The Journal’s Citigroup Hacker Story

The Wall Street Journal’s fascinating scoop this morning on Russian hackers stealing tens of millions of dollars from Citigroup is made all the more interesting journalistically by the fact that Citi just flat denies the story.

You’ve got to hand it to the Journal for going big with the story, which we’ll assume is true. It puts the Citi denial in the fifth paragraph and just motors on:

Joe Petro, managing director of Citigroup’s Security and Investigative services, said, “We had no breach of the system and there were no losses, no customer losses, no bank losses.” He added later: “Any allegation that the FBI is working a case at Citigroup involving tens of millions of losses is just not true.”

Wanna bet? The paper counters that with an explanation of why Citi would lie:

U.S. banks have generally been loath to disclose computer attacks for fear of scaring off customers. In part this is an outgrowth of an experience Citibank had in 1994, when it revealed that a Russian hacker had stolen more than $10 million from customer accounts. Competitors swooped in to try to steal the bank’s largest depositors.

You can bet this one was one of the most heavily “lawyered” WSJ stories in a good while. The liability for getting this one wrong would be huge, especially after a flat denial.

The Journal goes into great detail here, which makes its story all the more credible.

The threat was initially detected by U.S. investigators who saw suspicious traffic coming from Internet addresses that had been used by the Russian Business Network, a Russian gang that has sold hacking tools and software for accessing U.S. government systems. The group went silent two years ago, but security experts say its alumni have re-emerged in smaller attack groups…

Among weapons the hackers used, according to people familiar with the case, was a small army of infected computers commanded by software called Black Energy…

Black Energy was written by a Russian hacker who goes by the name Cr4sh, said Joe Stewart, a researcher for SecureWorks, a computer-security company….

Over the summer, Mr. Stewart said, he discovered that Cr4sh had developed a new version of Black Energy with an added feature that steals banking credentials. In the Citi attack, the software included a tailor-made feature designed to attack the bank, according to two people familiar with the incursion. The thieves stole an estimated tens of millions of dollars, according to three people familiar with the matter.

And the paper runs with an anecdote which appears connected to the case, but it’s careful to say it can’t confirm that’s so. One businessman had a million bucks drained from his accounts and into Latvia and the Ukraine. At least Citi admitted that, though it denied it was connected to the larger swindle.

It’s rare to see a story like this where the subject denies the very premise of a super-sensitive story and yet the paper goes ahead and writes it anyway.

The WSJ is calling Citigroup a liar. Good for it.

Has America ever needed a media watchdog more than now? Help us by joining CJR today.

Ryan Chittum is a former Wall Street Journal reporter, and deputy editor of The Audit, CJR's business section. If you see notable business journalism, give him a heads-up at Follow him on Twitter at @ryanchittum.