The late August news of a data breach at JPMorgan Chase rocked the world of fintech infosecurity: The huge money center bank was apparently hit by hackerssaid to be affiliated with a nation state.

Details remain scarce, but that does not matter to creditunions. What matters the question of whether credit unions couldwithstand a nation state level advanced persistent threatattack. Further, do credit unions really know if they havebeen penetrated already?

Fintech experts are abuzz with those questions.

Tighten your seatbelts because the ride gets bumpilypessimistic.

Advanced persistent threats, like those that hit JPMorgan Chase,differ from run of the mill hacks in a fundamental way.

Most hackers are opportunistic, not much different from asmash-and-grab crook who shatters a car window to scoop up an iPadleft on a seat.

APT starts with a target. The hackers stick with the targetuntil they penetrate it or are called off by their masters.

And they keep on coming.

Experts have described APT assaults that went on for many monthsbefore, suddenly, the attackers got in.

APTs use all manner of attack tactics, including phishing,social engineering, automated probing, zero day vulnerabilities andmore.

“The attack sophistication has gone off the charts,” said GeneFredriksen, global information security officer at St. Petersburg,Fla.-based CUSO PSCU. “Everybody now is seeing this kind ofattack.”

The vast majority of credit unions, experts said, rely on acombination of a firewall and anti-virus tools for defense againsthackers.

Believing they are too small to be on the radar is anotherdefense.

But that just is not so, Kirk Drake, CEO of Hagerstown, Md.-based technology CUSOOngoing Operations said.

“My general feeling is that credit unions greatly underestimatethe potential for them to get caught up in a geo-political issue,and do not have any of the tools in place to detect or deal withsomething of this nature,” he said.

Just why might a nation state want access to the financialrecords of credit union members?

Keep in mind that in many cases, APT is not aimed at theft ofmoney. It more typically focuses on theft of intellectual propertyand espionage.

Think about a credit union with a field of membership that worksinside Washington's Beltway. Perhaps members who work at largetechnology companies could become a target. Or, maybe members at acompany negotiating a contract with a nation suspected ofsponsoring APT attacks, such as Russia or China.

In days of yore, nation states devoted human resources – spies –to gather insights into the spending practices and bad habits ofpotential information sources. Who is cheating on his/her spouse?Who overspends? Who is facing imminent default on big bills? Whohas substance abuse issues?

Much of that information can now be gleaned by using dataanalytics to sort through account activity.

Read more: Have foreign spies already hacked yourmember data?

Nobody is prepared to assert that thereare known cases of APT at credit unions. But, insisted one verywell-placed information security expert, “It is very possible thatthis has already happened at credit unions. Most would not know ifit had.”

He requested anonymity because of the sensitivity of hisposition in the industry.

As far as the technical defenses credit unions have in place,experts quickly dismissed their value where APT is concerned:

“Credit unions are over relying on perimeter defenses. They arewide open to APT attacks,” said Tom Kellermann, a vice president atsecurity company Trend Micro, with headquarters in Japan.

APT professionals have shown they can breach perimeterdefenses. Therefore, tools are needed that monitor activity insidethe firewall.

Few credit unions have such defenses in place, experts said.

These tools hunt for anomalies; specifically, behavior that doesnot fit the norm of user behavior. An anomaly is not proof of anattach, but it is cause for inquiry, experts said.

Chris Morales, an analyst with Austin, Texas-based informationsecurity company NSS Labs, offered an example of what else isneeded to protect against APT.

“You need to start paying more attention to what's leaving thenetwork than on protecting the perimeter,” he said.

APT hackers, to gain their goals, have to export the informationthey have harvested. Therefore, he said, continuous monitoring ofoutbound traffic is needed.

“Credit unions are an easy target because they are cheap.They are known as an easy target,” he said.

Dana Wolf, an executive with OpenDNS in San Francisco, saidwhile institutions can stop data from being siphoned out, theycan't defend the perimeter anymore.

“It would be foolish for credit unions to think they have notbeen penetrated,” she said.

Carl Herberger, a vice president with Israel-based securitycompany Radware, insisted the fight against APT is a dynamicstruggle and the enemy is continuously honing its skills.

For example, Herberger said, while much APT defense of a fewyears ago revolved around tracking particular IP addresses, thatstrategy no longer works.

Why not?

Hackers realized they were being hunted on the basis of theirIPs, so many now continuously change them, Herbergersaid.

As a result, credit unions need to invest in continuous securityupgrades to ward off APT because attackers are always sharpeningtheir attacks.

Another step in fighting back is to enlist employees' help, saidRoel Schouwenberg, principal security researcher at Kaspersky Lab.Significant APT strategy involves phishing employees and trickingthem into giving up login credentials.

“It is extremely important to educate employees and getthem to be vigilant,” he said. “Encourage employees to reach out tosecurity.”

Employees should be trained to tell IT right away if they havebeen tricked by a phish, he added. That quick warning could help acredit union short circuit an APT before it does a lot of harm.

By following advice from experts, can credit unions win the APTbattle?

Experts who spoke with CUTimes said that's notimpossible. However, none said they believed more than a handful ofcredit unions had actively engaged in fighting against nation statelevel APT.

“I can't believe there hasn't been APT in credit unionsalready,” said a well-placed source. “Most operate in ostrich modeand that is no defense against APT.”