Tag Archives: cyberattack

Prosecutors Announce More Charges in JPMorgan Cyberattack

Billing it as the largest hacking case ever uncovered, federal prosecutors in Manhattan on Tuesday described a global, multiyear scheme to steal information on 100 million customers of a dozen companies in the United States and use the data to advance stock manipulation activities, illicit online gambling and fraud.

Prosecutors said they uncovered the complex scheme in their investigation of a computer hacking last year atJPMorgan Chase that involved the breach of contact information, such as emails, from 83 million customer accounts.

Before long, investigators had uncovered a trail of 75 shell companies and a hacking scheme in which the three defendants used 30 false passports from 17 different countries. The group’s activity goes back as far as 2007, and it has reaped “hundreds of millions of dollars in illicit proceeds,” some of it hidden in Swiss accounts and other bank accounts, prosecutors said.

The data breaches “were breathtaking in their scope and size,” said Preet Bharara, the United States attorney for the Southern District of New York, at a news conference on Tuesday. The activity, described as a 21-century twist on tried-and-true criminal activity, unveiled the existence of “a brave new world of hacking for profit,” perhaps signaling the next frontier in securities fraud.

The accused — two Israeli citizens and a United States citizen — face 23 counts of fraud and other illegal activities, according to an indictment unsealed Tuesday that added hacking to manipulation and fraud charges that were filed against the three in July. The charges are the first directly linked to the JPMorgan hack.

Two of the accused, Gery Shalon and Ziv Orenstein, remain in custody awaiting extradition from Israel after being arrested in July. A third defendant, Joshua Aaron, the American, is believed to be in Russia. The Federal Bureau of Investigation has issued a “wanted notice” for him “for his alleged involvement in a scheme to hack major American companies in order to acquire customer contact information.”

A separate indictment on Tuesday outlined seven charges against Anthony Murgio, a Florida man previously accused of running an unlicensed Bitcoin exchange. That exchange was owned by Mr. Shalon, whom prosecutors described Tuesday as the founder and leader of the sprawling criminal enterprise.

Lawyers for the four men could not immediately be reached.

Another man facing fraud charges, Yuri Lebedev, has not been charged with hacking. Mr. Bharara said on Tuesday “there are discussions between the parties.”

Prosecutors charged that the group led by Mr. Shalon hacked seven financial institutions and two newspapers to get contact information with which they could advance their pump-and-dump stock manipulation scheme. They “took the classic stock fraud scheme and brought it into the cyber age,” Mr. Bharara said.

Prosecutors said the group was involved in a broad array of activities, including processing payments for illegal pharmaceutical suppliers, running illegal online casinos and owning an unlicensed Bitcoin exchange.

Nearly all the activities “relied for their success on computer hacking and other cybercrimes,” prosecutors said on Tuesday.

According to the indictment, the three used a rented computer server based in Egypt to try hacking into customer databases at the brokerage firms TD Ameritrade and Fidelity Investments as well as JPMorgan. The ring also gained access to a computer network at what was called “Victim 8,” or Dow Jones, publisher of The Wall Street Journal, containing up to 10 million customer email addresses, prosecutors said.


Separately, federal prosecutors in Atlanta on Tuesday announced charges against Mr. Shalon, Mr. Aaron and an unnamed defendant in the late-2013 attacks on E-Trade Financial Corporation and Scottrade Financial Services, both major online brokers. The 10 charges include aggravated identity theft, computer fraud and wire fraud.

Prosecutors in Atlanta said they had uncovered online chats in which Mr. Shalon and an unnamed hacker discussed their plans to use stolen customer contact information to build their own brokerage database for peddling stocks to investors.

The New York indictment also charges the three men with hacking two software development companies to obtain information to advance their online gambling activities, and they targeted a market intelligence firm to support their card-processing activities.

The men operated at least 12 unlawful Internet casinos and marketed them to customers in the United States through extensive email promotions. The casinos generated “hundreds of millions of dollars in unlawful income,” prosecutors said, at least $1 million in profits a month.

JPMorgan confirmed on Tuesday that it was identified as “Victim 1” in the superseding indictment.

“We appreciate the strong partnership with law enforcement in bringing the criminals to justice,” the bank said in a statement. “As we did here, we continue to cooperate with law enforcement in fighting cybercrime.”

On Tuesday, E-Trade Financial, based in New York, said it was attacked in late 2013 and found no evidence that sensitive financial information had been compromised. It added that contact information for some 31,000 customers may have been exposed.

“Security is a top priority, and we focus a significant amount of time and energy to help keep our customers’ data and information safe and secure,” E-Trade said in a statement.

Fidelity, based in Boston, said, “We have confirmed with the F.B.I. that there is no indication that our customers were affected.”

In a statement, Scottrade said, “We continue to work closely with the authorities by providing any and all information and resources we can to support their investigation and prosecution of the criminals.” Scottrade, based in St. Louis, previously said 4.6 million client accounts were targeted.

