WASHINGTON — Russian hackers attacked the U.S. financial system in mid-August, infiltrating and stealing data from JPMorgan Chase and at least one other bank, an incident the FBI is investigating as a possible retaliation for government-sponsored sanctions, according to two people familiar with the probe.
The attack resulted in the loss of gigabytes of sensitive data, and authorities are investigating whether recent infiltrations of major European banks using a similar vulnerability are also linked to the attack, one of the people said.
In one case, the hackers used a zero-day vulnerability in one of the banks’ websites, then plowed through layers of elaborate security to steal the data, a feat several security experts said appeared far beyond the capability of ordinary criminal hackers. The incidents occurred at a low point in relations between Russia and the West, as Russian troops continue to mass on the Ukrainian border and the West tightens sanctions aimed at crippling Russian companies, including some of the country’s most important banks.
The sophistication of the attack and technical indicators extracted from the banks’ computers provide some evidence of a government link, but the trail is muddy enough that investigators are considering the possibility that it’s cyber criminals from Russia or even elsewhere in Eastern Europe. Other federal agencies, including the National Security Agency, are now aiding the investigation, a third person familiar with the probe said.
“The way the Russians do it, to the extent we can see into the process, is they encourage certain targets,” said James Lewis, director of the Strategic Technologies program at the Center for Strategic and International Studies in Washington. “The Russians typically keep open the options to do something more, and the question now is what would trigger that and what would our response be.”
J. Peter Donald, an FBI spokesman in New York, declined to comment.
“Companies of our size unfortunately experience cyber attacks nearly every day,” Patricia Wexler, a JPMorgan spokeswoman, said in an email. “We have multiple, layers of defense to counteract any threats and constantly monitor fraud levels.”
Attacks on the U.S. financial sector from Russia and Eastern Europe have jumped over that last several months, according to several cyber security experts, and both companies and U.S. officials are examining the possibility that the uptick is related to the conflict over Russia’s behavior in Ukraine.
In at least one of the attacks, the hackers grabbed sensitive data from the files of bank employees, including executives, according to a fourth person briefed on the probe, who, like the other individuals with knowledge of the matter, declined to divulge the name of victims other than JPMorgan. Some data related to customers may also have been accessed, the person said.
U.S. and European sanctions have altered the way that Western banks interact with Russian entities, resulting over the last several months in actions that have raised the ire of Russian officials. In April, JPMorgan was singled out for withering criticism when it blocked a payment from a Russian embassy to the affiliate of a U.S.-sanctioned bank. Russia’s foreign ministry called the move by JP Morgan “illegal and absurd,” and the U.S. bank was widely criticized by Russian commentators.
ISight Partners, a Dallas-based company that provides intelligence on cyber threats to some of the largest banks, recently warned clients of the potential for retaliatory attacks in cyberspace as Western sanctions tightened.
Russia has used such attacks before, in conflicts with Estonia and Georgia, when hackers crashed those countries’ communications systems and government websites.
“Russia has a policy of reactionary attacks in relation to political contexts,” said John Hultquist, an iSight expert who would not confirm direct knowledge of the attack. “When it comes to countries outside their sphere of influence, those attacks would be more surreptitious.”
With assistance from Keri Geiger and Hugh Son in New York.