The gambit used to breach JPMorgan Chase in an attack affecting 76 million households may have also affected 13 other financial institutions.
Bloomberg, citing a person familiar with the matter, said that evidence has surfaced linking the same hackers to probes at Citigroup, HSBC, E*Trade Financial, Regions Financial Corp. (RF) and the payroll firm ADP, among others. The extent of the damage, if any, is unclear, but researchers noted that the pattern offers clues that can help security professionals better model attacker behavior.
“Crime and defense in the online world are both about coordination,” said Mike Lloyd, CTO at RedSeal Networks. “As the recent broadside of attacks across multiple financial companies shows, attackers find one weapon, then quickly re-use it, target after target, looking for anyone who has left that specific defensive gap. This forces defenders to coordinate – both externally, sharing information between erstwhile competitors, and even internally, since any weakness anywhere in the organization can be found and exploited in minutes.”
“It’s frankly not surprising,” said Michele Borovac, vice president at HyTrust, who noted in an email that companies need new strategies to control, authorize and contain the breadth of what a privileged insider can do.
“These breaches continue to show similarities to those experienced by Target and Home Depot: hackers gain access to privileged administrator accounts and then can continue on as ‘authorized’ users, allowing them to bypass traditional detection systems and gain unfettered access to data,” she said.
Sophisticated, targeted attacks like these take time and, more importantly, resources. To get the big payoff, criminals need to conduct extensive research to find the gaps in a target's network security. That includes identifying individuals within the organization who can be groomed, or who can be compromised with a one-off, customized social engineering approach, so that the employee gives up credentials or unwittingly lets in backdoor malware.
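The pattern Borovac describes, a stolen privileged account used as if it were legitimate, is hard to catch with signature-based controls, but it does leave behavioral traces. The following is an added example, not code from the article or from any of the vendors quoted: it builds a per-account baseline of source hosts from a constructed set of authentication log lines (the log format, account names, addresses and business-hours window are all assumptions) and flags privileged logins from a host the account has never used, or outside working hours.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Optional

# Constructed sample auth log lines (not from the article); the format is hypothetical.
BASELINE_LOGS = """\
2014-09-01T09:12:03 user=admin_dba src=10.10.5.21 result=success
2014-09-02T10:45:17 user=admin_dba src=10.10.5.21 result=success
2014-09-03T14:02:55 user=admin_net src=10.10.7.8 result=success
2014-09-04T11:30:00 user=admin_dba src=10.10.5.22 result=success
"""

# Constructed lines for the period under review.
REVIEW_LOGS = """\
2014-09-15T10:05:41 user=admin_dba src=10.10.5.21 result=success
2014-09-15T02:17:09 user=admin_dba src=192.168.44.3 result=success
2014-09-15T15:40:12 user=admin_net src=10.10.7.8 result=success
2014-09-16T03:22:30 user=admin_net src=10.10.7.8 result=success
2014-09-16T12:00:00 user=jdoe src=10.10.9.1 result=success
"""

# Assumed list of privileged accounts and an assumed 07:00-19:59 working window.
PRIVILEGED_ACCOUNTS = {"admin_dba", "admin_net"}
BUSINESS_HOURS = range(7, 20)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse(log_text: str) -> list:
    """Parse the hypothetical log format into dicts; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.fromisoformat(d["ts"])
        events.append(d)
    return events


def build_baseline(events: list) -> dict:
    """Map each privileged account to the set of source hosts it normally logs in from."""
    seen = defaultdict(set)
    for e in events:
        if e["user"] in PRIVILEGED_ACCOUNTS and e["result"] == "success":
            seen[e["user"]].add(e["src"])
    return seen


def detect(events: list, baseline: dict) -> list:
    """Return (timestamp, user, src, reasons) for privileged logins that break the baseline."""
    alerts = []
    for e in events:
        if e["user"] not in PRIVILEGED_ACCOUNTS or e["result"] != "success":
            continue
        reasons = []
        if e["src"] not in baseline.get(e["user"], set()):
            reasons.append("new source host")
        if e["ts"].hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        if reasons:
            alerts.append((e["ts"].isoformat(), e["user"], e["src"], ", ".join(reasons)))
    return alerts


def run() -> list:
    """Build the baseline from the first log set and review the second against it."""
    baseline = build_baseline(parse(BASELINE_LOGS))
    return detect(parse(REVIEW_LOGS), baseline)


if __name__ == "__main__":
    for alert in run():
        print(*alert)
```

On the constructed input this yields two alerts: the `admin_dba` login from `192.168.44.3` at 02:17 (new host and out of hours) and the `admin_net` login at 03:22 (known host, out of hours). The non-privileged `jdoe` login is ignored; the point is that a "valid" credential is not the same as normal use of it, and a baseline of where and when each privileged account is used gives the detection system something to compare against.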
“This confronts customers with a catch-22 situation in which the IT department has to be agile and quickly respond to demands of the changing business landscape, but at the same time maintain airtight network security in a growingly complex IT infrastructure,” said Martin Walter, senior director at RedSeal, in a note. “Network segmentation seems to be the holy grail of the industry to counter the majority of these sophisticated attacks. Though, segmenting these networks effectively remains a dream, without automated systems that support the design of a segmented network and proper access policy validation.”
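Walter's point is that segmentation is only as good as the validation of the access policy behind it: a single firewall rule that quietly allows a wider source range or an extra port undoes the design. The following added example, not code from RedSeal or from the article, sketches what such automated policy validation looks like. The segment map, the intended allow-list and the sample rules are all constructed assumptions; the checker reports every allow rule that permits traffic the policy does not.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed segment map (assumption, not from the article).
SEGMENTS = {
    "corp_users": ipaddress.ip_network("10.10.0.0/16"),
    "dmz_web": ipaddress.ip_network("172.16.1.0/24"),
    "db_core": ipaddress.ip_network("172.16.10.0/24"),
    "mgmt": ipaddress.ip_network("172.16.99.0/24"),
}

# Intended policy: which segment pairs may talk and on which destination ports.
# Any pair not listed is implicitly denied.
POLICY = {
    ("corp_users", "dmz_web"): {443},
    ("dmz_web", "db_core"): {5432},
    ("mgmt", "db_core"): {22},
    ("mgmt", "dmz_web"): {22},
}


@dataclass
class Rule:
    """A simplified firewall rule (hypothetical format)."""
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]  # None means any destination port
    action: str          # "allow" or "deny"


def segment_of(net: ipaddress.IPv4Network) -> Optional[str]:
    """Return the segment that fully contains net, or None if it spans or misses segments."""
    for name, seg in SEGMENTS.items():
        if net.subnet_of(seg):
            return name
    return None


def check_rules(rules: list) -> list:
    """Return (rule name, reason) for every allow rule that exceeds the policy."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        s, d = segment_of(r.src), segment_of(r.dst)
        if s is None or d is None:
            # A range wider than one segment cannot be validated against a per-segment policy.
            findings.append((r.name, "allow rule spans or is outside the segment map"))
            continue
        allowed = POLICY.get((s, d))
        if allowed is None:
            findings.append((r.name, f"no policy permits {s} -> {d}"))
        elif r.port is None:
            findings.append((r.name, f"any-port allow, policy limits {s} -> {d} to {sorted(allowed)}"))
        elif r.port not in allowed:
            findings.append((r.name, f"port {r.port} not permitted {s} -> {d}"))
    return findings


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr)


# Constructed rule set: two rules match the policy, four do not.
SAMPLE_RULES = [
    Rule("web-in", net("10.10.0.0/16"), net("172.16.1.0/24"), 443, "allow"),
    Rule("web-db", net("172.16.1.0/24"), net("172.16.10.0/24"), 5432, "allow"),
    Rule("users-db-direct", net("10.10.0.0/16"), net("172.16.10.0/24"), 5432, "allow"),
    Rule("mgmt-any", net("172.16.99.0/24"), net("172.16.10.0/24"), None, "allow"),
    Rule("web-db-rdp", net("172.16.1.0/24"), net("172.16.10.0/24"), 3389, "allow"),
    Rule("wide-allow", net("172.16.0.0/16"), net("172.16.10.0/24"), 22, "allow"),
    Rule("default-deny", net("0.0.0.0/0"), net("0.0.0.0/0"), None, "deny"),
]


if __name__ == "__main__":
    for name, reason in check_rules(SAMPLE_RULES):
        print(f"{name}: {reason}")
```

Run against the sample rules, the checker flags `users-db-direct` (user segment straight to the database tier), `mgmt-any` (any-port allow where the policy permits only SSH), `web-db-rdp` (a port the policy never listed) and `wide-allow` (a source range that spans several segments). A real deployment would parse the vendor's rule export and a richer policy model, but the design point is the same: the intended segmentation is written down as data, and every rule change is checked against it rather than reviewed by eye.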
Adam Kujawa, head of malware intelligence at Malwarebytes Labs, told Infosecurity that targeted attacks take a multi-pronged approach in which the attackers go after numerous points of entry. In the current situation, he suggested, that approach appears to have been applied across many organizations rather than a single one.
“In much of the same way as these attacks against a single target are faced with numerous methods of possible entry, a group with the intention of getting as many victims as they can might use it against a variety of different targets,” he said. “It all depends on the goal of the attackers. In the case with the other organizations having discovered traces of the attackers, it could have come down to a numerous victim type of attack, all with the goal of gaining entry into some kind of previously thought to be secured environment.”
Of course, there’s much more to uncover when it comes to what has actually happened, and why.
“Without knowing the motivation of the attackers or the technical details of how their attack was done, we can only guess at the link between the attacker’s targets and what the final goal was,” Kujawa said.