Dow Jones said in a statement on Tuesday, “The government’s investigation is ongoing, and we continue to cooperate with law enforcement.”

Tagged , , , , ,

Apple’s App Store hit by malware attack in China

Apple has said it is taking steps to remove a malicious program found in a number of applications used by owners of iPhones and iPads in China.

It is thought to be the first large-scale attack on Apple’s App Store.

The US tech giant said hackers had embedded a malicious code into the apps by persuading developers to use a counterfeit version of the firm’s own software.

The program called XcodeGhost allows hackers to collect data from devices.

The infected applications include many used by iPhone and iPad owners in China such as Tencent’s hugely popular WeChat app, a music downloading app and an Uber-like car hailing app.

A spokeswoman said the apps had now been removed.

“We’ve removed the apps from the App Store that we know have been created with this counterfeit software,” Apple spokeswoman Christine Monaghan said in an email.

“We are working with the developers to make sure they’re using the proper version of Xcode to rebuild their apps.”

‘No data theft’

On its official WeChat blog, Tencent said that the security issue affects an older version of the app – WeChat 6.2.5 and the newer versions were not impacted.

It added that an initial investigation showed that no data theft or leakage of user information had occurred.

Cyber security firm Palo Alto Networks said on Friday that potentially hundreds of millions of users were impacted by the infected apps.

“We believe XcodeGhost is a very harmful and dangerous malware that has bypassed Apple’s code review and made unprecedented attacks on the iOS ecosystem,” the firm said on its website.

But Wee Teck Loo, head of consumer electronics at market research firm Euromonitor International said he does not see any major impact on the sale of Apple products despite the presence of this malware.

“It is definitely embarrassing for Apple but the reality is that malware is a persistent problem since the days of PCs and the problem will multiply as the number of mobile devices explodes from 1.4 billion units in 2015 to 1.8 billion in 2020,” he told the BBC.

In fact, consumers are less cautious on mobile devices than on PCs, he added.

“In emerging markets like China or Vietnam, mobile devices are their first connected product and security is taken for granted,” he said.

“Consumers in emerging markets are also less protective of privacy and security issues,” said Mr Wee.

Earlier this month, login names and passwords for more than 225,000 Apple accounts were stolen by cyber-thieves in China.

It was uncovered by security firm Palo Alto Networks while investigating suspicious activity on many Apple devices. It found a malicious software family that targets unlocked iPhones.

The majority of people affected were in China.

Tagged , , , ,

Pentagon Email System Is Back Online After Cyberattack

The Joint Chiefs of Staff’s unclassified email system is back online, defense officials tell NBC News, more than two weeks after it was the target of a cyberattack believed to have been carried out by Russian hackers.

Pentagon officials told NBC News the Joint Chiefs email system was restored Sunday, following an intensive “scrub” meant to eliminate any potential malware that may have been implanted. Additional security measures were also installed, the officials said. The system was originally scheduled to be back online Friday.

The “highly sophisticated” cyberattack is believed to have occurred sometime around July 25 and affected about 4,000 military and civilian personnel who work for the Joint Chiefs, officials had told NBC News last week. The officials insist no classified information was compromised or stolen during the attack on the unclassified email system.

Officials said it appears the intrusion was the result of what’s known as “spear phishing” — emails that look legitimate but are loaded with links that download malicious software. At least one Pentagon or military user violated protocols and security requirements by clicking into an unknown email source, the officials said.

Despite their firm belief that “Russians” carried out the attack, defense officials still cannot confirm whether the cyberattack was sanctioned by the Russian government or carried out by independent hackers.

Tagged , , , , , ,

Anthem Hacking Points to Security Vulnerability of Health Care Industry

The cyberattack on Anthem, one of the nation’s largest health insurers, points to the vulnerability of health care companies, which security specialists say are behind other industries in protecting sensitive personal information.

Experts said the information was vulnerable because Anthem did not take steps, like protecting the data in its computers though encryption, in the same way it protected medical information that was sent or shared outside of the database.

The hackers gained access to up to 80 million records that included Social Security numbers, birthdays, addresses, email and employment information and income data for customers and employees, including its own chief executive.

Anthem officials say they do not know who is behind the attack, but several security consultants have noted that in the past Chinese hackers have shown an interest in going after health care companies. A securities industry consultant who requested anonymity because the investigation was continuing said there were suspicions the hackers might have been working with the backing of a foreign government, or with people with ties to a foreign government.


A 9-year-old boy received a free flu vaccination at an event sponsored by the company in Sacramento, Calif., in 2013. CreditRich Pedroncelli/Associated Press

The hackers are thought to have infiltrated Anthem’s networks by using a sophisticated malicious software program that gave them access to the login credential of an Anthem employee.

