Russian hackers attacked JPMorgan Chase & Co. and at least four other banks this month in a coordinated assault that resulted in the loss of gigabytes of customer data, according to two people familiar with the investigation.
At least one of the banks has linked the breach to Russian state-sponsored hackers, said one of the people. The FBI is investigating whether the attack could have been in retaliation for U.S.-imposed sanctions on Russia, said the second person, who also asked not to be identified, citing the continuing investigation.
The attack led to the theft of account information that could be used to drain funds, according to a U.S. official and another person briefed by law enforcement who said the victims may have included European banks. Hackers also took sensitive information from employee computers.
Most thefts of financial information involve retailers or personal computers of consumers. Stealing data from big banks is rare, because they have elaborate firewalls and security systems.
The incidents occurred at a low point in relations between the U.S. and Russia. Russian troops continue to mass on the Ukrainian border even after U.S. and European nations have hurt the Russian economy with sanctions. Russia has a history of using criminals and other proxies to hit back at adversaries in cyberspace.
"The way the Russians do it, to the extent we can see into the process, is they encourage certain targets," said James Lewis, director of the Strategic Technologies Program at the Center for Strategic and International Studies in Washington. "The Russians typically keep open the options to do something more, and the question now is what would trigger that and what would our response be."
Investigators have determined that the attacks were routed through computers in Latin America and other regions via servers used by Russian hackers, according to people familiar with the probe.
The hackers used a software flaw known as a zero-day in at least one of the bank's websites, according to one of the people familiar with the investigation. They then plowed through layers of elaborate security to steal the data, which security specialists said appeared far beyond the capability of ordinary criminal hackers. Zero-day is a flaw known only to the hackers, allowing them to take remote command of a computer.
The sophistication of the attack and technical indicators extracted from the banks' computers provide some evidence of a government link. Still, the trail is murky enough that cyber criminals from Russia or elsewhere in Eastern Europe could be behind the assaults. Other federal agencies, including the National Security Agency, are aiding the investigation, said another person familiar with the probe.
Patricia Wexler, a JPMorgan spokeswoman, declined to comment on whether the bank was a victim of hacking. She said the company has multiple layers of defense to fend off data thefts.
"Companies of our size unfortunately experience cyber attacks nearly every day," Wexler said in an e-mail.
The bank hasn't detected any unusual activity or fraud thus far, said a person with knowledge of the matter. JPMorgan fell 16 cents to $59.58 in New York trading yesterday.
The Federal Bureau of Investigation is working with the U.S. Secret Service to determine the scope of "recently reported cyber attacks against several American financial institutions," J. Peter Donald, a spokesman for the FBI in New York, said in a statement.
Attacks on the U.S. financial sector from Russia and Eastern Europe have jumped over the last several months, according to several cyber security experts. Companies and U.S. officials are examining the possibility that the uptick is related to the conflict over Russia's behavior in Ukraine.
Authorities are looking for signs that the data stolen in the latest attack has been used to move money from accounts. No such activity had been spotted as of yesterday afternoon. The absence of fraud would lend support to the theory that the hack had a political motive, the government official said.
U.S. and European sanctions have altered the way banks are interacting with Russian entities, triggering the ire of Russian officials. In April, JPMorgan was singled out for criticism when it blocked a payment from a Russian embassy to the affiliate of a U.S.-sanctioned bank. Russia's foreign ministry called the move by New York-based JPMorgan "illegal and absurd." The U.S. bank was widely criticized by Russian commentators.
ISight Partners, a Dallas-based company that provides intelligence on cyber threats to some of the largest banks, recently warned clients of the potential for retaliatory attacks in cyberspace as sanctions tightened. Russia has used such attacks before. In conflicts with Estonia and Georgia, hackers crashed those countries' communications systems and government websites.
"Russia has a policy of reactionary attacks in relation to political contexts," said John Hultquist, a cyber-security specialist at iSight who declined to comment on the bank hacks. "When it comes to countries outside their sphere of influence, those attacks would be more surreptitious."
It couldn't be determined whether this month's data thefts resulted in any financial losses for consumers. The people familiar with the hacks didn't specify whether the stolen information included credit-card numbers or other easily sold financial data.
JPMorgan spends about $200 million each year to protect itself from cyber attacks, Chief Executive Officer Jamie Dimon wrote in a April 2013 letter to shareholders.
"This number will grow dramatically over the next three years," Dimon said. "More than 600 employees across the firm are dedicated to the task. And this number likely will grow as well."
Banks must disclose when customer data is breached, a process that can take days or weeks. Companies often don't immediately know what information was taken or who was affected. If a theft leads to losses, consumers have more protections than corporations.
Even if the U.S. government makes a direct link from the attacks to Russia, any U.S. reaction may be muted, said Lewis of CSIS. The threshold for a military response is either massive economic harm or potential loss of life, he said.
"You'll see a continued effort to strengthen the defenses of the financial sector, but there is a general reluctance to do a tit-for-tat in cyberspace," Lewis said.