There has been no breach and there have been no associated losses, Citigroup said in a statement.
Occasionally, as with virtually all financial institutions, there are instances of fraud or breaches of third-party systems that result in our taking actions to protect our customers and Citi, the bank added.
The cyber attack, believed to be linked to a Russian gang, was aimed at Citigroup's Citibank subsidiary, the paper reported, citing unnamed government officials. It also said the hackers may have gained access to the bank's systems through third parties.
The attack on Citibank is believed to have taken place over the summer and was detected at that time, but investigators suspect it could have taken place up to a year earlier, the paper said.
Two other entities, including a U.S. government agency, were also attacked by hackers, the paper said, citing people familiar with the Citibank incident.
FBI spokesman Richard Kolko declined to comment, saying it is agency policy to neither confirm nor deny whether investigations are in progress. A spokesman for the Department of Homeland Security also declined to comment.
The issue of computer hacking financial institutions has been a growing concern. And after months of searching, the White House said on Tuesday that President Barack Obama picked an expert to serve as the national cyber security coordinator.
Howard Schmidt is president of the Information Security Forum, a nonprofit consortium of 300 large corporations and public-sector organizations working on cybersecurity issues. He also worked under U.S. President George W. Bush on cyber issues.
Most financial institutions of this magnitude are working extremely hard to avoid this kind of thing and be out ahead of it, said Scott Vernick, a lawyer at Fox Rothschild LLP whose practice includes electronic data securities matters.
The problem is the criminals are working even harder, Vernick added.
The Wall Street Journal mentioned a Citibank customer who saw more than $1 million removed from his account and sent to banks in Latvia and Ukraine. The bank helped him recover most of the money and reimbursed him for the rest, the newspaper reported, adding that it was not clear whether the incident was part of the larger attack on Citigroup.
In a statement, the bank said it was an isolated case of fraud.
Citigroup also said that attacks are directed against companies globally, and while there had been attempts to interfere with the bank's systems, none had been successful.
But Fred Cate, director of the Center for Applied Cybersecurity Research at Indiana University, said, I don't want to sound alarmist ... but the evidence is just overwhelming today that attacks are successful in many instances, particularly socially engineered attacks.
(Reporting by Dan Wilchins in New York; additional reporting by Jim Finkle in Boston, Jeremy Pelofsky and Dan Margolies in Washington and Ajay Kamalakaran in Bangalore; Editing by Valerie Lee, John Wallace, Tim Dobbyn and Richard Chang)