“This is one of the worst breaches I have ever seen,” said Paul Stephens, director of policy and advocacy for the Privacy Rights Clearinghouse, a nonprofit consumer education and advocacy group. “These people knew what they were doing and recognized there was a treasure trove here, and I think they are going to use it to engage in very sophisticated kinds ofidentity theft.”

Anthem officials became aware of the breach when one of their senior administrators noticed someone was using his identity to request information from the database. The request — or query — by the hackers appears so far to have been for financial information only. Anthem officials say that medical information in insurance claims shared with doctors and hospitals — like whether a customer was treated for substance abuse, for example — does not appear to have been taken in the attack.

“We’re positive that the rogue query did not have medical data in it,” said Thomas Miller, Anthem’s chief information officer. The people who gained access to the database “consciously selected what they selected.”

The insurer, along with federal investigators and security experts from FireEye’s Mandiant division, is now trying to determine whether there were other requests that it did not detect, a process that could take several more weeks.

Mr. Miller said Anthem and other health care companies had become increasingly aware of the criminal value of the information they have, in light of the large cyberattacks against financial service companies like JPMorgan Chase or retailers like Target.

“People have known for a long time financial information has its security needs,” he said. Anthem, he said, had doubled its investment in this area over the last four years and was actively considering encrypting its internal database as well as taking other steps to improve its security.

Anthem operates health plans under numerous brands, including Anthem Blue Cross, Anthem Blue Cross/Blue Shield, Blue Cross and Blue Shield of Georgia and Empire Blue Cross Blue Shield.

While experts like Mr. Stephens said the hackers might not have been particularly interested in the medical information available in Anthem’s database, the company’s decision to make the breach public quickly means that it is early in the investigation into exactly what happened and what information may have been compromised. “You can spend months doing the forensics,” said Fred Cate, a law professor and cybersecurity expert at Indiana University.

While he praised Anthem for taking the “unusual and quite laudable step in coming forward quite quickly,” he cautioned that company officials might not know the scope of the attack at this point.

Still, Mr. Cate said the medical information was not likely to result in the public unveiling of sensitive medical information, unlike smaller attacks aimed at finding something embarrassing or derogatory about an executive or celebrity. “As a general matter, huge breaches often result in less harm than targeted breaches,” he said. “The notion that someone’s poring over this data is highly unlikely.”

The decision by Anthem to bring in the Federal Bureau of Investigation and go public with the breach is the kind of move that law enforcement officials have been encouraging for the last several months. F.B.I. officials have appeared at a number of industry conferences urging corporate executives to promptly report breaches and, when possible, share information about the breach with competitors.


Joseph Swedish, chief executive of Anthem, a major health insurer, at the company’s offices in Indianapolis last year.CreditA J Mast for The New York Times

But experts say health organizations like Anthem are likely to be vulnerable targets because they have been slower to adopt measures like keeping personal information in separate databases that can be closed off in an attack. They “are generally less secure than financial service companies who have the same type of customer data,” said Avivah Litan, an analyst for Gartner who specializes in cybersecurity.

Last summer’s attack on JPMorgan Chase, for example, compromised the personal information of 83 million households and small businesses, but the breach was limited to nonfinancial information like addresses and phone numbers because the bank’s more sensitive information was walled off in a way the hackers could not penetrate.

Anthem’s fundamental mistake was to assume that information within its database was secure, said John Kindervag, an analyst with Forrester Research, and thus not apply the same protective standards the company uses when sending data to a doctor’s office. “All cybercrime is an inside job,” he said, because the criminals are able to penetrate a database from the outside and act as an insider in gaining access to data, which is what occurred in the Anthem breach.

Current federal privacy regulations, and the industry standard, call for encrypting information that is being sent from the database. Health insurance companies frequently share information with doctors, hospitals and others. In fact, the sharing of medical records is encouraged by the federal government.

While the health industry has not previously experienced the large-scale breaches that have plagued retailers like Target and Home Depot, there have been smaller attacks. Statistics maintained by the federal government’s Office for Civil Rights at the Department of Human Services say there have been 740 major health care breaches affecting 29 million people over the last five years.

Katherine Keefe, global focus group leader for breach response services at Beazley, which underwrites cyberliability policies, said health care companies were attractive targets to hackers because of the wealth of sensitive personal information they maintained in their networks. She said the information that health providers maintain about consumers tended to be more valuable on the black market than the credit card information that is often stolen from on a retailer.

She said the combination of Social Security information and medical histories was a valuable commodity to criminals. The combination is enough for some of Anthem’s customers to become victims of identity theft or email phishing schemes in which criminals try to trick unsuspecting people into providing their credit card information.

Stolen medical information could also be used to make false insurance claims.

“The value to a criminal of having a full set of medical information on a person can go for $40 to $50 on the street. By contrast, a credit card number is often worth $4 or $5,” Ms. Keefe said.

Tagged , , , , , , ,