JPMorgan Chase & Co.’s own investigators have found clues that a global network of computers available for hire by sophisticated criminals was used to reroute data stolen from the bank to a major Russian city, according to people familiar with the probe.
Like street magicians using sleight of hand, the hackers tapped computers from Latin America to Asia to send commands and obscure their identity while ferrying malicious traffic past one of the most heavily guarded networks on Wall Street.
Graphic: Data Breaches in the U.S.
Bank investigators working nearly around the clock have identified what they believe to be the assault’s staging ground, called a “bulletproof” hosting platform because of its resilience to other attackers and to law enforcement, according to one of the people, who requested anonymity because of the continuing investigation. The constellation of computers was used in previous hacking attacks and is now being tapped by professional cybercriminals operating out of Eastern Europe to target banks.
The bank’s investigators are only part of a larger group in the U.S., including the Federal Bureau of Investigation and the National Security Agency, trying to trace the origin of the computer assault. The success of the attack on JPMorgan, of another this week on Home Depot Inc., and even of the theft of nude photos from celebrities’ online Apple Inc. accounts highlights how hard it is to defend against increasingly sophisticated criminals.
Cybercrime operations similar to the one identified by JPMorgan investigators, notably a now-defunct one known as the Russian Business Network, have been run by powerful figures and protected by Russian authorities, said James Lewis, a senior fellow at the Center for Strategic and International Studies in Washington.
“It’s like the mafia,” Lewis said. “If this is RBN version 2.0 or even 3.0, then the U.S. government will be very concerned because it’s been a real pest before.”
The use of a Russian-based data center is another piece of a puzzle being constructed by investigators as they chase answers to urgent questions such as the attack’s motive, the hackers’ identity, and the possibility other banks may have been attacked or probed by the same group.
The people familiar with JPMorgan’s investigation said the cybercriminals operating the global network had also aimed at other banks’ systems, though they may not have been hacked.
No evidence has surfaced that any other major U.S. bank was breached by this group. The Financial Services Information Sharing and Analysis Center, which monitors cyber threats to financial institutions, informed members on August 28 that there were no signs of a sophisticated and coordinated attack on banks, and the organization’s threat level for the banks remains unchanged.
Patricia Wexler, a spokeswoman for JPMorgan, said that fraud levels at the bank were not elevated and declined to comment further on the investigation. J. Peter Donald, a spokesman for the FBI in New York City, said the agency had no comment about the investigation or whether other banks had been targeted or breached.
JPMorgan has hired a number of cybersleuths, including some well-known for tracking hackers through the murky world of global cybercrime. Not all of them agree with the assessment about the Russian criminal data center and note that the search will continue for months and is likely to take twists and turns.
JPMorgan’s security team continues to investigate the possibility that the hackers may have been aided or at least condoned by the Russian government, possibly as retaliation for U.S.-imposed sanctions, said a second person involved in the probe.
Others trying to piece together what happened, including outside specialists hired by the bank, say they have seen nothing to suggest the Russian government directed or aided the JPMorgan attack. Instead, they said that the hackers may have been opportunistic, expecting to be shielded because of the tensions between Russia and the U.S.
Some investigators speculated the cybercriminals were hired by the Russian government in the past and may have used malware and other tactics also shared with Russian government agents.
“The working theory is that there’s a relationship with this organized-crime group linked to other state-sponsored targeted attacks, possibly including Russia,” said Darien Kindlund, director of threat research for FireEye, which is aiding in the investigation. “We aren’t ruling out the possibility that there may be tools or infrastructure tying these attacks to other state-sponsored activity.”
Though it has been weeks since the attack was discovered, the 1,000-member JPMorgan security team and a small army of outside consultants are still trying to determine whether the hackers have been ejected from the network and what damage may have been done to the bank’s infrastructure. The task is complicated because the attack was tailored to take advantage of weaknesses in JPMorgan’s network that only the criminals had identified, according to those familiar with the investigation.
The entry point was a vulnerable Web application and a Linux server behind it, according to the second person familiar with the probe. Many banks don’t monitor those servers as aggressively as other parts of their networks, and the JPMorgan attackers were able to use that server as a jumping-off point, siphoning off gigabytes of data, including customer-account information, without setting off alarms. A routine scan later caught the intrusion. The bank is still trying to determine what was taken, a process that could take weeks or months, the person said.
A third person who has worked closely with the bank’s security operation said bank officials are concerned not only with what data was taken but with what could have been left in the network, such as an implant to disrupt the system.
JPMorgan was singled out in April for criticism by Russian officials when it blocked a payment from a Russian embassy to the affiliate of a U.S.-sanctioned bank. Russia’s foreign ministry called the move by JPMorgan “illegal and absurd.”
The JPMorgan attack may have been designed to send a message, said Keith Alexander, who was director of the NSA from 2005 until last March and started a cybersecurity company to sell services to U.S. banks.
If the incursion was backed by the Russian government in retaliation for sanctions imposed by the U.S. and European Union over the crisis in Ukraine, then they just said “You’re vulnerable,” Alexander said in an interview.
Dmitry Peskov, a spokesman for Russian President Vladimir Putin, dismissed the notion that Russia was behind the JPMorgan hack. “This is nonsense,” he said in a telephone interview.
The infrastructure deployed against the bank includes a network of servers in Brazil and other countries that are typically commandeered without their legitimate owners’ knowledge through hacking or fraud -- a time-consuming process. Known as hop points, those servers bounce the stolen data to other computers, making it harder for the bank’s monitoring systems to detect a pattern as data is slowly extracted. It is also difficult for investigators to trace the destination of stolen files once the breach is discovered.
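The evasion described above, small transfers bounced through many hop points so that no single flow stands out, is exactly what a per-flow volume threshold misses and a per-host aggregation catches. The script below is an added example, not code from the article or from JPMorgan’s investigators; it runs over constructed outbound flow records (the hostnames, addresses, sizes and timestamps are invented) and flags a server that, in many small pieces, has pushed far more data to far more distinct destinations in a day than any single transfer would suggest. It also carries an optional list of hosts that should never originate bulk outbound traffic, which is one way to give the lightly monitored Web-application servers mentioned earlier a tighter budget than an egress proxy.

```python
"""Added example: flagging low-and-slow exfiltration spread across hop points.

Not from the article or from JPMorgan. All records below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

MIB = 1024 * 1024

# Constructed record format: "<ISO-8601 UTC> src=<host> dst=<ip> bytes_out=<n>"
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) bytes_out=(?P<bytes>\d+)$"
)


def parse_flow(line):
    """Parse one flow record into a dict; reject anything that does not match."""
    m = FLOW_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable flow record: {line!r}")
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "src": m["src"], "dst": m["dst"], "bytes": int(m["bytes"])}


def _build_sample_log():
    """Constructed flows (hypothetical hosts and TEST-NET addresses, not real data).

    web-app-01 sends 8 MiB once an hour for 20 hours, each time to a different
    hop point. proxy-01 makes two legitimate 30 MiB uploads in the same day.
    """
    base = datetime(2014, 8, 1, 0, 15, tzinfo=timezone.utc)
    lines = []
    for i in range(20):
        ts = base + timedelta(hours=i)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} src=web-app-01 "
                     f"dst=198.51.100.{i + 10} bytes_out={8 * MIB}")
    for i, dst in enumerate(("203.0.113.5", "203.0.113.6")):
        ts = base + timedelta(hours=3 * i + 1)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} src=proxy-01 dst={dst} bytes_out={30 * MIB}")
    return lines


SAMPLE_LOG = _build_sample_log()


def per_flow_alerts(flows, threshold=50 * MIB):
    """Naive rule: alert on any single flow above `threshold`. Misses slow exfil."""
    return [f for f in flows if f["bytes"] > threshold]


def aggregate_alerts(flows, window=timedelta(hours=24), total_threshold=100 * MIB,
                     min_destinations=5, inbound_only=frozenset(),
                     inbound_only_threshold=1 * MIB):
    """Alert per source host on total bytes out and distinct destinations in a window.

    Hosts named in `inbound_only` (servers with no business need to push data out)
    alert at `inbound_only_threshold` regardless of how many destinations they used.
    Returns {src: {"bytes", "destinations", "window_start"}} for the worst window.
    """
    by_src = defaultdict(list)
    for f in sorted(flows, key=lambda f: f["ts"]):
        by_src[f["src"]].append(f)

    alerts = {}
    for src, recs in by_src.items():
        if src in inbound_only:
            thr, min_dsts = inbound_only_threshold, 1
        else:
            thr, min_dsts = total_threshold, min_destinations
        # Slide a window starting at each flow; O(n^2) per host is fine for an example.
        for i, start in enumerate(recs):
            end = start["ts"] + window
            in_window = [r for r in recs[i:] if r["ts"] < end]
            total = sum(r["bytes"] for r in in_window)
            dsts = {r["dst"] for r in in_window}
            if total > thr and len(dsts) >= min_dsts:
                prev = alerts.get(src)
                if prev is None or total > prev["bytes"]:
                    alerts[src] = {"bytes": total, "destinations": len(dsts),
                                   "window_start": start["ts"]}
    return alerts


if __name__ == "__main__":
    flows = [parse_flow(line) for line in SAMPLE_LOG]
    print("per-flow alerts:", per_flow_alerts(flows))
    for src, a in aggregate_alerts(flows, inbound_only={"web-app-01"}).items():
        print(f"{src}: {a['bytes'] // MIB} MiB to {a['destinations']} destinations "
              f"from {a['window_start']:%Y-%m-%dT%H:%M:%SZ}")
```

With the constructed records the per-flow rule returns nothing, since no single transfer exceeds 50 MiB, while the aggregate rule flags web-app-01 at 160 MiB to 20 destinations and leaves proxy-01 alone. The two design choices that matter are aggregating by source over a window rather than judging flows one at a time, and keeping an inventory of servers that should never originate bulk outbound traffic so that their budget can be set near zero.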
Using sophisticated digital forensics techniques, some of the bank’s own investigators managed to pierce the veil, said the first person familiar with the probe. The link to Russia could provide a road map for investigators, but it also could mask the hackers’ true identity. That is because the infrastructure could have been used by a variety of criminals.
It may be impossible to ultimately determine whether the JPMorgan hackers were aided or encouraged by the Russian government. Still, Russia has tightly monitored the Internet, surpassing even China, Lewis said, suggesting some complicity by Russian authorities.
“All the Internet traffic in the country flows through FSB servers,” said Lewis, referring to Russia’s Federal Security Service, the principal security agency of the Russian Federation.
“It’s just impossible for something this big and prolonged to occur without the Russian government knowing,” he said. “Did the Russian government know this was going on? Yes. Did they direct it? We don’t know.”