Did stealing small business data motivate JPMorgan hackers?

President Obama can only guess at the motives of the elite hacking ring that spent much of this summer probing for ways to hack into at least five major U.S. financial institutions before hitting the jackpot with JPMorgan Chase.

We now know, thanks to deep reporting by The New York Times, that one of the same web addresses used to crack into JPMorgan turned up in attempts to breach Citigroup, E*Trade Financial, HSBC and ADP.

That said, authorities have been unable to identify the hackers, nor will they say whether greed or political ideology motivated the attacks, according to the Times’ story.

Based on what has been disclosed about these attacks, political motivation seems less likely than high-scale thievery, according to a consensus of several security experts interviewed by ThirdCertainty.

For one thing, the sheer volume of data pilfered over a period of several weeks (contact information for 76 million households and 7 million small businesses) suggests the hackers used multiple sources of extraction.

“Hackers don’t use large pipes, though they may be using multiple sources of attack,” observes Pierluigi Stella, CTO of Network Box USA. “To transfer that much data takes time, a lot of time.”

Chris Coleman, CEO of Lookingglass Cyber Solutions, said he “leans towards a sophisticated criminal organization over a nation-state” as the culprits. But Coleman quickly adds, “We need to realize that these entities can coexist, and that there is nothing preventing them [from] sharing potential access. Therefore, attribution is speculative.”

Nothing we know about this hacking ring suggests they might be copycats of the Izz ad-Din al-Qassam Cyber Fighters, the Iranian hacking collective behind the waves of distributed denial-of-service (DDoS) attacks that bedeviled all of the major U.S. banks from late 2012 through mid-2013.

“It’s not likely this is tied to another anti-U.S. plot, since anyone with access to an internal system wanting to do more harm would have leveraged that access to plant logic bombs and malware,” says Ron Gula, CEO of Tenable Network Security.

Small businesses exposed

So what do the thieves have in mind for all those bank customers? JPMorgan emphasized that only customer names and some email addresses were stolen. However, the big payday could come when criminals use the stolen information to fuel coordinated hacks of JPMorgan patrons.

JPMorgan’s 7 million small business patrons are of acute concern. That’s because we’ve created a vast new tier of criminal opportunities by pushing the global supply chain into the Internet cloud.

The hackers behind the Target breach phished their way onto the computer of an HVAC system contractor and then used that infected small business PC as a foothold to get deep into Target’s POS network, where troves of customer transaction data moved in unencrypted form.

“When smaller businesses are breached, there is naturally a negative trickling effect to the entire global supply chain network,” says Joshua Douglas, CTO at Raytheon Cyber Products. “The easiest place to target a cyberattack is at the weakest link in the global supply chain, which can be at smaller business enterprises.”

The small business account information sucked from JPMorgan represented one-tenth of the gang’s take, observes Coleman, Lookingglass’ CEO.

“Whether this was an intentional target or whether this was just part of the overall take is difficult to say,” Coleman says. “What we do know is that many small businesses are very challenged in protecting their digital infrastructure. So if I was a bad guy, I would use this information for the prioritization and targeting of small businesses to maximize my return.”

Kurt Baumgartner, Kaspersky Lab principal security researcher, believes much of the stolen data will end up being deployed as part of “traditional, boring, phishing.”

“The real risk here is the mass-mailed social engineering masterpieces from financially motivated cybercriminals using company letterhead, instructing the user to update their password or personal data and providing links to click,” Baumgartner says.
