Federal Reserve passed Treasury Secretary's details to Russians after social engineering incident

"Hi. This is the Prezident here on [email protected]. Can I have your number and your friends' too?"

The report was released today after a year's FOI persistence by reporter Jason Leopold.

The Federal Reserve’s security team rebuilt Chairman Jerome “Jay” Powell's computer after he was tricked into a 30-minute call from home with a Russian impersonator of Ukrainian president Volodymyr Zelenskyy in 2023 – not finding any warning signs but erring on the side of caution.

That’s according to a newly released report that shows nobody at the Federal Reserve had spotted any warning signs about the email addresses “[email protected]” and “[email protected]” – and continued a two-week-long correspondence before setting up the call.

In the wake of the call (during which nobody suspected that they were not actually talking to the Ukrainian leader) the Russian pranksters, who later posted excerpts of the video call online, made a “small request.” 

“Could you connect us with Secretary of the Treasury Janet Yellen so that President Zelenskyy could discuss the economic situation with her directly?” they asked a Fed assistant – who then shared Yellen’s email.

An internal report into the incident was published today after a year-long effort by reporter Jason Leopold, who was the first to report on it for Bloomberg. (We highly recommend his FOIA Files newsletter.)

A cybersecurity audit after the previously reported incident also “identified opportunities for improvement related to account management policies and procedures, audit log review, and security assessment and authorization processes,” a newly released report shows.

OIG report suggests Fed's IT team can tighten up a touch.

The incident started in January 2023 with an email to the Fed from a purported deputy head of the office of the President of Ukraine. (We defer to Jason Leopold’s original reporting for a useful recap and blow-by-blow account.)

In the wake of it, the Office of Inspector General (OIG) and Board of Governors of the Federal Reserve System noted delicately that they saw “an opportunity for the Board to develop a baseline of meetings with foreign officials to assist in overall security monitoring efforts…”

The heavily censored OIG report notes: “Chair Powell stated that IF [the Fed’s International Finance unit] is responsible for ensuring that foreign officials requesting to communicate are properly verified and vetted. Chair Powell reiterated that this one-on-one meeting with the Zelenskyy impersonator was extremely unusual given that nearly all of his communications are with people he is already deeply familiar with. 

“Chair Powell explained that in the future, if someone at the Board were to be contacted by a foreign official with which the chair does not have a preexisting relationship, a simple fix would entail an individual from the Board calling the relevant embassy to verify the contact.” 

The OIG added: “We were informed by multiple Board staff members that attention to detail regarding incoming email is crucial and that staff members are taking a closer look at senders' email addresses and verifying contacts as necessary. In addition, the Division of Information Technology's Technology Systems and Services imaged a new computer for Chair Powell. This step was taken as a precaution given that the preliminary forensic assessment conducted by Board Information Security Operations showed that no hacking or infiltration occurred…”

The incident is a tart reminder of the importance of training staff across the board on social engineering and phishing campaigns. Whilst this particular incident was ultimately not damaging on the security front, numerous high-profile and highly damaging ransomware attacks have started with social engineering campaigns, including, at the most basic level, calls to IT support or calls purporting to be from IT support.
