Authorities Closing In on Hackers Who Stole Data From JPMorgan Chase
It has become a familiar pattern: The computer system of a big American
company is breached, the personal information of tens of millions of
customers is stolen and a public outcry ensues. Rarely are the thieves
caught.
But last summer’s attack on JPMorgan Chase
— which resulted in hackers gaining access to email addresses and phone
numbers for 83 million households and small businesses — may break that
pattern of investigative dead ends in large corporate breaches.
Federal authorities investigating the attack at JPMorgan
are increasingly confident that a criminal case will be filed against
the hackers in the coming months, said people briefed on the
investigation. Law enforcement officials believe that several of the
suspects are “gettable,” meaning that they live in a country with which
the United States has an extradition treaty. That would not include
countries like Russia.
Indictments and arrests would be a notable victory for the Federal Bureau of Investigation and Preet Bharara, the United States attorney in Manhattan. In contrast, there have been no criminal charges in a December 2013 breach at Target,
where payment card data for 40 million customers was stolen, along with
the personal information of 70 million customers, or in the major
attacks against eBay and Home Depot involving hundreds of millions more customers last year.
Although the breach at JPMorgan did not result in the loss of customer money or
the theft of personal information, it was one of the largest such
attacks against a bank and a warning sign that the American financial
system was vulnerable.
Officials with the F.B.I. and Mr. Bharara’s office declined to comment on the investigation.
The JPMorgan case is advancing quickly partly because the attack was not
nearly as sophisticated as initially believed, and law enforcement
authorities were able to identify at least some suspects early on, said
the people briefed on the matter, who spoke on the condition they not be
named because they were not authorized to discuss the case. Law
enforcement officials also made the investigation a top priority given
that the Department of Homeland Security has declared the banking system
critical infrastructure, requiring additional protection from digital
attacks.
The JPMorgan investigation is being handled at the highest levels of law
enforcement, with the F.B.I. in New York assigning several senior agents
to the matter along with a top prosecutor with the computer crimes
division of Mr. Bharara’s office, the people briefed on the matter said.
Thomas Brown, a senior managing director with FTI Consulting and a former
chief of the computer and intellectual property crime unit for Mr.
Bharara, said law enforcement tends to aggressively pursue cases where
it has a better chance of sending a message of deterrence.
“The government has finite resources to deal with cybercrime and as a result
tends to look for cases which can create maximum impact,” Mr. Brown
said.
The intensifying hunt for the JPMorgan hackers comes as the bank, which has
said it spends about $250 million a year on digital security and plans
on doubling that in the future, wrestles every day with securing its
vast global network.
An internal assessment of the bank’s security found that by the end of
2014 the bank had made “significant progress” in reducing “severe patch
issues” in its digital network, but still had critical issues to
address. The January report to the bank’s cybersecurity business control
committee — a copy of which was reviewed by The New York Times — also
noted that one server did not have the latest antivirus protection, but
that it was being upgraded.
Patching holes in the bank’s network is critical because hackers exploited such
vulnerabilities to gain access to JPMorgan in the first place. Attackers
breached a server that had not been upgraded with so-called two-factor
authentication, The Times previously reported.
Double authentication schemes, which are now considered industry
standard, require a second, one-time password for employees to gain
access to a secure system. Without that second password requirement,
hackers were able to breach a server using the stolen login credentials
for a bank employee.
Once inside, hackers gained high-level access to more than 90 servers, but
they were stopped before they could move customers’ financial
information to their servers abroad.
The internal review also noted that JPMorgan recently increased its
requirements for giving people the highest level of access to the bank’s
network. It did so, according to the review, to minimize the risk of
“catastrophic technical or reputational damage to the firm.” JPMorgan
now limits so-called “high security access” to bank employees who must
submit to annual credit screenings and criminal background checks. The
bank now also conducts a “routine review” to make sure that high
security access is justified for a particular person.
A JPMorgan spokeswoman declined to comment for this article.
Federal authorities said the lack of prosecutions in big breach cases is often a
reflection of the fact that the attackers are cloistered away in
countries where the ability to make arrests is limited.
In May, the Justice Department indicted
five members of China’s People’s Liberation Army in connection with
hacking attacks. None have been apprehended. And in December, the White
House took the unusual step of identifying, and pledging retaliation
against, North Korea for a destructive attack at Sony Pictures, without filing a criminal case.
“The bad news is that many of these folks are located overseas, and they are
using encryption and servers all over the world,” said Leslie R.
Caldwell, the assistant attorney general for the criminal division at
the Justice Department. “But the good news is if we are able to jump on
the breach early enough, we have an electronic trail and can get that
evidence.”
In many cases, hackers also wait before they use the data they steal to evade detection.
“We’ve seen them steal and then store or secrete the data for long periods of
time,” said Joseph M. Demarest, the assistant director of the F.B.I.’s
cyber division. “We see them evolve their skills and trade craft and
monetizing.”
Federal authorities have had some successes. One of the more notable was the
successful prosecution of Albert Gonzalez for a string of hackings that
netted more than 90 million credit and debit card numbers from TJ Maxx,
Heartland Payment Systems and other companies between 2005 and 2008. Mr.
Gonzalez was convicted and sentenced to more than 20 years in prison.
Still, Mr. Gonzalez was living in the United States, while many digital crimes are orchestrated by criminals abroad.
The authorities are sometimes forced to wait until suspects travel to
places where an arrest can be made more easily. It took federal
prosecutors five years to extradite Vladimir Drinkman, a Russian national who was charged with working with Mr. Gonzalez.
Mr. Drinkman was arrested in 2012 while on vacation in Amsterdam, but his
extradition was delayed after the Russian government tried to intervene
by filing its own extradition request with the Dutch courts. In
February, Mr. Drinkman arrived in the United States to stand trial in
federal court in Newark after a Dutch judge approved the United States
government’s extradition request.
Other Russian nationals charged with hacking have avoided trial altogether. Aleksandr Kalinin,
a Russian national indicted by federal prosecutors in New York in 2013
in an attack on the Nasdaq stock market and in other hackings, remains
at large.
“Some of the data breaches may have fallen off the radar, but they aren’t off
our radar,” Ms. Caldwell said. “We have a number of cases where we have
indictments under seal.”
Edward W. Lowery, the head of the Secret Service’s criminal investigations
unit, said international cooperation in hacking cases had increased in
recent years, particularly in Western Europe.
But there are still blind spots, said Mr. Lowery, citing “Eastern European
countries, where law enforcement looks the other way.”
Reviewed by Unknown on 3/16/2015