National security implications for financial system cyberattacks?
Investigators have told the president they don't yet know who is behind the attacks, but a new Proofpoint report offers some clues.
As the White House ponders whether this summer's massive hack of the financial services industry was a targeted, sponsored attack by Russia or terrorists, a recently released Proofpoint study provides new details on how the "cybercrime infrastructure" of a criminal operation that targets U.S. and European banking systems can work.
The New York Times reported on Oct. 8 that President Barack Obama has asked federal investigators to find out who was behind the breach at JPMorgan Chase and apparently other financial institutions that exposed account information for an estimated 75 million customers. And Obama wants insight into the perpetrators' motives to determine whether the attack is a national security threat to critical infrastructure.
So far, investigators have been unable to answer either question definitively. According to the Times, the White House would consider the hack a possible threat to national security if the Russian government or Islamic extremists were behind it.
The Times reported in early October that the sophisticated techniques used in the JPMorgan breach basically gave the criminals a road map of the financial services provider's program and app vulnerabilities.
The Proofpoint study, on the other hand, outlines perhaps a less sophisticated and possibly more common method to target financial critical infrastructure while showing some of the capabilities, motives and tactics of hard-to-identify and often inscrutable financial services cybercriminals.
"Based on information gleaned from the attacker's control panels, such as language preferences and the language of the server names and documentation, as well as from further research, the attackers behind this operation appear to be a Russian cybercrime group whose primary motivation is financial," the Proofpoint report states.
The organization's research shows a group targeting online credentials for banks in the United States and Europe by infecting more than 500,000 personal computers with malware through the open-source WordPress blogging/content management tool. WordPress is one of the most popular blogging tools on the Internet, with tens of millions of users.
According to the study, the attackers used Qbot (also known as Qakbot) malware to infect the systems that in turn "sniffed" out electronic "conversations," which included account credentials for 800,000 online banking transactions. Proofpoint said 59 percent of the sniffed sessions represented accounts at five of the largest U.S. banks.
The attackers compromised WordPress sites by using lists of administrator logins they had bought elsewhere. They uploaded malware to legitimate sites that then infected clients that visited the sites. Many of the WordPress-run sites also produced electronic newsletters, which the attackers used to distribute infected content.
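The compromise route described above relies on valid, purchased administrator credentials, so failed-login alerts never fire; what a hosting provider can still see is one source address successfully logging into administrator accounts on many unrelated sites within minutes. The following detection sketch is an added example and not from the Proofpoint report; the event format, thresholds, and sample entries are constructed assumptions.

```python
"""Flag a single source address that logs into many unrelated WordPress
sites as an administrator within a short window, the pattern that
purchased credential lists produce. Event format is a constructed
assumption: a real deployment would derive these fields from a login
audit plugin or from web-server logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, source_ip, site, user, outcome).
SAMPLE_EVENTS = [
    ("2014-09-01T10:00:00", "203.0.113.7", "blog-a.example", "admin", "success"),
    ("2014-09-01T10:00:09", "203.0.113.7", "news-b.example", "editor", "success"),
    ("2014-09-01T10:00:20", "203.0.113.7", "shop-c.example", "admin", "success"),
    ("2014-09-01T10:00:31", "203.0.113.7", "site-d.example", "wpadmin", "success"),
    ("2014-09-01T10:00:45", "203.0.113.7", "site-e.example", "admin", "success"),
    ("2014-09-01T11:30:00", "198.51.100.4", "blog-a.example", "admin", "success"),
    ("2014-09-01T11:31:00", "198.51.100.4", "blog-a.example", "admin", "failure"),
]

def parse(event):
    ts, ip, site, user, outcome = event
    return datetime.fromisoformat(ts), ip, site, user, outcome

def flag_shared_source(events, window=timedelta(minutes=10), max_sites=3):
    """Return {source_ip: sorted sites} for every source that successfully
    logged into more than max_sites distinct sites inside one sliding
    window. Only successes count: purchased credentials are valid, so
    the signal is breadth across sites, not a burst of failures."""
    by_ip = defaultdict(list)
    for ts, ip, site, _user, outcome in map(parse, events):
        if outcome == "success":
            by_ip[ip].append((ts, site))
    flagged = {}
    for ip, hits in by_ip.items():
        hits.sort()
        best, start = set(), 0
        for end in range(len(hits)):
            # Advance the window start until it spans at most `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            sites = {site for _, site in hits[start:end + 1]}
            if len(sites) > len(best):
                best = sites
        if len(best) > max_sites:
            flagged[ip] = sorted(best)
    return flagged

if __name__ == "__main__":
    for ip, sites in flag_shared_source(SAMPLE_EVENTS).items():
        print(f"{ip} logged into {len(sites)} sites: {', '.join(sites)}")
```

The threshold is deliberately per-source rather than per-site, since each individual site sees only a single, valid-looking administrator login.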
About half the infected systems ran Windows XP, showing that the end-of-life operating system is still in relatively widespread use. Microsoft ended patch and update support for Windows XP in April 2014.
The study also found that the cybercrime group used the compromised PCs to open its own cloud-based paid proxy service for other organized crime groups. The service offered a private cloud for attackers to infiltrate corporate networks.
The implications for financial services companies are sobering. The study concluded that cybercriminals have the financial and technical means to produce an escalating level of sophisticated attacks. Furthermore, those electronic assaults can use the initial attack as a foothold for future account theft, secret communications and transfers, distributed denial-of-service attacks and ransomware.