U.S. officials with access to intelligence reports said the mid-August cyber attacks, made public last week, involved sophisticated attack and data exfiltration operations that required government-level intelligence work and cyber reconnaissance capabilities, an indication of Moscow government involvement.
Criminal groups are known to employ sophisticated cyber attack capabilities. However, the JPMorgan Chase attacks were gauged to be beyond the capabilities of most criminal cyber gangs.
Preliminary investigation by U.S. authorities and cyber security analysts determined that the hackers used a “zero-day” vulnerability and other sophisticated methods to penetrate the JPMorgan network. Zero-day is the term used to describe an undisclosed security flaw in software. Discovery of zero-day software holes requires in-depth intelligence and research and is a key reason Moscow state sponsorship is suspected.
The financial cyber attacks coincided with new Russian-backed military operations in eastern Ukraine. The Pentagon said this week that Russia is supplying both military forces and sophisticated arms to pro-Russian rebels in eastern Ukraine.
The timing of the attacks appeared to be a deliberate political signal from Moscow that further U.S. opposition to Russian efforts to covertly and overtly take control of Ukraine will prompt a strategic cyber attack against the United States in response.
After the United States imposed sanctions on Russia in July for its military annexation of Ukraine’s Crimea, the Russian Foreign Ministry, in a statement July 30, said the sanctions would result in “quite tangible real losses for Washington.”
The U.S. and European sanctions also targeted Russian state banks and companies and are costing Moscow dozens of billions of dollars in losses.
Computer security analysts familiar with the malware used in the attack described the attack as very sophisticated and involving composite penetration methods. One analyst compared it to the Stuxnet worm that was used by the United States and Israel to disable and destroy Iranian centrifuges by infiltrating industrial control software.
The software succeeded in breaching high-security network tools used by banks to protect financial and personal information.
Additionally, sophisticated cyber attackers are known to implant very hard-to-detect sleeper software during such attacks that would allow future access. As a result, damage mitigation and security reinforcement often require replacing expensive network equipment to ensure that no holes in the network can be exploited in the future.
Last year, former National Security Agency Director Mike McConnell warned that a cyber attack on the U.S. financial system could be catastrophic.
McConnell said the immediate threat is the vulnerability of the United States’ $14 trillion annual economy, $13 trillion of which passes through the banking system daily.
“I am personally acquainted with people who have the physical capability to break into that system and contaminate the data,” McConnell said in a speech. “If it were contaminated, banks would fail and you would have a cascading effect.”
“There are nation states with the capability” to carry out cyber attacks against bank networks, but at the time doing so would be contrary to their interests, he said.
Larry Ponemon, head of cyber security think tank The Ponemon Institute, told Fox Business Channel that the JPMorgan cyber incident was not a normal malware attack.
Ponemon said the software breached JPMorgan’s core infrastructure, including its network layer that links mobile banking and trading systems.
The data theft included gigabytes of internal bank data that could be used in later cyber attacks or phishing schemes.
JPMorgan spokeswoman Patricia Wexler told reporters that the bank uses “multiple layers of defense to counteract any threats and constantly monitor fraud levels.”
The FBI confirmed in a statement it was investigating the cyber attack. “We are working with the United States Secret Service to determine the scope of recently reported cyber attacks against several American financial institutions,” the Aug. 27 statement said.
The Russian hacktivist group CyberBerkut, which claims it stole data on several thousand clients of the Ukrainian bank Privatbank, does not appear to have the same level of sophistication as the hackers behind the JPMorgan attacks.
CyberBerkut has threatened to publicize the stolen Privatbank data unless the bank’s clients change banks.
The hacker group may have been operating covertly on behalf of the Russian government because Privatbank’s owner, Igor Kolomoyskiy, has been an important financial backer of operations against the pro-Russian rebels.
After news of the JPMorgan cyber attack surfaced in a report by Bloomberg news, several of the largest U.S. banks denied having been impacted by the cyber attack. Bank of America, the Bank of New York Mellon, Capital One, Citigroup, PNC and TIAA-CREF announced that they had not been victims of the attack.
European banks also may have been targeted in the Russian cyber attacks.
Bloomberg said U.S. officials suspect the cyber attack was retaliation for U.S. sanctions against Moscow over Ukraine.
The news agencies reported that the Russian hackers stole data from bank employees, including executives.
The JPMorgan attack highlights the vulnerability of the U.S. financial system to crippling cyber attacks.
Iranian hackers conducted cyber attacks on U.S. banks and financial institutions in 2012 and 2013. But those attacks were less sophisticated than the August bank strikes.
— Bill Gertz
August 30, 2014