Feds probing possible hacking incident at JP Morgan Chase

On Wednesday, Bloomberg reported that the FBI, the US Secret Service, and even the NSA are investigating an incident alleged to have occurred in mid-August on JPMorgan Chase’s (JPMC) network.

According to the news agency, Russian hackers breached the bank’s defenses and compromised gigabytes of data, but exact nature of that data remains unknown. However, Bloomberg reported that one of their anonymous sources said that the attackers “grabbed sensitive data from the files of bank employees, including executives.”

Bloomberg’s sources are individuals familiar with the probe, but all of them declined to be named for the record. They said that the attackers targeted a zero-day vulnerability in one of the applications used on JPMorgan Chase’s websites.

“They then plowed through layers of elaborate security to steal the data, a feat security experts said appeared far beyond the capability of ordinary criminal hackers,” one source said.

Investigators are looking for links between the JPMorgan Chase attack and a similar attack that impacted one other unnamed financial institution, with recent compromises at European financial firms that leveraged the same application vulnerability. When asked, investigators would not discuss the nature of the vulnerability or the software it impacted.

The New York Times reported that up to four banks may have been breached, likely by the same group, but their sources were also anonymous people familiar with the investigation.

There’s speculation that the attacks are reactionary, based on the sanctions placed on Russia due to their actions in Ukraine.

“Russia has a policy of reactionary attacks in relation to political contexts,” iSight’s John Hultquist told Bloomberg.

From the Bloomberg report:

"The sophistication of the attack and technical indicators extracted from the banks’ computers provide some evidence of a government link. Still, the trail is muddy enough that investigators are considering the possibility that it’s cyber criminals from Russia or elsewhere in Eastern Europe. Other federal agencies, including the National Security Agency, are now aiding the investigation, a third person familiar with the probe said."

Word of the data breach comes shortly after JPMorgan Chase customers were targeted by a wave of Phishing emails gunning for their usernames and passwords.

The campaign, discovered by researchers at Proofpoint, leads victims to a fake login portal, which delivers banking malware in the form of a Java update after a username and password are entered into the form.

“What’s notable is that this is one of the first times we’ve seen an attacker include exploit code on a credential phishing page. Usually we see attackers use a Traffic Distribution System (TDS) to direct traffic to either a phishing site OR a exploit site, but not both,” Proofpoint’s blog on the attack explained.

In a statement, JPMorgan Chase, speaking about the alleged Russian hackers, noted that organizations of their size experience attacks each day, and they use “multiple layers of defense to counteract any threats and constantly monitor fraud levels.”

However, layered defenses will only go so far. Seculert’s CTO and Chief Researcher, Aviv Raff, commented that nothing will prevent an attack 100 percent of the time.

“Much like the Target breach, where over 11 gigabytes of private data was stolen, the JPMorgan breach shows again that there is no way to 100% prevent an attack. It’s up to the enterprise to use the best tools to detect the compromised devices as soon as possible, before the data is stolen and the incident becomes a breach,” Raff said.