[8/29/14 UPDATE: Bloomberg today reports that the JP Morgan breach began in June and exploited multiple zero-day software vulnerabilities, with the attackers running custom malware in the attack against the firm]
US financial institutions are in the bullseye again as the FBI and US Secret Service are investigating possible data breaches earlier this month at JPMorgan Chase and other US banks. This time the financial community isn't battling distributed denial-of-service (DDoS) attacks, but attacks that reportedly stole customers' bank account information.
The FBI today confirmed that it was investigating reports of attacks against multiple US financial institutions. "We are working with the United States Secret Service to determine the scope of recently reported cyber attacks against several American financial institutions," an FBI spokesperson said in a statement. "Combating cyber threats and criminals remains a top priority for the United States Government, and we are constantly working with American companies to fight cyber attacks."
JPMorgan said it has not detected any fraudulent activity thus far and is working with law enforcement to determine the scope of the breach. The financial firm is asking customers to report any suspicious activity on their accounts, and will contact anyone who was affected. "Companies of our size unfortunately experience cyber attacks nearly every day. We have multiple layers of defense to counteract any threats and constantly monitor fraud levels," a JPMorgan spokesperson said.
The firm expects to spend more than $250 million per year in cyber security, with some 1,000 employees dedicated to those operations by the end of this year.
Word that JPMorgan and at least one other bank had been hit in mid-August by hackers who stole gigabytes of information initially came via a Bloomberg report late yesterday and then The New York Times. The attackers reportedly exploited a zero-day vulnerability found on one of the banks' websites in a multi-stage attack that, in the case of JPMorgan, ultimately led the attackers to the sensitive banking account information. Published reports suggest the attacks came out of Russia.
Sean Mason, global IR leader at CSC, says the attack is most likely the handiwork of cyber criminals, not a nation-state or hacktivist group.
Financially driven cybercrime traditionally has originated out of Eastern Europe, and mainly Russia, but details about this breach so far don't sync with the typical cybercrime M.O. The absence thus far of fraudulent transaction activity in the wake of the stolen banking information, which is unusual for a typical cybercrime hack, has led to speculation about the intent of the attackers. And adding to the confusion, zero-day attacks are more often the earmark of state-sponsored attacks associated with cyber espionage.
One theory about why no banking fraud has yet been seen suggests a possible political move by Russia in retaliation for recent US sanctions against the nation for its actions in Ukraine.
Tom Kellermann, chief cybersecurity officer at Trend Micro, says world political developments indeed can yield cyber attack responses. "Geopolitics are harbingers of cyber attacks, and thus economic sanctions will be met by cyber sanctions in 2014," Kellermann says. "Regardless of whether the regime was involved, the untouchables of Russian cyber have unleashed a cyber crime wave upon our financial institutions just in time for autumn."
But other security experts are skeptical that the reported attacks constitute an orchestrated attack campaign against US financial institutions. According to one source with insight into the attacks, published reports about the attacks inaccurately connect unrelated financial institution breaches: In fact, some of the intrusions and breaches were probably not at all related, the source notes. Banks are regularly being targeted by attackers, and several published reports this week mistakenly connected unrelated security incidents, the source says.
Sophisticated attacks don't necessarily equal Chinese hacker groups or nation-state attackers, either. "I have noticed that there's been a lot of hastiness to speculate... The 'highly sophisticated attacker' of last year is now the norm. And they usually aren't sophisticated attacks," out of China, anyway, notes J.J. Thompson, CEO of Rook Security.
Meantime, the possibility of the heavily fortressed financial industry suffering a major breach is yet another reality-check that no one is immune to a determined attacker. There are plenty of unanswered questions, such as whether the stolen information was encrypted.
"The question to ask is how much of the data was encrypted, given it was sensitive financial information. What we have seen again and again with these types of attacks against banks is that breach prevention and threat monitoring alone will not keep the cyber criminals out," says Tsion Gonen, chief strategy officer at SafeNet. "Companies need to focus on a defense-in-depth strategy and securing the breach, and that means using data encryption as the last line of defense. That is the only way to make the data useless to hackers and cyber criminals."
Bob Stratton, general partner at MACH37, cautions that concluding where the attacks came from this early in the investigation is premature. "The fact that an attack comes from someone's network does not automatically imply that that someone is the attacker," he says. "It will take some time to forensically sort this out."