of their servers are based in China and some of their Web domains appear to be registered to Chinese nationals, the report says. But, as Kaspersky notes, such clues can and have been faked in the past.
The U.S. Secret Service and Federal Bureau of Investigation didn’t immediately respond to requests for comment.
The Moscow-based firm says that because of nondisclosure agreements with the banks that were hit, it cannot name them. Officials at the White House and the F.B.I. have been briefed on the findings, but say that it will take time to confirm them and assess the losses.
The Financial Services Information Sharing and Analysis Center, a nonprofit that alerts banks about hacking activity, said in a statement that its members received a briefing about the report in January.
"We cannot comment on individual actions our members have taken, but on balance we believe our members are taking appropriate actions to prevent and detect these kinds of attacks and minimize any effects on their customers," the organization said in a statement. "The report that Russian banks were the primary victims of these attacks may be a significant change in targeting strategy by Russian-speaking cybercriminals."
Kaspersky Lab says it has seen evidence of $300 million in theft through clients, and believes the total could be triple that. But that projection is impossible to verify because the thefts were limited to $10 million a transaction, though some banks were hit several times. In many cases the hauls were more modest, presumably to avoid setting off alarms.
The majority of the targets were in Russia, but many were in Japan, the United States and Europe.
No bank has come forward acknowledging the theft, a common problem that President Obama alluded to on Friday when he attended the first White House summit meeting on cybersecurity and consumer protection at Stanford University. He urged passage of a law that would require public disclosure of any breach that compromised personal or financial information.
