Hackers burrowed into the databanks of JPMorgan Chase & Co. and deftly dodged one of the world’s largest arrays of sophisticated detection systems for months.
The attack, an outline of which was provided by two people familiar with the firm’s investigation, started in June at the digital equivalent of JPMorgan’s front door, exploiting an overlooked flaw in one of the bank’s websites. From there, it quickly developed into any security team’s worst nightmare.
The hackers unleashed malicious programs that had been designed to penetrate the corporate network of JPMorgan -- the largest U.S. bank, which had vowed two months before the attack began to spend a quarter-billion dollars a year on cybersecurity. With sophisticated tools, the intruders reached deep into the bank’s infrastructure, silently siphoning off gigabytes of information, including customer-account data, until mid-August.
Only then did a JPMorgan team conducting a routine scan trigger an alarm. They discovered a breach, now being traced and evaluated, which investigators believe originated in Russia.
Evidence of advanced planning and the access to elaborate resources, as well as information provided by the FBI, led some members of the bank’s security team to tell outside consultants that they believed the hackers had been aided by the hidden hand of the Russian government, possibly as retribution for U.S.- imposed sanctions.
Whether the attacks prove to be opportunism by criminals seeking profit, or a state-encouraged effort to hit back at the U.S. and global financial system, the new details show a group operating with a precision of skill and technique uncommon in the almost constant computer attacks that big companies like JPMorgan experience.
The intruders used multiple zero-day strategies -- so named because they let hackers take control of target computers by previously unknown methods, giving programmers zero time to develop a patch -- and placed layers of custom malware into the network, according to the people familiar with the probe. To JPMorgan's security staff, that suggested something more than than ordinary cybercrime, these people said.
“These attackers have planned for this and they have committed the resources to this in order to defeat some of the strongest defenses and best defenders in the world,” said Jason Healey, director of the Cyber Statecraft Initiative at the Atlantic Council, a Washington policy group. The attack shows “what a truly dedicated team of attackers can accomplish when they set their minds and their money to it.”
JPMorgan becomes the latest victim in a rash of digital assaults, including the theft of 40 million payment-card numbers from Target Corp. and denial-of-service attacks against Bank of America Corp., PNC Financial Services Group Inc. and other lenders. Though the JPMorgan breach didn’t disrupt the broader financial system, it threatens to further erode public confidence in the digital economy.
Government officials and security experts have long warned of the possibility of cyber disruptions in the financial system and other essential services and utilities. Those concerns are heightened in times of conflict. Russia’s annexation of the Crimean peninsula touched off a wave of sanctions in March that have hurt trade and threaten to send President Vladimir Putin’s economy into recession. Tensions only mounted as the conflict expanded beyond Crimea and as the U.S. and Europe deepened their protests of Russia’s actions.
Dmitry Peskov, a spokesman for Putin, dismissed the notion that Russia was behind the JPMorgan hack. “This is nonsense,” he said in a telephone interview yesterday.
The Federal Bureau of Investigation and other agencies are working on the JPMorgan probe, and House Intelligence Committee Chairman Michael Rogers has been briefed on the bank attacks.
Patricia Wexler, a company spokeswoman, declined to comment on the details of the attack. New York-based JPMorgan said yesterday that it hadn’t seen unusual fraud levels. It’s bolstering its defenses against hacking, working with authorities to determine the scope of the assault and will contact any customers who might have been affected. It has not specified what information was taken.
The unfolding investigation is taking at least two tracks, according to interviews with several people involved. U.S. law enforcement officials are focused on the possibility that the JPMorgan attack is part of a coordinated campaign that has targeted at least five banks, said a U.S. official, who asked for anonymity to discuss a continuing investigation.
Law enforcement and spy agencies monitor the hackers’ own servers, so they are capable of seeing multiple victims even before the banks themselves. Spokesmen for several big banks, including Wells Fargo & Co., Bank of America and Citigroup Inc., said they haven’t seen any indications they’re victims of the same attack as JPMorgan while they continue to scour their networks. Banks based in Europe or Asia could be among the victims, the U.S. official said. It isn’t clear whether all the attacks were successful.
Meanwhile, JPMorgan has reinforced its large security team with a small army of outside experts. They are retracing the hackers’ steps inside the network and looking for clues to the ultimate location of the stolen data.
The bank already has one of the most well-funded security teams on Wall Street. Chief Executive Officer Jamie Dimon, 58, said in April that the firm expected to boost yearly spending on cybersecurity to about $250 million by the end of 2014, with 1,000 workers dedicated to the effort. By comparison, Google Inc. has more than 400.
In June, the hackers first breached JPMorgan’s network by using a previously unknown flaw in one of its public-facing websites and then pushed further into its computer network, the two people familiar with the investigation said, requesting anonymity because the probe is confidential.
If a Web application is set up properly, an attacker would need specific knowledge of the target’s network, like its firewalls and intrusion-detection systems, to go deeper into other parts the company, said Robert Hansen, a specialist in Web application security and vice president of the advanced technology group for WhiteHat Security Inc.
“That is the sign of an extremely advanced adversary, somebody who really, really wants to get every drip of data out of that system,” Hansen said. “It sounds like they were trying to settle in for the long haul.”
The hackers then managed to gain access to the bank’s data center, collecting credentials and other information that customers give the bank and that the bank gives customers through the Internet.
Retracing the hackers’ steps, investigators found layers of malicious software designed specifically to compromise unique parts of JPMorgan’s systems. That allowed the hackers to harvest data beyond just customer passwords and account information.
They extracted the data slowly, over days and months, evading security alarms designed to catch stolen data leaving the network.
The hackers routed the attacks through computers in several countries, including Brazil, a technique designed to hide their identity. Investigators have said that much of that traffic was then redirected to a large city in Russia, according to another person familiar with the probe.
As the investigation continued, bank officials grew alarmed at how deeply the hackers had penetrated the system on multiple levels, the people said. Against the backdrop of the hostilities in Ukraine and JPMorgan’s role in enforcing sanctions against Russian assets, bank officials worried that they had become the target of state retaliation, the people said.
Some outside consultants said that the hack bears the hallmark of advanced cybercrime without any government link. The connections between criminal groups and the government can make the distinction a hard one to draw, Russian security professionals said. In some cases, government and criminal hackers have been known to use the same tools and servers.
One lesson of the attack is that determined hackers can evade even highly skilled network defenders, said Amit Yoran, a senior vice president at RSA, a security company that suffered its own breach in 2011. Identifying state-sponsored activity is difficult because there have been cases where cybercriminals and nation-state hackers have orchestrated their attacks, he said.
“If this can happen to an organization like JPMC, with their security programs and practices, it’s an important sign that this could happen to just about any organization,” Yoran said. “The threat level is so sophisticated, whether you’re talking about nation-state adversaries or cybercriminals.”