In a 23-count indictment, three people -- Gery Shalon, Joshua Samuel Aaron, and Ziv Orenstein – have been charged in the Southern District of New York with hacking into financial institutions and publications to manipulate stocks, including stealing customer data from JPMorgan Chase in a massive 2014 data breach.
The trio were indicted on criminal charges that included securities fraud, identity theft and computer hacking in what amounted to a global hacking ring that infiltrated systems at numerous organizations. The Chase breach representing the “the largest theft of customer data from a U.S. financial institution in history," according to U.S. Attorney Preet Bharara, who brought charges against the three as well as a separate indictment against bitcoin exchange operator Anthony Murgio.
Prosecutors unsealed documents Tuesday, revealing that the group nabbed the information of more than 83 million of the bank's customers and those of other companies. The hackers then used the information to manipulate stocks, raking in more than $100 million. Bharara said in a release that the litany of charges “showcase a brave new world of hacking for profit. It is no longer hacking merely for a quick payout, but hacking to support a diversified criminal conglomerate.”
Referring to the operation as “ hacking as a business model,” he said the “ alleged conduct also signals the next frontier in securities fraud – sophisticated hacking to steal nonpublic information, something the defendants discussed for the next stage of their sprawling enterprise.
“Fueled by their hacking, the defendants' criminal schemes allegedly generated hundreds of millions of dollars in illicit proceeds,” he added.
Shalon, Aaron and Orenstein had been brought up on criminal charges earlier this year for their parts in the Chase breach. Tuesday's indictment expanded the charges against them and left much of the financial and security world pros aghast at the sprawl of the cybercriminals' activities.
“The shocking size and reach of this cyber breach underscores the sophistication of today's cyber criminal enterprises and shows what security teams across all industries are up against,” Fortscale CEO Idan Tendler, who noted that hackers aren't always seeking a “quick payday.” The former commander of the 8200, the Israeli Defense Forces' cyberware division, noted that “once the initial data theft is completed, there are countless opportunities for cyber criminals to conduct targeted campaigns.”
Tripwire's Director of IT Security and Risk Strategy Tim Erlin noted in comments emailed to SCMagazine.com, “While we tend to focus on the technical tools to prevent these types of cyberattacks, these indictments are a good reminder that partnership with law enforcement can provide more traditional tools for fighting cybercrime.”
He added, “If cybercriminals aren't likely to get away with their crimes, they'll be forced to change their tactics.”
Philip Lieberman, president of Lieberman Software, said the scheme marked a challenge for corporations that extend beyond technology. “Changing a ship designed for commerce into one suitable for both trade and warfare takes time and wisdom,” said Lieberman, who called corporate culture “more powerful than capital investment” in the realm of cybersecurity. “The challenge is not the change in technology, but with the behavior of all involved.”
Tendler encouraged companies to up their prevention game. “The key for organizations is to prevent the initial breaches from occurring in the first place,” he said. “These types of attacks can be prevented, but only through aggressive monitoring of internal networks with a key emphasis on user behavior.”