FBI Probes JPMorgan, Other Bank AttacksExperts Warn Against Jumping to Conclusions About Culprits
Early reports suggested Russian hackers are behind a series of complex attacks and network intrusions at multiple U.S. financial services firms. But information security experts warn against jumping to conclusions, based on the scant evidence that's so far been released, and the fact that related investigations are continuing.
What is known is that the Federal Bureau of Investigation and U.S. Secret Service are investigating coordinated hack attacks, first launched earlier this month, against five or more U.S. financial services firms, reportedly including JPMorgan Chase.
"We are working with the United States Secret Service to determine the scope of recently reported cyber-attacks against several American financial institutions," FBI spokesman Joshua Campbell says in a statement issued late on Aug. 27. The National Security Agency is now also reportedly involved in the investigation.
Up to five banks' networks may have been breached, with attackers "siphoning off gigabytes of data, including checking and savings account information," reports The New York Times, citing unnamed sources with knowledge of the investigation. Third-party digital forensic investigation firms have reportedly been investigating the suspected breaches for several weeks.
News of the suspected bank attacks broke on Aug. 27, when Bloomberg reported that investigators have been probing a suspected hack attack against JPMorgan Chase and at least one other unnamed bank, which began in mid-August. Citing unnamed sources, the Bloomberg report says attackers may have accessed sensitive data from bank employees - including executives - as well customer data, and also exploited a zero-day vulnerability to breach at least one bank's systems. Investigators were also probing whether the attacks had been launched from Russia, potentially in retaliation for U.S. sanctions imposed over the Ukraine.
The JPMorgan breach apparently began after attackers managed to compromise a single bank employee's PC - and potentially a home PC with a VPN connection to the bank's network - which gave attackers a beachhead for accessing the bank's networks and compromising other systems, The Wall Street Journal reports.
JPMorgan reacted quickly to the news, saying its cybersecurity defenses are robust. "Companies of our size unfortunately experience cyber-attacks nearly every day," says JPMorgan spokeswoman Trish Wexler in a statement. "We have multiple layers of defense to counteract any threats and constantly monitor fraud levels." Earlier this year, in a letter to shareholders, CEO Jamie Dimon promised that by the end of 2014, the bank would be spending more than $250 million annually on information security, and have a headcount of about 1,000 cybersecurity-focused related personnel.
To date, however, the extent of the suspected breach remains unknown. Wexler says the bank is now working with law enforcement agencies to investigate the potential scope. She adds that the bank has not seen elevated levels of fraud, but promises to warn customers if it does.
Potential European Connection
The FBI and Secret Service are reportedly investigating a connection between the attacks against JPMorgan and other U.S. banks with recent attacks against European banks, noting that the attack techniques appear to be similar, Bloomberg reports.
There have been two serious, publicized incidents involving European banks this year: a breach of the European Central Bank, which resulted in the theft of personal information, as well as an attack against an unnamed European bank, which involved Luuuk malware and resulted in the theft of more than €500,000 ($660,000), Alan Woodward, who's a professor in the department of computing at England's University of Surrey, as well as an adviser to Europol, tells Information Security Media Group.
The European Central Bank breach was likely an espionage-driven attack, says Woodward. "I always get surprised when people get surprised that foreign countries are trying to spy on each other - why go and send a spy and place them in great danger when you can just electronically take a look?" he says. "What was slightly disappointing there was that the European Central Bank seemed to be quite easy to penetrate and in such a widespread way."
Meanwhile, the hack of the unnamed bank appears to have been the work of criminals, "because there was money stolen - it wasn't just disrupting infrastructure or a national economy," Woodward says.
"But you have to be quite careful, because someone might do that to make it look like it was criminals," he says. "People are not that simplistic in the way they operate. Some people are quite subtle in what they do."
Seeking Attack Attribution
But the big question now is: Who launched the attacks against U.S. banks?
The country's financial services firms are no strangers to online attack or disruption campaigns, as the 2010 NASDAQ hack and long-running Operation Ababil distributed-denial-of-service attacks have demonstrated.
But the recent bank attacks differ in some notable ways. "This is very different from the alleged Iranian [Operation Ababil] ]attacks earlier in 2012 and late 2013 that were purely of a denial-of-service nature," says Amichai Shulman, CTO of Imperva, because the attackers appear to have successfully breached banks' networks. Even so, however, they don't appear to have stolen money or used customer data to commit fraud. "Two possibilities here: first is that there are missing pieces in the puzzle - i.e. we are not being told everything - and second is that these were indeed politically motivated hackers."
The reported complexity and severity of the attacks has led some information security commentators to suggest that a nation-state sponsored the related attacks, and early news reports have singled out Russia as a likely culprit. "The ability to overcome the typical financial defense-in-depth strategy outlined by JPMorgan points to capabilities that go beyond criminal activity and are in the realm of nation-state capabilities," says Philip Lieberman, CEO of Lieberman Software.
Criminals Hack Well Too
But many security experts have cautioned against jumping to conclusions. "Certainly one of the things that a number of media outlets have been repeating is this view that because it's a 'complex hack,' it's too complicated to be criminal hackers," Woodward says. "I find that a very surprising statement, because frankly, the criminal hackers are some of the most advanced in the world ... [and] often their ability to attract talent is much higher than government sources."
Indeed, complex attacks can be launched by anyone who has "a combination of all or some of the following: time, tools, funding, and skills to carry out these attacks," says Dublin-based cybersecurity consultant Brian Honan, who is also an advisor to Europol.
"This narrows down those who could be behind such an attack to be a nation-state, organized crime gangs, or highly motivated political groups," he says, and also warns against jumping to conclusions, based on the scant amount of information that's been released so far, as well as previous, failed attempts to tie cyberattacks to Russia. "Indeed, previous incidents involving groups alleged to be sponsored by the Russian government, such as the DDoS against Estonia and cyber-attacks against Georgia during the Russian-Georgia conflict, proved such attribution to be extremely difficult - and inconclusive."