
JPMorgan Chase security breach not what you think – military attack against key financial institutions could turn over keys to the kingdom.


Estonian military hackers?

How many times have you found interesting Russian (or Chinese) IP addresses in your IDS logs and, for grins, begun a simple reconnaissance on the target, probing, scanning, looking for a way in? Those who have targeted Russian addresses know the response to your attempts will be swift and brutal. Within minutes of your probes, your network will be saturated with a massive DDoS response that will quite effectively knock your network to its knees. It’s interesting to see your household network, cable TV, and phone system almost instantly lock up as the network struggles to handle the massive stream of packets the target has turned back on you. It’s an effective response which is really nothing more than a “slap on the wrist” for curious naughtiness.

When I see this sort of response during a probe I know the target is a professional. From the target’s end, they surely see your probes as an irritant, a disruption that they can easily squash while they move on to more important things – like pwning the networks of key United States financial institutions.

Although I’m disappointed that JPMorgan Chase delayed the disclosure of the breach that touched more than 83 million U.S. households (they knew about it at least four months ago), I’m even more upset at what they disclosed – that key customer financial data was *not* stolen. JPMorgan may tout the expertise of their security team, who stopped the attack before the hackers could get their mitts on customer accounts and passwords, but I see a pretty good indication that this was not what the attackers were after. At this point, there’s plenty of evidence that the attack was a government or military-sponsored endeavor, likely originating from Russia.

We know now that JPMorgan Chase, and the (approximately) 9-10 other financial institutions that were breached (expect details of these breaches to come out within the next few weeks), were infiltrated by the same group of overseas attackers, almost certainly from Russia. Given that U.S. financial institutions employ the tightest security measures of any industry, we can also surmise that the attacks utilized, at least in part, zero-day exploits that only foreign military organizations have the means to secure. And despite the American banks’ claims that the attack was for show, to prove it could be done, the data that was stolen provides strong evidence that the attacks were intended to map out and own the networks, and applications, of the vulnerable financial institutions for an extended period of time.

According to JPMorgan Chase, the attackers were embedded deep in their systems (and most likely had been inside those systems for quite some time), which means they could have taken anything they wanted. Rather than swiping customer financial information (e.g. credit card numbers, usernames, passwords, SSNs), they instead stole customers’ personal information (which could be used in further attacks, e.g. phishing) and, more importantly, key information about the applications in use throughout the financial institution’s infrastructure. Granted, they may have simply stumbled upon the system information and grabbed it while the opportunity presented itself, but I think it’s more likely that this is precisely what they were after.

The importance of owning a map of a company’s network and application infrastructure cannot be overstated. While passwords can easily be changed and additional security protections implemented in a single pass, applications cannot be swapped out quite so easily. In some instances, an enterprise application installation can take years just to implement, not including the time spent waiting for licenses to expire, planning for system migrations and conversions, etc. With the software architecture map in hand, an attacker can begin working out new zero-day exploits, which means that, despite being temporarily locked out by network protections, they effectively possess long-term ownership of the network for several years going forward.

It’s not difficult to recognize who would benefit most from long-term ownership of the networks of key American financial institutions. During wartime, there would be no better attack methodology than crushing an opponent’s financial institutions. Such actions would literally bring a country to its knees as citizens struggled to survive within an economic system that requires computerized financial systems to purchase even the most basic goods. And right now it looks like Russia holds the keys to the U.S. kingdom.