An FBI investigation into a breach at J.P. Morgan Chase & Co. is reportedly probing similar attacks at as many as four other U.S. banks and may have Russian or Eastern European ties.
The FBI confirmed on Wednesday that it is determining the scope of the attacks against several American financial institutions. Citing several people close to the investigation, The Wall Street Journal reported that hackers appear to have originally breached J.P. Morgan's network via an employee's personal computer. The sources also cautioned that it is too early to tell who was behind the attacks.
Early reports about the extent of the attacks and the hacking techniques lack enough detail to glean any insight into the motivation of the attackers, said solution providers. Some experts point to the Russian government because the attacks coincide with eroding relations between Washington and Moscow over the situation in Ukraine. But security experts at solution providers said financially motivated cybercrime, which is deeply rooted in Eastern Europe and Russia, is the more likely culprit.
Determined attackers will find a way in no matter how many security layers are in place, said Rick Doten, chief information security officer at Digital Management, a Bethesda, Md.-based solution provider. Investigators will likely be looking at the techniques used and the sophistication of the malware, Doten said.
"This says something about the big picture because the financial industry is considered, by far, to have the best protections in place," Doten said. "If they are getting hit, what does that tell you about the state of everyone else's security?"
The financial services sector is the most prepared to combat targeted cyberattacks and is spending heavily on security, disproportionately to other industries, said Rick Dakin, CEO, co-founder, and chief security strategist at New York-based security consultancy and risk assessment firm Coalfire. Dakin said the industry has a strong information-sharing element, but more needs to be done to enable banks to share threat information with federal authorities without fear of penalties from regulators.
"[Financial services] are actually innovators not only on the security side, but also on the fraud side of the equation," Dakin said. "They are integrating their business intelligence with their security intelligence far more than anybody else."
The U.S. Department of Homeland Security is sharing threat information with key managed service providers under a program designed to bolster communication about threats so protection measures can be put in place. The U.S. financial sector is considered a critical infrastructure, and DHS, the U.S. Secret Service and the FBI are increasingly involved in probing attacks on often complicated and interconnected networks. The goal is to thwart and contain attacks quickly before they could harm the stability of the stock market and the nation's economy, said security experts.
The DHS also is developing sectorwide risk assessments in partnership with the private sector as part of implementation plans established by the National Institute of Standards and Technology. NIST issued its Cybersecurity Framework earlier this year to get private sector firms to meet a set of minimum security standards.
Federal authorities and private sector security firms claimed victory in June when they took down the notorious Gameover Zeus botnet, which had been a serious threat to the banking industry. Gameover Zeus also was used by the cybercriminals behind the CryptoLocker ransomware attacks that struck many businesses, and CryptoLocker also was disabled. Both threats have since re-emerged in different forms.
A survey of security professionals at critical infrastructure facilities found insider mistakes and other serious security lapses exposing data and critical systems to attackers. The focus at many organizations, including some financial sector firms, is on minimizing downtime rather than on security, the study found. The study, conducted by the Ponemon Institute, also found that organizations are not vetting, or are only partially vetting, contractors, vendors and other third parties to make sure they have high security standards.
PUBLISHED AUG. 28, 2014