Was Snake Malware Used in the JP Morgan Hack?

This is an important question because it can tell us a lot about who the hackers were and how they breached the bank’s security. The attack certainly bears all the earmarks of Snake. The multi-level infection, its ability to remain undetected, and its method of attack look all too familiar to me (see my discussion on this here). The F.B.I. has given little information on this case, so security experts have had to do a lot of speculating. It has been reported that the hack was found only by good fortune, two months after it had first started; otherwise it would have remained undetected much longer. Recent reports indicate that other banks may have been targeted and, if Snake is, indeed, behind this, some may have no idea that they have even been a victim.

Variants of Snake have been around for a while. As I reported on August 18th, I was suspicious as to why a discussion of Snake was pulled from the Black Hat Conference. Certainly, someone was uncomfortable with whatever new revelations about it were going to be made. At that time, I speculated that the government may not have wanted to give out information to the variant’s creators until they, the government, had shored up their own systems. This is a common scenario. However, these bank hacks add a different dimension to all of this. It now seems possible that the F.B.I. was already investigating the breach at JP Morgan and other banks and did not want to tip off the creators of this Snake variant. Why? Because Snake comes with a kill switch. If those attackers gathering data know that they have been found out, they can remotely remove all traces of the program from an infected network, giving investigators little to go on in determining how the hack began and who began it in the first place.

In fact, until last month, no one really knew how Snake could even get into a system. That all changed when Kaspersky published its report on a new Snake variant on August 7th. This report showed that Snake entered a network in stages. They called the first stage of the attack “Epic Turla”, labeled the intermediate stage “Cobra Carbon”, and gave the final, completed attack the name Snake. This new variant had been detected two days earlier, on August 5th. According to Kaspersky, the exploit begins in one of the following ways:

  • Spear-phishing e-mails with Adobe PDF exploits (CVE-2013-3346 + CVE-2013-5065)
  • Social engineering to trick the user into running malware installers with “.SCR” extension, sometimes packed with RAR
  • Watering hole attacks using Java exploits (CVE-2012-1723), Adobe Flash exploits (unknown) or Internet Explorer 6, 7, 8 exploits (unknown)
  • Watering hole attacks that rely on social engineering to trick the user into running fake “Flash Player” malware installers

Back on August 19th, about a week before the latest breach was announced, JP Morgan customers received a security notice cautioning them to beware of emails that seem to come from JP Morgan employees. These emails mostly targeted small and medium-sized businesses and looked authentic.

[Image: the actual phishing email]


The bank claimed that this was nothing more than a sophisticated phishing attack. It was, however, traced to Russia. In the world of security, nothing is simple and clear cut. Did these phishing attacks begin about the time that the main breach started? In other words, were they used to begin a more complex information gathering attack? Were they used to learn about the security architecture? We won’t know this for a while. We know that this phishing campaign installed the Dyre Trojan, which was first discovered back in June, about the same time the JP Morgan breach began. Avivah Litan, an analyst at Gartner, does not believe the phishing emails were a coincidence. As Litan remarked in an article on the Bank Info Security website, “Almost all of these attacks start with spear phishing. So, yes. It could be related, and probably is.”

We do know that if a Snake variant was used in the main breach, it is most likely of Russian origin. Also, according to some reports, it was not only used to gather data but to delete and alter certain bank records. (It would be informative to see which records were altered and which were deleted.) This is certainly not how most financially motivated hacks operate. In fact, as of this writing, there is no evidence of financial motivation. This unusual activity, plus the expense of the multiple zero-day exploits that were used, almost certainly indicates that some nation state was behind the attack. If this is true, all signs point to Russia.

But why would the Russian government be interested in JP Morgan? The reason can be found in a complaint that Russia filed against JP Morgan back in April when it accused the bank of blocking fund transfers. JP Morgan eventually allowed the transfer, but it was clear from the threats made by Moscow that any sanctions imposed upon it from the West would not go unanswered. Additionally, Russia could not have been happy that JP Morgan’s investments in Russia had fallen by 13% as of March 31st. According to JP Morgan’s website, “The bank is one of the leading players on the Russian financial market and continues to develop new business lines for the benefit of its clients.” If this is true, any sanctions or reduced investments emanating from it could have serious consequences for the Russian economy. It is possible that Russia wanted to show just what it was capable of doing in order to pressure financial institutions to think twice about imposing any sanctions. If it is found that Citigroup and Bank of America, two other leading Russian investors, have been similarly targeted, I think this scenario would be more likely.

An initial report from the Wall Street Journal claimed that the attackers appear to have originally breached J.P. Morgan’s network via an employee’s personal computer. This news was reported from a person close to the investigation. Others claimed the attack exploited a flaw in the JP Morgan website. My money is on this being a user issue. Why? Because JP Morgan is probably the most secure private enterprise in the US, if not the world. In an interview with Bloomberg, Mike Riley called JP Morgan “the digital equivalent of Fort Knox.” They spend a quarter of a billion dollars on security and have 1,000 of the best security experts in the business working for them. Is it likely that they would have overlooked a flaw in their website? No, it is far more likely that some remote user simply opened the phishing email without thinking much about it and the rest was history. According to an article on the E-Commerce Times website, “an overwhelming 80 percent of corporate security professionals and IT administrators indicated in a recent survey that ‘end user carelessness’ constituted the biggest security threat to their organizations, surpassing the ever-present peril posed by malware or organized hacker attacks.”

The success of this attack has sent shockwaves through the security community. It drives home the point that no company and no company information is ultimately secure. In his interview on Bloomberg, Mike Riley noted that “JP Morgan buys every single security tool on the market.” That should probably be amended to “every software security tool”. There are, in fact, other security solutions that could have kept JP Morgan’s data safe. InZero Systems, for example, has based its architecture on the fact that all software security is susceptible to hacking. It has, therefore, developed an architecture based on hardware separation. Any personal computer or mobile device can be set up with two distinct and separated operating systems, one for work and one for personal use. They are set up in such a way as to prevent careless user behavior from crossing over and compromising sensitive company information. It is such paradigm-shifting architecture that must be looked for as a solution to the ever-increasing number of attacks that are ruining the reputation of some of the largest enterprises.
