After a year of speculation about who was behind the massive attack against JPMorgan Chase in 2014, the U.S. Department of Justice is now naming names. The U.S. District Court for the Southern District of New York unsealed an indictment today naming Gery Shalon, Joshua Samuel Aaron and Ziv Orenstein as participating in the sprawling cyber-criminal enterprise that impacted millions of Americans and stole at least $100 million.
Both Salon and Orenstein are citizens and residents of Israel, while Aaron is a U.S. citizen who resided in the United States, Israel and Russia. The 23-count indictment against the three men describes attacks against multiple firms, including Victim-1, which is JPMorgan. The other victims include Dow Jones, Scottrade and eTrade.
According to the Department of Justice, from approximately 2012 to mid-2015, Shalon working with Aaron and others orchestrated the U.S. financial sector hacks, stealing personal information of more than 100 million customers of the victim companies. The single largest victim of the attacks is JPMorgan, which was first suspected of being attacked in August 2014.
JPMorgan only publicly admitted that it had been attacked in a disclosure made in an 8-K U.S. Securities and Exchange Commission (SEC) filing in October, months after the attack. In its filing, JPMorgan reported that 76 million households and an additional 7 million small businesses were affected by the attack.
“As set forth in the indictment, these three defendants perpetrated one of the largest thefts of financial-related data in history,” Attorney General Loretta E. Lynch said in a statement.
The attack against JPMorgan was not a one-off, simple affair. Rather, the indictment alleged that the attackers worked through at least 75 shell companies as well as myriad bank and brokerage accounts around the world to launder and manipulate funds.
The Justice Department indictment provides granular detail on how the attackers were able to execute their criminal enterprise. Of particular note is the allegation that in April 2014 Shalon made limited use of the infamous Heartbleed OpenSSL vulnerability. The Heartbleed vulnerability, which is a flaw in the open-source OpenSSL cryptographic library, was first disclosed on April 7, 2014.
“In April 2014, Shalon and his co-conspirators unlawfully accessed the network of Victim-2 by exploiting the so-called ‘Heartbleed’ vulnerability, which had, at that time, just been widely identified as a previously unrecognized security vulnerability that existed in computer network servers on a widespread basis,” the indictment states. “While they succeeded in gaining access to Victim-2’s network, shortly after they did so, Victim-2 recognized and repaired the Heartbleed vulnerability in its systems.”
Shalon, Orenstein and Aaron were first publicly identified in an FBI press release in July about charges made in connection with an elaborate money laundering scheme involving Bitcoin. At the time, there was media speculation that the arrests were related to the JPMorgan hack, though there was no official confirmation.
Manhattan U.S. Attorney Preet Bharara called the attacks “hacking as a business model.”
“The alleged conduct also signals the next frontier in securities fraud—sophisticated hacking to steal nonpublic information, something the defendants discussed for the next stage of their sprawling enterprise,” Bharara said in a statement. “Fueled by their hacking, the defendants’ criminal schemes allegedly generated hundreds of millions of dollars in illicit proceeds.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.