A new KrebsonSecurity.com article by Brian Krebs sheds fresh light on the 2011 attack on banking industry giant Fidelity National Information Services (FIS) – and the details are chilling, to say the least.
In the first quarter of 2011, hackers carried out a very well-organized theft involving 22 prepaid FIS debit cards. After manipulating the cards' daily withdrawal limits, the hackers cloned and distributed the cards and used them at ATMs in major cities across Europe, Russia and Ukraine. By the time they were done, $13 million had been stolen.
Naturally, one of the questions that both banking regulators and FIS customers had concerned the size of the attack. To that end, in its first public SEC filing after the attack, FIS stated that the attack was localized to the company’s prepaid card network. It’s a claim that FDIC examiners are now saying was incorrect.
Apparently, FIS dramatically understated the attack’s severity and impact, which was much more widespread than reported. According to FDIC examiners:
“The initial findings have identified many additional servers exposed by the attackers; and many more instances of the malware exploits utilized in the network intrusions of 2011, which were never properly identified or assessed. As a result, FIS management now recognizes that the security breach events of 2011 were not just a pre-paid card fraud event, as originally maintained, but rather are that of a broader network intrusion.”
Does this suggest that FIS intentionally misled regulators, its customers, or the general public about the size of the attack? No, it doesn’t, nor is this the view of the FDIC examiners.
Rather, what this horror story — it’s too scary to be called a case study — illustrates is that trying to grasp the scope of a malware attack while it’s happening, or in its immediate aftermath, is extremely difficult, if not impossible. Malware attacks aren’t linear or straightforward. Whether they’re designed to cause destructive chaos (like Shamoon) or to fly under the radar (like PushDo), they’re tough to contain, categorize and catalog.
That’s why it’s essential in today’s sophisticated threat landscape for organizations to have network defense solutions in place that let them:
identify what is being compromised, including servers and mobile devices used by employees and contractors
detect the reason for the attack (e.g. economic, political, social, etc.) so they can anticipate the malware’s behavior and next steps
access accurate data on the scope and size of the attack, so they aren’t facing anyone’s wrath in the attack’s aftermath for having understated it
Having the above won’t stop malware attacks – because, frankly, they can’t be 100% stopped. However, it will give organizations the data they need to make quick, accurate decisions during an attack.
If FIS had this in place back in 2011, they’d likely be applauded today for being suitably prepared, instead of widely viewed as a cautionary example.