by James Rosone
Cyber Saturday
Tampa, Florida
JP Morgan Chase
Dennis Hall placed his Starbucks latte on his desk as he pulled out his laptop from his backpack and began the process of linking up to the corporate network. Between his three computer monitors, keyboard, and mouse, he was now officially ready for the day. This was the one Saturday a month he worked in his security department’s weekend rotation.
Dennis loved writing code; he was fascinated with the concept of cyberattacks. To him, the ability of a single person or group to penetrate a company and completely run amok in their systems was amazing. He had been with JP Morgan for more than twelve years and had watched the organization evolve and grow, especially after the 2008 financial meltdown. He had just finished college the year before the collapse with a bachelor’s degree in computer science and network administration, and he counted himself lucky to have landed the job when he had. When he’d started at the bank, he’d quickly risen through the ranks as a knowledgeable cyber leader, eventually becoming one of the department heads in charge of the bank’s cyber defenses.
Logging into his system, he went through his initial checklist of things he usually performed when he arrived at work. He perused the incident logs and incident reports, looking for anything suspicious that one of his other teammates might have found. He immediately spotted a red flag in something that one of the analysts had posted just a few minutes ago. Seeing that no one had fully looked into it yet, he grabbed the incident report to see what was going on.
As he read the report more closely, he noticed something unusual. An employee from the credit card side of the bank had gained access to the bank’s records system.
“Hmm…you’re not allowed to be in there,” he thought. He immediately searched to see what the unauthorized person was looking for. Following the trail of the intrusion, he shadowed each click the person had made, taking him deeper and deeper into the credit card records—from records of individual credit card programs, to individual state records, to entire branch records. Then, to his horror, he discovered that the individual was systematically deleting millions of credit card records.
Dennis tried to intervene at once. However, as he tried to put a wrench into the intruder’s actions, he saw that they had moved from the current live records to the backup files stored at Iron Mountain, their off-site backup vendor. “How the hell is this guy accessing all of these records?” he wondered. No one should have that level of access.
Dennis reached for his phone and hit the speed dial button to call the corporate security desk, which was manned twenty-four hours a day.
“Security, this is Jim,” came a stern voice on the other end.
“Jim, this is Dennis at the insider threat desk. We have an emergency, and I need you to physically stop an employee who is currently inside the New York City office at once! He’s sitting at desk 18E 12W.”
“Oh, wow. OK, we’ll send a couple of people up there now and lock his access card out,” replied Jim. He immediately started to talk to a few other people nearby.
“Jim, you have to make sure this guy doesn’t escape the building, and call the police,” said Dennis urgently, praying the man on the other end could still hear him. “I’m calling the FBI and Secret Service. This is huge. Don’t let him get away!” He stayed on the phone just long enough to make sure his message had been received, and then he hung up the phone and prepared to place an additional call to his own boss.
Standing at his desk, he waved for one of the other employees manning the twenty-four-hour office to come over. While talking to his boss, he pointed at his monitors. The employee bent down and looked at what was going on, and her eyes grew wide as saucers.
“Holy crap!” she exclaimed.
Dennis desperately tried to cut the guy’s access to the system off, but nothing was working.
“What do you mean, you can’t cut his access off?” his boss shouted angrily over the phone.
“He’s got admin level access. I have no idea how he obtained it, but his access is above my own. I think it’s even above yours,” Dennis explained.
“I’m heading into the office now. Make sure security detains this guy, you understand?” The call ended abruptly.
A few minutes went by, and then Jim from security in New York called him. “Dennis, we’ve got a security team at that desk location, but there’s no one there. It’s empty. I’ve got my guys locking down the entire building, and the police are on the way. Can you see if he’s still on the computer? Could he have remoted into this terminal?”
Dennis’s mind was racing, trying to figure out what was happening. Maybe the intruder had hacked into this employee’s account and was remotely logging in using a stolen admin login. Dennis looked at the admin code and quickly tracked it down to the bank’s Chief Information Security Officer, his boss’s boss.
“How in the world could these hackers have gotten the CISO’s admin code?” Dennis thought. His mind was practically exploding.
*******
Washington, D.C.
White House, Situation Room
“What do we know about this cyberattack taking place at JP Morgan?” asked Josh Morgan, President Foss’s Chief of Staff. He wanted to get up to speed on things before the President joined the meeting.
Kevin Hampton, the Treasury Secretary, spoke up first. “It’s a disaster is what it is. Whoever these hackers are, they managed to get inside the bank’s credit card records, and they systematically wiped them out. They not only deleted the records, they managed to destroy the backup records at Iron Mountain, which is no small feat.”
Josh looked at the Director of Homeland Security and the FBI Director for an explanation. Maria Nelson jumped in. “We’re still gathering all the facts, but what we know right now is that someone coopted a work terminal in the New York office and remoted in from an unknown location to initiate the hack. Once they had gained access to the system, the intruder used the Chief Information Security Officer’s administrative access, which gave them complete access to the entire bank’s system. They then used that access to wipe out every trace of credit data on the roughly 43 million Americans who had a Chase credit card. At the time of the hack, those accounts had balances of roughly $274 billion.”
