The FBI is investigating what appears to be a series of co-ordinated cyber attacks at JP Morgan Chase and at least four other financial institutions, according to US reports.
The attacks have fuelled concerns about the cyber vulnerability of financial institutions and markets, which a top US expert has predicted will be the next evolution of cyber attacks.
Initial investigations indicate that Russian hackers are responsible for the attacks, which resulted in the loss of gigabytes of sensitive data, said Bloomberg, citing security experts.
As several security firms conduct forensic investigations, it remains unclear whether the attackers were financially or politically motivated.
Some reports have speculated that the attacks may be linked to US sanctions against the Russian government, while others said the attacks may be linked to recent cyber raids at European banks.
But Amichai Shulman, chief technology officer at security firm Imperva, said the fact that there has been no financial loss indicates the attacks could be politically motivated.
“I find it odd that someone who was actually able to break into a bank is not using it for making immediate profit,” he said.
According to Shulman, this means that either information on financial losses is being withheld, or that the attacks were politically motivated.
But he said that did not necessarily mean that the attacks were linked to US sanctions against Russia, because a large proportion of financial hacking has come from Eastern Europe in recent years.
more on cyber attacks
- Why are UK micro businesses unprepared for cyber attack?
- Target cyber attack not isolated, warns FBI
- Info sharing key to cyber defence, says financial services firm
- Continuous monitoring key to retail cyber security, says Ponemon
- UK finance industry launches cyber security framework
- UK government launches cyber security support scheme
JP Morgan said in a statement that large companies experience cyber attacks nearly every day.
"We have multiple layers of defence to counteract any threats and constantly monitor fraud levels,” the statement said.
Financial sector needs military-level security
But security experts said the ability to overcome the typical financial defence-in-depth strategy outlined by JPMorgan points to capabilities that go beyond criminal activity.
“These capabilities are in the realm of nation-state capabilities,” said Philip Lieberman, chief executive of security firm Lieberman Software.
“JP Morgan and similar entities employ sufficient technology to protect themselves from criminals, but typically fail to invest enough in technology and processes to shield themselves from nation states’ ability to access their systems at will,” he said.
According to Lieberman, most financial services providers have little to no protection from nation-state attacks and are not willing to spend the money to protect themselves.
He said companies in the sector also lack the senior leadership capable of redesigning their organisations for secure operation against nation states.
“The US financial sector has much better security than other areas of the world by far, but without significant rethinking and redesign, it will struggle to survive against nation states,” said Lieberman.
He said the lesson to be learned is that the financial services sector needs to raise its cyber security game to move up from commercial security to military-level security.
Understanding and blocking cyber attacks
But other commentators expect to see a renewed and continued effort to strengthen the defences of the financial sector, according to reports.
News of the latest cyber attacks on financial institutions comes just days after a global watchdog issued a warning about the growing danger of cyber attacks on financial markets.
The International Organisation of Securities Commissions (Iosco) said that companies and regulators around the world need to address the “uneven” response to the threat of cyber attacks.
Iosco chairman Greg Medcraft predicted that the next big financial shock will come from cyber space, following a succession of attacks on financial players.
Commenting on the Iosco warning, Tim Erlin, director of security and risk at Tripwire, said financial organisations should be paying attention to the attack trends in the retail space.
“The widespread use of malware across point-of-sale systems has exposed a clear gap in information security practices in that market, but finance and retail are fundamentally connected.
“It should be no surprise when similar techniques migrate to adjacent space. These are highly organised criminal groups, motivated by financial gain. We shouldn’t be surprised when they turn their attention to the banks,” he said.
According to Erlin, protection has to start by modelling the threat, understanding where the money is, and how it might be accessed, then closing the holes that might allow access before someone breaks in.
Alex Fidgen, group director at MWR InfoSecurity, said cyber attacks represent an increasing risk to all critical markets, not only the financial sector.
“What is most interesting about the financial markets is that they are so demonstrably interconnected, and therefore an effect felt in one market might quickly spread to interconnected markets and organisations,” he said.
Fidgen predicted that as the use of cyber attacks matures, it will be increasingly used by countries to help support and execute their geo-political objectives.
“This will bring into scope a larger multiple of targets within a variety of different markets,” he said.
Structured risk assessment
The CBEST scheme launched by the Bank of England is an excellent example of formal assessment structure being implemented by regulators to gauge and assess risk, said Fidgen.
“We would expect to see similar schemes and structure implemented across many other markets over the short to medium term,” he said.
Badly constructed software will not only cause systems to crash, corrupt data and make recovery difficult, it will also leave numerous security holes
Bill Curtis, Cast
Earlier this week, software testing company Cast said research has shown that finance and retail applications are the most susceptible to hacking attacks because of data input by customers.
A study by the firm – covering 705 million lines of code used by 1,316 enterprise applications – found that 69% of finance applications and 70% of retail applications have data input validation violations.
This enables hackers to use buffer overflow attacks to run malicious code, which is put into the input field where customers enter their details.
Bill Curtis, chief scientist at Cast, said: “Badly constructed software will not only cause systems to crash, corrupt data and make recovery difficult, it will also leave numerous security holes.”
In September 2013, Scott Borg, chief of the US Cyber Consequences Unit, predicted that manipulation of international financial markets will be the next evolution of cyber crime.
“But there is no limit to the money that can be made by manipulating financial markets,” he said, speaking at an international policy roundtable on cyber security.
By taking a position in the market and then conducting a cyber attack to discredit a company, criminals can make an almost infinite amount of money, said Borg.
“Even if the beneficiaries are identified, they can always say they took the position based on a rumour in the market,” he said.
Borg, who predicted in 2002 the shift from mass disruption cyber attacks to professional, organised cyber crime, said the next shift to financial markets will transform the field of cyber security.