Beyond Chase: 9 More Banks Breached?
JPMorgan Chase Hackers Infiltrated Others, Report Says
The hackers who successfully infiltrated the network of banking giant JPMorgan Chase have also breached the networks of approximately nine other financial institutions, none of which has been publicly named, according to an Oct. 3 New York Times report. The report quotes unnamed U.S. officials, who suspect the overseas attacks were launched by a Russian-based group that is believed to have ties to the Russian government.
Beyond that suspicion, however, investigators reportedly still don't understand the rationale behind the attacks. "It could be mixed motives - to steal if they can, or to sell whatever information they could glean," an unnamed official tells the Times. Likewise, "it could be in retaliation for the sanctions" being imposed on Russia over its actions in Ukraine.
JPMorgan Chase disclosed on Oct. 2 in a filing to the Securities and Exchange Commission that the breach compromised information relating to 83 million U.S. households and businesses (see Chase Breach: Lessons for Banks).
Chase believes that the network intrusion began in June, but wasn't detected by the bank's security team until late July, by which point hackers had "obtained the highest level of administrative privilege to dozens of the bank's computer servers," the Times reports. It adds that it's only in recent days that Chase has begun to understand the full extent of the breach.
Chase Investigation Continues
The breach at Chase wasn't fully contained until the middle of August, the Times reports, adding that the bank has been working with multiple U.S. government agencies - including the Treasury Department, Secret Service, and multiple intelligence agencies - to investigate the intrusion.
What's notable, however, is that the attackers don't appear to have stolen financial information, such as bank account numbers. "We have not seen unusual fraud activity related to this incident," Chase says in a statement.
While attackers did obtain contact information - names, addresses, phone numbers and e-mail addresses - for everyone who recently logged into Chase's website or mobile applications, the main value of that data to an attacker lies in crafting targeted spear-phishing attacks against those customers.
"There is no evidence that financial data such as account numbers, passwords, user IDs, dates of birth or Social Security numbers were accessed, acquired or compromised," Chase says in a breach FAQ.
"We uncovered an attack by an outside adversary recently where the firm's technology environment was compromised," Kristin Lemkau, a JPMorgan Chase spokesperson, told the Times. "We are confident we have closed any known access points and prevented any future access in the same way."
But as Bloomberg notes, attackers skilled enough to compromise Chase's network may also have been skilled enough to leave behind backdoors that have yet to be detected - which is why closing the "known" access points is not the same as confirming the intruders are gone.
Beware Russian Attribution
To date, attackers' identity and motives reportedly still aren't clear, and some U.S. officials have warned against jumping to conclusions. "We've been wrong before," an unnamed official with knowledge of the Chase investigation told the Times.
That view has been echoed by multiple information security experts. "[It's] very dangerous to start attributing blame too soon," says cybersecurity expert Alan Woodward, who's a visiting professor at the department of computing at Britain's University of Surrey. "It is extremely difficult to track down these attacks and simplistic data such as IP addresses are fraught with the risk of false attribution."
"Without solid evidence, people should be careful about attributing blame to any parties," says Dublin-based independent information security consultant Brian Honan.
In fact, advanced hackers will go out of their way to not just disguise the origins of the attack, but attempt to deflect the blame. "It is a well-known tactic of criminals or cyber spies to mount false-flag operations so that investigators start chasing spurious leads," says Woodward, who's also a cybersecurity adviser to Europol's European Cybercrime Center. "We do need to be very careful about criminals hiding behind country boundaries and it is for this reason that so much effort is going into international, cross-border collaboration, including [with] countries such as Russia, so that criminals cannot hide in one country and attack another."
Complex IT Environment
Regardless of whether a Russian gang was involved in the Chase breach, because cybercriminals aim to steal money, banks are - and will remain - a top target. "The biggest ones are often the biggest targets," John Pescatore, director of research for the SANS Institute, tells Information Security Media Group. "They've also got a more complex IT environment, lots of business partners, third-party suppliers," he says, meaning that there are many potential ways an attacker might breach a bank's network.
"Bigger isn't always better, from a security perspective," he says.
Many financial services firms also continue to rely on a large amount of legacy IT infrastructure. "Some of the legacy systems in use in banking were never intended to be networked in the way they are now," the University of Surrey's Woodward says. "However, that does mean that often, whole new systems have been built to act as an interface - and in so doing, one hopes that suitable security has been included."