Josh sat up a little straighter in his chair as he heard the number, then crunched his eyebrows a bit. “Are you saying JP Morgan just lost $274 billion?” he asked incredulously. “What happened to the money? Are the individuals whose accounts were affected still liable for their balance?”
“That’s what I’m talking about, yes,” Nelson confirmed. “As of three hours ago, JP Morgan effectively lost the records of $274 billion. It’s gone. With no electronic record at the bank or their off-site locations, they have no way of saying how much each individual person actually owes. When word gets out of how severe this hack was and how much money essentially just evaporated at the bank, it’ll collapse. Their stock will tank.”
Molly Emerson, the DHS Director, added, “This is much bigger than just JP Morgan. If this could happen to them, who’s to say it can’t or won’t happen to the other banks? For all we know, the hackers could have placed additional viruses or trojan horses in the Iron Mountain facility, just waiting to be activated. This could be the first domino to fall in the complete monetary collapse of our economy.”
Kevin Hampton, the Treasury Secretary, moaned and rubbed his head.
Nelson shot him a look as if to say, “You don’t have to be so dramatic.” She cleared her throat, then offered, “We think we might have a lead on who perpetrated the attack.”
All eyes turned to her.
“You’d better be absolutely sure about that before you tell the President,” Josh asserted. “He’s going to want to respond to whoever did this to us, and I’m pretty certain he’ll be using the military to do it.”
Before Maria Nelson had a chance to reply, the President walked in, along with Secretary of Defense Jim Castle and Admiral Meyer, the Chairman of the Joint Chiefs.
Signaling for everyone to take their seats, the President said, “I assume the news about this hack is pretty bad for you to have called everyone in like this.”
Josh looked at the President and nodded. “I’m afraid it is, Mr. President. I believe Secretary Hampton should probably give you the initial brief before Homeland and the FBI present what they know.”
Hampton looked like he was going to be sick, but he nodded and then proceeded to get the President up to speed on what had transpired. The President, for his part, kept his poker face on. Then Homeland spoke, followed by the FBI.
Sitting back in his chair, President Wally Foss looked at the ceiling, not saying much, just thinking. Then he sat forward, placing his hands on the desk in front of him as he made eye contact with the Treasury Secretary. “Kevin, I understand the electronic records at Iron Mountain were destroyed along with the bank’s internal electronic records, but if I’m not mistaken, there are printed copies of all the statements of these accounts kept as well. Surely the bank can reconstruct the accounts based on the written copies,” he offered.
Secretary Hampton just shook his head. “That was true as of a few years ago, Mr. President. However, as part of many of the banks’ efforts to ‘go green’ and cut costs, many of the financial institutions made several changes to their data storage procedures. First, they began storing data on their own electronic databases as opposed to using paper copies. Second, many of them have moved most of their databases to the cloud, thus cutting storage and security costs tremendously, since the cloud providers provide their own protection. Some banks use Iron Mountain as an additional safety mechanism to back up data on digital storage farms, but again, those are not physical copies. A few banks use a hybrid function where their records are backed up to the cloud at set intervals. If JP Morgan had been using a hybrid function, then yes, there would still be an alternative digital set of their records. However, when I spoke with the CIO at JP Morgan before coming to this meeting, he told me they had transitioned entirely to the cloud three months ago. With Iron Mountain gone, and their records at the cloud provider gone, they have no way of reconstructing them.”
“OK, I’m not understanding something, then. I could understand how the records in the cloud were hacked and deleted—someone used the CISO’s admin password to go into their files at the cloud provider and deleted them all. But how was that same individual able to delete the backups at Iron Mountain? Aren’t there procedures in place to make sure something like this couldn’t happen?” the President demanded.
“I can answer this question,” FBI Director Maria Nelson said. She had previously been the Science and Technology Director at DHS, so she had a deep IT background. The President nodded for her to go ahead. “Several decades ago, Iron Mountain, along with several other cloud storage companies, began to build out a series of hardened facilities to handle large-scale data storage. In some cases, they were even acquiring decommissioned ICBM silos and turning them into enormous server farms, just like the three-acre server farm the FBI has in Clarksburg, West Virginia.
“The JP Morgan backups were stored at two separate locations. One is located in northern New York, and the second is in an old ICBM silo in Kansas. Both of these locations are impervious to EMPs, earthquakes, fire, flood and any other natural disaster. When the bank transmits their backup to Iron Mountain, it takes nearly eighteen hours to complete because of the size of the files, so it’s done on a Saturday afternoon. When the data hits the New York site, Iron Mountain then promulgates the data to the second backup site at the same time. That is how the hacker was able to delete the entire backup. When the transfer started from the bank to Iron Mountain, the hacker was able to ride the connection from one location to the other and then delete everything. We’ve asked Iron Mountain to immediately stop any concurrent backups until we can figure out how deep and wide this penetration within the banking sector is,” she explained.
Foss turned his head slightly and let out a soft sigh. “OK, clearly the damage is bad, and as of right now, it appears it’s permanent unless something else turns up. What I want to know is, how is this going to affect the bank, and what can be done about it? Then I want to know who our suspects are, so we can figure out an appropriate response.”
