State-sponsored hackers aligned with the Chinese government have been accused of infiltrating the computer networks of the Federal Deposit Insurance Corporation (FDIC), a major banking regulator responsible for safeguarding the bank accounts of US citizens.
According to a damning report compiled by the House Committee on Science, Space and Technology, "advanced persistent threat" (APT) hackers compromised 12 agency work stations and 10 servers in three separate cases between October 2010 and April 2013.
The hacks, alongside a number of internal security breaches involving past staffers, were never declared to law enforcement or the US Computer Emergency Response Team (US-CERT), the authority that manages cyberattack responses in the US, the probe claims.
What's worse, evidence from a number of FDIC whistle-blowers indicates the agency actively worked to cover up breaches impacting high-level officials – including the former chairman, chief of staff and general counsel, whose computers were all reportedly targeted.
"In essence, a foreign government penetrated FDIC's computers and the work stations of high-level agency officials. [The inspector general] was particularly critical of the agency for violating its own policies and failing to alert appropriate authorities," the report states.
The nation-state hacks only came to light in the congressional investigation after another serious breach occurred in October 2015 involving a former employee who stored more than 100,000 files on a USB device before leaving the agency.
In February this year, as a reaction to the probe, the FDIC retroactively reported five "major incidents" involving taxpayers' personally identifiable information (PII), which are all currently under criminal investigation. None of these separate data breaches were blamed on Chinese hackers.
In any case, the 25-page congressional report repeatedly slams the FDIC for its cybersecurity standards and alleges the agency attempted to evade oversight from authorities. It alleges that FDIC employees were instructed by Russ Pittman, its chief information officer, not to discuss the Chinese hacking incidents.
This, the report finds, was so nothing could interfere with the succession in the agency of Martin Gruenberg, a former vice-chair who was upgraded to the position of chairman in 2012. It was more than a year later when the breaches were finally reported to Congress.
The investigation argues this is one of many examples of the FDIC intentionally putting off the reporting of major breaches. It states: "There was a concern that if news got out about the foreign government hack, Mr Gruenberg's confirmation to the position of chairman may be jeopardised. This is one earlier example of the current pattern by the committee of concealing information from Congress."
As part of the probe, Gruenberg is now scheduled to testify before the committee about his role in the agency and its issues with cybersecurity.
"The committee remains concerned about the FDIC's weak cybersecurity posture and its ability to prevent future breaches," the House Committee report concludes. "FDIC's unwillingness to be open and transparent with the committee's investigation raises serious concerns about whether the agency is still attempting to shield information."
According to The Hill, lawmakers in the US have slammed the agency for failing to disclose the breaches until forced to do so by a formal investigation.
House Committee chair Lamar Smith said: "The FDIC's repeated efforts to conceal information from Congress are inexcusable. They raise significant questions about whether the agency actively attempts to hide potentially incriminating information from Congress."
Tensions between the US and China over cybersecurity spiked following the hacking incident at the Office of Personnel Management in 2014, which exposed more than 21 million federal employee details and 5.6 million fingerprint records. It is widely believed that Chinese government hackers were responsible.
Yet for its part, Beijing has continued to deny it uses hacking against US-based computer networks. In this latest incident, according to Reuters, Chinese Foreign Ministry spokesman Lu Kang refuted the committee's report. He said that critics should provide evidence for their accusations and not use words like "maybe" and "perhaps" when talking about hacking. "This is extremely irresponsible," he asserted.