FBI on watch as hackers’ victims weigh illegal retaliation

At a 2013 meeting, JPMorgan Chase & Co. advocated that banks strike back against hackers from offshore locations, according to a person familiar with the conversation.
(Stan Honda / AFPGetty Images)

The hacked are itching to hack back.

So say a dozen security specialists and former law enforcement officials who described an intensifying sense of unease inside many companies after the recent breach of Sony Corp.'s networks.

U.S. officials have shown little appetite to intervene as banks, retailers, casinos, power companies and manufacturers have been targeted by foreign-based hackers. Private-sector companies doing business in the U.S. have few clear options for striking back on their own.

That has led a growing number of companies to push the limits of existing laws to consider ways to break into hackers’ networks to retrieve stolen data or even knock computers offline to stop attacks, the cybersecurit professionals said in interviews. Some companies are enlisting cybersecurity firms, many with military or government security ties, to walk them through options for disrupting hacker operations or peering into foreign networks to find out what intellectual property the hackers may have stolen.


In one case, the FBI is looking into whether hackers working on behalf of any U.S. financial institutions disabled servers that were being used by Iran to attack the websites of major banks last year, according to two people familiar with the investigation. JPMorgan Chase & Co. advocated such a move in a closed meeting in February 2013, these people said. A bank spokeswoman said no action was ever taken. Federal investigators are still trying to determine who was responsible, the people said.

“It’s kind of a Wild West right now,” said Rep Michael McCaul (R-Texas), chairman of the House Homeland Security Committee. Some victim companies may be conducting offensive operations “without getting permission” from the federal government, he said.

“They’re very frustrated,” McCaul said of these firms.

Although many companies discuss hacking in retaliation in the immediate aftermath of a breach, almost none follows through, said Kevin Mandia, founder of Mandiant, the FireEye Inc. division responsible for investigating the Sony breach and other high-profile hacking cases. Efforts to retaliate can make things worse, he said, because attackers who aren’t purged from the network could escalate the assault or increase attacks on other companies targeted by the same group.

“When data leaks out, it’s like a supernova exploding — you can’t put a lid on it unless you’re like two seconds behind it, and even then I don’t think you can,” Mandia said.

After the Sony attacks, someone appears to have struck back. Fake copies of “Fury,” “Annie” and other leaked films began appearing this month on file-sharing sites, slowing the computers of people trying to download the movies and crippling torrent sites disseminating the files, said Tal Klein, vice president of strategy at Adallom Inc., a Palo Alto, Calif., security company. The fake files have now largely been eliminated as file-sharing sites have used rating systems to blacklist the decoys, he said.

Sony declined to comment on the fakes or on any steps the company is taking to recover from the breach.

In the U.S., companies are prohibited by the 30-year-old Computer Fraud and Abuse Act from gaining unauthorized access to computers or overloading them with digital demands, even to stop an ongoing attack.


The act exempts intelligence and law enforcement activities, allowing the government to respond more aggressively than private-sector firms. There’s little indication, though, that military and intelligence agencies have used their most powerful tools to shut down attacks on businesses, as the U.S. has attempted to address foreign-based hacking through diplomacy and the courts.

U.S. law enforcement agencies appear to give security companies more leeway when it comes to breaching computers to gather intelligence on the hackers or discover what data they took, according to a former law enforcement official. Such work is “widely done” by security firms, said Tom Kellermann of Trend Micro Inc.

Last year’s discussion among banks about retaliatory strikes came after a wave of so-called denial of service attacks starting in 2012 that temporarily disabled several of their websites. The U.S. attributed the attack to Iran’s Quds Force, McCaul said. Iran denied being behind the strikes.

In February 2013, U.S officials met with bank executives in New York. There, a JPMorgan official proposed that the banks hit back from offshore locations, disabling the servers from which the attacks were being launched, according to a person familiar with the conversation, who asked not to be identified because the discussions were confidential.


Within JPMorgan, the idea had been vetted, according to a second person familiar with the incident. Some of the people at the New York meeting — which included FBI and Treasury Department officials, as well as representatives of Citigroup Inc., Goldman Sachs Group Inc. and the New York Stock Exchange — dismissed the idea on legal grounds, the two people said.

Federal investigators later discovered that a third party had taken some of the servers involved in the attack offline, according to the people familiar with the situation.

Based on that finding, the FBI began investigating whether any U.S. companies violated anti-hacking laws in connection with the strike on those servers, according to people familiar with the probe.

JPMorgan spokeswoman Trish Wexler said the JPMorgan employee didn’t put forth a formal plan at the meeting and that the bank wanted the government to do more to stop the attacks. The FBI questioned JPMorgan representatives about the incident and appeared to be satisfied that the bank wasn’t involved in hacking, Wexler said.


Representatives of other attendees, including the New York Stock Exchange, Citigroup and Goldman Sachs, declined to comment when asked this month about the meeting.