The long game: How hackers spent months pulling bank data from JPMorgan
The electronic attack on JPMorgan Chase’s network, now under investigation by federal law enforcement, apparently spanned months, according to a report by Bloomberg News. Starting in June, hackers used several pieces of custom-crafted malware to infiltrate the bank’s infrastructure and slowly shipped chunks of bank transaction data out through computers in several countries before it was forwarded to Russia.
The attack, which went on for more than two months before being detected by JPMorgan in a security scan, bears the fingerprints of similar long-game attacks against corporate targets by cybercriminals from Eastern Europe, some of whom have developed capabilities more advanced than state-sponsored hackers. While the details obtained by Bloomberg’s Jordan Robertson and Michael Riley are sparse, the information provided by their sources is consistent with attacks on a number of European banks earlier this year.
While the FBI and National Security Agency are reportedly investigating whether the attack came from Russian state-sponsored hackers—or at least state-sanctioned ones—in retaliation for sanctions against Russia, making that connection will be difficult at best. It seems more likely, based on recent security reports, that the attacks were criminal in nature—but relied on tools and techniques that may have a mixed provenance, using methods honed in attacks on other banks and on government targets for financial gain.
Anatomy of a long-game hack
The JPMorgan attackers gained entry by exploiting a security flaw in one of the company’s websites. From there, they were able to penetrate the bank’s data center and gain access to systems with account data, Bloomberg reports, all the while using tools that indicated they had gained knowledge about the company’s internal systems.
Using custom-crafted malware, the hackers then moved laterally within JPMorgan’s data center to other systems and gained access to systems with data on customer banking transactions. Additional malware began transmitting some of this data back to a command and control network with servers in multiple countries, including Brazil. Those servers then relayed data back to a computer in “a large city in Russia,” according to a Bloomberg source.
Because of the multiple layers of the attack and the use of custom “zero-day” code in each of them, Bloomberg’s sources said that JPMorgan’s security team believed it was the target of “something more than ordinary cybercrime.” (Strictly, “zero-day” describes a vulnerability with no patch available; the sources appear to be using it loosely for malware that no signature-based scanner had seen before, which is why it evaded detection for so long.) But such sophisticated attacks have already become the hallmark of Eastern European electronic crime rings, which frequently use custom code developed specifically to stay under the radar of target companies for long periods. The recent attacks on Neiman Marcus, Target, and other retailers are examples of such long-game hacks that infiltrated corporate networks with malware designed specifically for their systems (in those cases, by attacking point-of-sale systems).
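The exfiltration pattern described above, small amounts of data shipped out on a schedule to relay servers abroad, is exactly what a periodic review of outbound connection logs can surface long before a “security scan” stumbles on the malware itself. The following is an added example, not code from the article or from JPMorgan’s security team: it parses constructed outbound-connection log lines (timestamp, internal source, external destination, bytes sent; the addresses are from the RFC 5737 documentation ranges, not real relays) and flags internal hosts that talk to one external address at a nearly fixed interval with modest payloads each time. The threshold values are assumptions chosen for the sample data.

```python
"""Flag low-and-slow, fixed-period exfiltration in outbound connection logs.

Added example; the log lines below are constructed, not real traffic.
"""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

# Constructed sample: 'ISO-8601 timestamp  src  dst  bytes_sent'.
# 10.20.5.17 -> 203.0.113.44 beacons every ~30 minutes with ~50 KB each time (the
# pattern we want to catch); the other pairs are irregular or one bulk copy.
SAMPLE_LOG = """\
2014-06-02T01:00:04Z 10.20.5.17 203.0.113.44 51200
2014-06-02T01:30:01Z 10.20.5.17 203.0.113.44 49152
2014-06-02T02:00:03Z 10.20.5.17 203.0.113.44 50176
2014-06-02T02:30:05Z 10.20.5.17 203.0.113.44 52224
2014-06-02T03:00:02Z 10.20.5.17 203.0.113.44 48128
2014-06-02T03:30:04Z 10.20.5.17 203.0.113.44 51200
2014-06-02T01:07:41Z 10.20.5.17 198.51.100.9 1320
2014-06-02T01:52:13Z 10.20.5.17 198.51.100.9 88000
2014-06-02T03:11:59Z 10.20.5.17 198.51.100.9 470
2014-06-02T01:12:00Z 10.20.7.3 192.0.2.10 2048
2014-06-02T02:40:00Z 10.20.7.3 192.0.2.10 9000000
"""


def parse_log(text):
    """Parse 'timestamp src dst bytes' lines into (src, dst, epoch_seconds, bytes) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, nbytes = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        records.append((src, dst, int(when.timestamp()), int(nbytes)))
    return records


def pair_stats(records):
    """Per (src, dst) pair: connection count, bytes, time span, and regularity of the gaps."""
    by_pair = defaultdict(list)
    for src, dst, t, n in records:
        by_pair[(src, dst)].append((t, n))
    stats = {}
    for pair, events in by_pair.items():
        events.sort()
        times = [t for t, _ in events]
        gaps = [b - a for a, b in zip(times, times[1:])]
        # Coefficient of variation of the inter-arrival gaps: close to 0 means a
        # fixed-period beacon, which human-driven traffic almost never produces.
        cv = (pstdev(gaps) / mean(gaps)) if len(gaps) >= 2 and mean(gaps) > 0 else None
        stats[pair] = {
            "connections": len(events),
            "total_bytes": sum(n for _, n in events),
            "span_seconds": times[-1] - times[0],
            "gap_cv": cv,
        }
    return stats


def flag_low_and_slow(records, min_connections=5, max_gap_cv=0.1, max_bytes_per_conn=1 << 20):
    """Return (pair, stats) for pairs whose regular, modest transfers look like scheduled exfil.

    Thresholds are assumptions for this sample: at least five connections, gap CV of
    0.1 or less, and under 1 MiB per connection (a single bulk copy is a different
    detector's job).
    """
    flagged = []
    for pair, s in pair_stats(records).items():
        if s["connections"] < min_connections or s["gap_cv"] is None:
            continue
        avg_bytes = s["total_bytes"] / s["connections"]
        if s["gap_cv"] <= max_gap_cv and avg_bytes <= max_bytes_per_conn:
            flagged.append((pair, s))
    return flagged


if __name__ == "__main__":
    for (src, dst), s in flag_low_and_slow(parse_log(SAMPLE_LOG)):
        print(f"{src} -> {dst}: {s['connections']} conns, {s['total_bytes']} bytes, "
              f"over {s['span_seconds']} s, gap CV {s['gap_cv']:.4f}")
```

This only catches beacons with a fixed period; malware that jitters its schedule needs other features (total bytes per external destination over a multi-week window, destinations never seen before from that host, traffic outside business hours), which is part of why an intrusion like the one described here can run for two months before anything trips.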
The sophistication of these criminal attacks is in some cases superior to hacks undertaken by state-financed hackers. In a discussion with Ars last year, Trend Micro Chief Technology Officer Raimund Genes said that the alleged Chinese government-sponsored attacks on The New York Times and other media outlets had, in his view, been uncovered largely because they lacked the finesse found in Eastern European cybercrime rings.
Russian Internet crime rings have for some time been accused of acting as a sort of “cyber-militia” for the Russian government, coordinated loosely through indirect ties to Russian law enforcement, intelligence, and military organizations. There may also be some cross-pollination between the Russian government and criminal hacking communities; researchers at security software provider SentinelOne’s Sentinel Labs in July found “intelligence agency grade” carrier malware designed to target government agencies being used by Russian cybercriminals to deliver crimeware to targets.
In April, JPMorgan Chase CEO Jamie Dimon told reporters on an earnings call that while the bank’s Web servers were not vulnerable to Heartbleed, the memory-disclosure bug in OpenSSL’s TLS heartbeat extension, JPMorgan was bracing for continuous threats of that kind. “This is going to be non-stop,” he said. In a letter to shareholders that same month, Dimon said that the company was increasing its investment in network security.
“By the end of 2014, we will have spent more than $250 million annually with approximately 1,000 people focused on the effort,” Dimon wrote. “This effort will continue to grow exponentially over the years. We’re making good progress on these and other efforts, but cyberattacks are growing every day in strength and velocity across the globe.”
Dimon admitted that there was no end in sight to the threat from determined, well-financed attackers. “It is going to be a continual and likely never-ending battle to stay ahead of it—and, unfortunately, not every battle will be won,” he wrote. It would seem that Dimon’s prediction was prescient.