Bloomberg reports that JPMorgan Chase and at least one other bank were breached in mid-August 2014 by Russian hackers who stole gigabytes of sensitive data, including savings and checking account information as well as information on bank employees.
The FBI is investigating whether the attacks may have been launched in retaliation for U.S. government sanctions -- Bloomberg notes that in April 2014, JPMorgan blocked a Russian embassy's payment to the affiliate of a U.S.-sanctioned bank, an action that Russia's foreign ministry described at the time as "illegal and absurd."
"Russia has a policy of reactionary attacks in relation to political contexts," iSight Partners manager John Hultquist told Bloomberg. "When it comes to countries outside their sphere of influence, those attacks would be more surreptitious."
Still, the New York Times, which says a total of at least five banks were hit, says it's not clear at this point whether the hackers were motivated by financial profit or cyber espionage. Security experts told the Times that the fact that the attacks seemed to be aimed at stealing account information rather than disrupting service indicates that they were likely not state-sponsored.https://o1.qnsr.com/log/p.gif?;n=203;c=204660766;s=9477;x=7936;f=201812281312070;u=j;z=TIMESTAMP;a=20392931;e=i
Bob Stratton, general partner at MACH37, told eSecurity Planet by email that it's too early to jump to conclusions about who might have been responsible for the breach. "The trickiest part of defending networks in the modern age is determining the actual, rather than the apparent, source of an attack," he said. "It will take time to forensically sort this out. While undoubtedly frustrating to those trying to cover the story in the present moment, network attacks, like airplane crashes, can take a while for proper investigation and attribution."
"Companies of our size unfortunately experience cyber attacks nearly every day," JPMorgan spokesperson Patricia Wexler told the Times. "We have multiple layers of defense to counteract any threats and constantly monitor fraud levels."
Adam Kujawa, head of malware intelligence at Malwarebytes Labs, told eSecurity Planet by email that various sources are saying that the breach was accomplished either via a zero day exploit used against an Internet-facing system, or via the exploitation of an unsecured employee to access JPMorgan's secured network through a virtual private network. "Either way, these are two of the biggest issues that organizations, be it corporate or government, face today when it comes to cyber security," he said.
"At the end of the day, serious attackers, not just cyber punks who try to steal credit card information, will go to great lengths and spend immense amounts of money in order to reach their target, employing not only lessons learned from online criminals over the last 20 years but also decades worth of espionage and social engineering tactics," Kujawa added. "The best defense against these attackers is to fortify cyber defenses on every front, the education and access control of any users and finally an awareness and preparedness for any and all attacks that might be encountered."
Triumfant CEO John Prisco said by email that very few enterprises are sufficiently equipped to defend themselves against any and all cyber attacks. "In fact, I would say that more than 90 percent of all organizations are completely vulnerable; they simply do not have the tools or the staff to deal with this kind of attack," he said.
"We can all expect to see many more breaches of this nature, and we can expect that it will continue to happen until people come to the realization that they need stronger defenses than anti-virus alone," Prisco added.
RedSeal Networks CTO Mike Lloyd said organizations also need to 'war-game' on an ongoing basis to make sure new vulnerabilities aren't missed. "The next stage in the arms race, for both attackers and defenders, is automation -- not just searching for gaps, but figuring out the consequences of those gaps, in much the same way that generals study a battlefield before the battle starts," he said.
eSecurity Planet recently offered a list of five do's and don'ts for organizations to consider following a data breach.