Secretary Hampton replied, “I’ve been thinking about how this is going to impact the bank, Mr. President, and there are multiple ways to look at it. JP Morgan essentially just lost $274 billion, and there is no way the bank is going to make up that kind of loss, so it’s going to have to be written off. The problem is the bank’s valuation is roughly $99.62 billion, so the loss is over two and a half times the institution’s value—essentially, it’s instantly going to be insolvent. This problem is huge, Mr. President. We aren’t just talking about people’s credit cards being affected. If the bank is dissolved, we’re talking about tens of millions of people’s bank accounts being wiped out, along with their mortgages, savings, and worse, all the investment accounts tied to the bank would also be affected. This is going to tangentially impact the majority of the country, and it could lead to a complete collapse of our financial system.”
Hampton continued, “You see, banks lend money to each other, especially investment banks, which often share debts, loans, and investments with each other. These financial institutions have everything from mutual funds and EFTs to kids’ 529 college funds. Because of the bank’s current financial situation, their entire portfolio would have to be sold off at a discount, which means a lot of people are going to lose money. That’s not to mention all the money people had in savings accounts at the bank or the value of the bank’s stock itself. All of that will be at zero once word of this gets out. To make matters worse, Americans will likely fear this could happen at their own bank and will rush financial institutions all over the country just like the beginning of the Great Depression to pull their money out and make sure they don’t also lose everything they own. Do you understand the scope of the problem, Mr. President?”
“I think we need to get Wendy Oliver from the Fed over here,” the President ordered, tilting his head toward Josh to make it happen. “We need to figure this out before we leave this room, or it’s going to be massive panic before the end of the day. What are we doing to make sure this information doesn’t get out?” he asked. The gravity of the situation had now fully set in for him.
FBI Director Maria Nelson answered. “I’ve had my agents detain everyone involved who has any knowledge of what’s happened for the time being. Right now, we’ve told them they’re helping us figure out how this happened, and thus far, they’re going along with that and have been a big help. Unfortunately, though, we can only hold them for so long before some of them start to protest.”
The President nodded. He knew Director Nelson hated to use the FBI to hold American citizens without charges, but thankfully she’d recognized that it was for the greater good to keep this under wraps until they figured out what to do next. If this got out to the news before they had a plan in place, it would cause a mass panic.
“OK, we’ll resume that discussion when Wendy arrives. Until then, I want to know who our suspects are.”
DHS Director Molly Emerson spoke up. “The CISO, Preet Jindal, is of Indian-American descent, so we immediately suspected him. However, he came back clean. That still didn’t explain away how his admin code had been obtained and used. It was his code that ultimately led to this catastrophe, so we dug deeper into his family to see what we could find. We managed to get a FISA warrant issued twenty minutes after we’d learned it was his credentials used in the attack. Using the warrant, we grabbed his entire electronic profile and that of his family, along with everyone he’s been in contact with that in any way looked suspicious.
“This search led us to his wife, Aarushi. While Preet is a second-generation American, his wife was born in Mumbai and still has extensive family back in India. Preet and his wife met during a trip he made to visit family some twenty-six years ago. They’ve been married now for twenty-three years and have five children: three boys and two girls, ranging from twenty-one to sixteen. Their eldest son is currently serving in the Air Force as a linguist at the NSA. Their second son is in the Army, and he’s currently part of 81st Infantry Brigade, which, ironically, is part of the ground force currently in the Bay of Bengal. Their other children are exempt from military service while the older two are currently serving.”
“Hmm,” said the President, in a tone that said, “Could we please speed this up?”
Molly flipped a page on her notepad, then continued. “The wife, Aarushi, has two brothers serving in the Indian Army. One was a colonel who served in Siberia—he was killed last October. Her second brother perished in the battle of St. Petersburg. Shortly after his death, she made contact with someone on an Indian chat board we regularly monitor. Combing through the chats and activity, we learned that she apparently met this person a couple of times in person. We used the Google geotracking on her phone to place her at several locations we’ve had under surveillance as known meetup locations for Indian intelligence. We believe it was at one of these meetings that she was recruited to their cause and then passed her husband’s admin credentials to them.”
“OK, so where is this person?” the President insisted.
“We have her under surveillance right now,” FBI Director Nelson answered. “She’s still at home with her family, and she hasn’t tried to leave yet or done anything suspicious or out of the ordinary. Do you want us to grab her right now?” she asked.
“No, not yet,” said the President. “We need to sort through things here first before we grab her. Taking her into custody is going to lead to speculation, and until we have a plan in place, we can’t risk this information getting out.”
Moments later, the Fed Chairman, Wendy Oliver, walked in. Seeing that she was late to the party, she plopped down at her seat next to Hampton. “I’m sorry I was late in getting here—traffic was brutal. I have, however, been on the phone with my team to discuss this problem, and I’ve read the quick blotter the FBI and DHS sent over to me. Can you guys take a minute to get me caught up?” she asked as she pulled out a pen and pad of paper.