The hackers who raided the data banks of JPMorgan Chase & Co. used computers now linked to possible attacks on at least 13 more financial companies, according to a person familiar with the investigation.
More than a month after the JPMorgan hack was made public, it's now clear that the perpetrators had attempted a broad campaign aimed at a payroll-servicing company, a popular stock brokerage and some of the world's biggest banks. The depth of the JPMorgan breach and the scope of the intended targets have sent a shudder through Wall Street, even if the attackers had mixed success.
The group set its sights on companies including Citigroup Inc., HSBC Holdings PLC, E*Trade Financial Corp., Regions Financial Corp. and Automatic Data Processing Inc., the payroll firm, according to several people familiar with those companies' internal probes who said the signs of intruders were found in the computers or logged by protective technology that effectively stopped the hackers.
U.S. intelligence agencies, attorneys general from at least two states, as well as federal prosecutors including from New York are conducting their own investigations, reflecting the urgent concern around the JPMorgan breach, worries over the precise motive of the attack and its ripples throughout the financial system.
The number of companies said to have been at least probed by the hackers has ballooned rapidly. When the JPMorgan hack emerged on Aug. 27, U.S. officials said the attackers had targeted at least four other financial companies. The total number has risen from 10 to 14 in just the last few days, said the person close to the investigation.
U.S. enforcement officials aren't yet certain they have a full list of the probed companies, according to a second person familiar with the investigation, and the number may grow. Both people disclosed the preliminary findings on the condition of anonymity, saying they were not authorized to speak about a live investigation.
The slow pace of information gathering underscores the rocky co-operation between law enforcement agencies and companies that are facing increasingly sophisticated hackers, even after more than a year of efforts by the White House and private groups to improve communications.
The hackers "know what happens is once the first one gets made public, everybody starts to look and close the doors," said John Pescatore, director of emerging security trends at the SANS Institute, a Bethesda, Maryland-based cyber-security training organization. "It's, 'let's do this all at once against lots of them before they start telling each other.'"
Information from companies is being collected in multiple locations using at least two different approaches. In one approach, the Financial Services Information and Analysis Center, known as FS-ISAC, circulated JPMorgan's data to help other companies assess whether they had been attacked. The information included Internet protocol addresses linked to servers that the hackers had used to communicate with the bank's computers and then to extract data.
In another approach, U.S. officials sent letters to dozens of financial companies, asking them to report warning signs, such as whether their computers connected to the same IP addresses.
The lists of impacted companies from the two groups don't entirely match up. HSBC, Citigroup and ADP haven't sent back a response to the letters, though they have found some warning signs, according to the first person familiar with the probe. That suggests the list of targeted companies will be greater than 14.
"HSBC takes its security and the security of its customers very seriously," said Rob Sherman, a spokesman for the London-based bank. "We continue to monitor the situation closely, and are in touch with law enforcement and financial industry groups that collect and communicate cybersecurity information."
Fidelity Investments, the mutual-fund company, is among firms targeted by the hackers, the Financial Times reported. The company has "no indication that any Fidelity customer sites, accounts, information, services or systems were affected," said Vincent Loporchio, a spokesman.
"Fidelity has a range of safeguards and multiple layers of security in place to protect customer accounts and information, our sites, and systems," he said.
At least one company – E*Trade – was targeted last year and subsequently brought in cybersecurity specialists to help scour its networks and assess the potential damage, said the second person, who asked not to be identified because of the continuing investigation.
Thayer Fox, a spokesman for E*Trade, declined to comment.
The possibility that a company was attacked by the same group months earlier could widen the scope of the investigation – or the earlier action could prove to be the work of different hackers, the first person familiar with the investigation said. Many of the targets have found evidence that their defences prevented their systems from being breached and data stolen.
The financial industry is considered among the best in terms of sharing attack data and FS-ISAC has been copied by other industries, including retailers. Yet the JPMorgan incident shows the process can still be challenging, hindered by a widespread concern among companies that they will be open to lawsuits or brand damage if a hack is exposed. The FBI and other agencies have no authority to compel disclosure and some companies may choose to keep attacks, even failed ones, to themselves.
The hackers tried to break into Citigroup this year but failed, according to a person familiar with the incident at the bank. Janis Tarter, a spokeswoman for Citigroup, declined to comment.
Jeremy King, a spokesman for Birmingham, Alabama-based Regions, said the company consistently monitors for any unusual activity and "at this point, we have no evidence of any breach."
The data on the hackers from the JPMorgan breach also included information about malware taken from the bank's network. As companies scoured computer logs, some found that their servers were connecting to the IP addresses. Others found warning signs in firewalls and other devices designed to stop intrusions.
Some of those connections may amount to legitimate Internet traffic rather than hacking. Investigators are following each lead, a process that can consume weeks, even months, and is not yet complete.
"Although ADP threat management experts observed Internet-based traffic from those criminals allegedly reported to have recently attacked JPMC, we have not observed any issues associated with such scanning of our defenses," ADP said in a statement.
Some investigators on the JPMorgan case have pointed to evidence the hackers are working from Russia. JPMorgan has told consultants working with the bank that it saw signs the Russian government may have had a hand in the attack, which resulted in loss of customer information from 76 million households and 7 million small businesses.