Did stealing small business data motivate JPMorgan hackers?
By Byron Acohido, ThirdCertainty
President Obama can only guess at the motives of the elite hacking ring that spent much of this summer probing for routes to hack into at least five major U.S. financial institutions – before hitting the jackpot with JPMorgan Chase.
We now know, thanks to deep reporting by The New York Times, that one of the same web addresses used to crack into JPMorgan turned up in attempts to breach Citigroup, E*Trade Financial, HSBC and ADP.
That said, authorities have been unable to identify the hackers, nor will they say whether greed or political ideology motivated the attacks, according to the Times’ story.
Based on what has been disclosed about these attacks, political motivation seems less likely than high-scale thievery, according to a consensus of several security experts interviewed by ThirdCertainty.
For one thing, the sheer volume of data pilfered over a period of several weeks—contact information for 76 million households and 7 million small businesses—suggests the hackers used multiple sources of extraction.
“Hackers don’t use large pipes, though they may be using multiple sources of attack,” observes Pierluigi Stella, CTO of Network Box USA. “To transfer that much data takes time—a lot of time.”
Chris Coleman, CEO of Lookingglass Cyber Solutions, said he “leans towards a sophisticated criminal organization over a nation-state” as the culprits. But Coleman quickly adds, “We need to realize that these entities can coexist, and that there is nothing preventing them [from] sharing potential access. Therefore, attribution is speculative.”
Nothing we know about this hacking ring suggests they might be copycats of the Izz ad-Din al-Qassam Cyber Fighters, the Iranian hacking collective behind waves of denial-of-service attacks that bedeviled all of the major U.S. banks from late 2012 through mid-2013.
“It’s not likely this is tied to another anti-U.S. plot, since anyone with access to an internal system wanting to do more harm would have leveraged that access to plant logic bombs and malware,” says Ron Gula, CEO, Tenable Network Security.
Small businesses exposed
So what do the thieves have in mind for all those bank customers? JPMorgan emphasized that only customer names and some email addresses were stolen. However, the big payday could come when criminals use the stolen information to fuel coordinated hacks of JPMorgan patrons.
JPMorgan’s 7 million small business patrons are of acute concern. That’s because we’ve created a vast new tier of criminal opportunities by pushing the global supply chain into the Internet cloud.
The hackers behind the Target breach phished their way onto the computer of an HVAC system contractor and then used that infected small business PC as a foothold to get deep into Target’s POS network, where troves of customer transaction data moved in unencrypted form.
“When smaller businesses are breached, there is naturally a negative trickling effect to the entire global supply chain network,” says Joshua Douglas, CTO at Raytheon Cyber Products. “The easiest place to target a cyberattack is at the weakest link in the global supply chain, which can be at smaller business enterprises.”
The small business account information sucked from JPMorgan represented one tenth of the gang’s take, observes Coleman, Lookingglass’ CEO.
“Whether this was an intentional target or whether this was just part of the overall take is difficult to say,” Coleman says. “What we do know is that many small businesses are very challenged in protecting their digital infrastructure. So if I was a bad guy, I would use this information for the prioritization and targeting of small businesses to maximize my return.”
Kurt Baumgartner, Kaspersky Lab principal security researcher, believes much of the stolen data will end up being deployed as part of “traditional, boring, phishing.”
“The real risk here is the mass mailed social engineering masterpieces from financially motivated cybercriminals using company letterhead, instructing the user to update their password or personal data and providing links to click,” Baumgartner says.