The late August news from JPMorgan Chase rocked the world of info security when the huge money center bank reported it had been breached, apparently by hackers who were said to be affiliated with a nation state.
Several media outlets, including the New York Times, said large amounts of checking and savings account data were stolen. While the purpose of the thefts is not known, the bank said it was not seeing any unusual or unusually high volumes of fraud in its network.
With details still emerging about the JPMorgan Chase breach, credit union executives may be wondering if their operations can withstand a nation state level advanced persistent threat attack or even if they've already been penetrated. According to some experts, the answer may be a pessimistic one.
In an Aug. 29 statement to CU Times, Philip Lieberman, president/CEO of Lieberman Software, a Los Angeles-based security service management firm, said that the apparent ease with which the attackers overcame the JPMorgan Chase defenses raised profoundly worrisome questions.
"The ability to overcome the typical financial defense-in-depth strategy outlined by JPMorgan points to capabilities that go beyond criminal activity and are in the realm of nation state capabilities," Lieberman said.
He added, "JPMorgan and similar entities employ sufficient technology to protect themselves from criminals, but typically fail to invest enough in technology and process to shield (them) from nation state's ability to access their systems at will."
Lieberman said the lesson to be learned is that the financial services sector needs to up its cybersecurity game to move up from commercial security to military level security.
"Most banks are focused on obtaining passing grades from internal and government cyber security auditors, but fail to place enough emphasis on the real and constant threats from the outside," he explained.
An advanced persistent threat differs from run-of-the-mill hacks in that most hackers are opportunistic – not much different from the smash-and-grab crooks who shatter a car window to scoop up an iPad left on a seat.
An APT attack starts with a target and the hackers stick with it until they penetrate it or are called off by their masters. They keep on coming be it through phishing, social engineering, automated probing or zero day vulnerabilities. Experts talk about APT assaults that went on for many months before, suddenly, the attackers got in.
"The attack sophistication has gone off the charts," said Gene Fredriksen, global information security officer at PSCU, the St. Petersburg, Fla.-based payment services CUSO. "Everybody, now, is seeing this kind of attack."
The vast majority of credit unions rely on a combination of a firewall and anti-virus tools for defense against hackers, according to some experts. Their other defense is believing they are too small to be on the radar of top level hackers.
But that just is not so, said Kirk Drake, founder and CEO of Ongoing Operations, a disaster recovery services CUSO in Hagerstown, Md.
"My general feeling is that credit unions greatly underestimate the potential for them to get caught up in a geo-political issue and do not have any of the tools in place to detect or deal with something of this nature," Drake said.
Just why might a nation state want access to financial records of members? And keep in mind that in many cases, APT is not aimed at theft of money but typically focuses on theft of intellectual property and espionage.
Think about a credit union with a field of membership inside the beltway or, perhaps, members who work at large technology companies or at a company negotiating a contract with a nation suspected of sponsoring APT attacks, such as Russia, China and others.
Years ago, nation states devoted human resources such as spies to gather insights into the spending practices and bad habits of potential information sources: Who is cheating on his or her spouse, who overspends, who is facing imminent default on big bills or who has substance abuse issues? Much of that information can be gleaned by using data analytics to sort through account activity.
Then what? It's hard to say because no one is prepared to assert that there are known cases of APT at credit unions. But, insisted one info security expert who requested anonymity because of the sensitivity of his position in the industry, "it is very possible that this has already happened at credit unions. Most would not know if it had."
As far as the technical defenses credit unions have in place, some experts have quickly dismissed their value where APT is concerned.
"Credit unions are over-relying on perimeter defenses. They are wide open to APT attacks," said Tom Kellermann, chief cybersecurity officer at Trend Micro Inc., a Chinese security software company based in Tokyo, Japan.
APT professionals have shown they can breach perimeter defenses and, therefore, tools are needed that monitor activity inside the firewall. Few credit unions have such defenses in place, according to some experts. These tools often hunt for what's called anomalies or behaviors that do not fit the norm of a user's behaviors. An anomaly is not proof of guilt, but it is cause for inquiry, some experts believe.
Chris Morales, practice manager, architecture and infrastructure with NSS Labs Inc., an information security research and advisory company in Austin, Texas, offered a suggestion on what else is needed to protect against APT.
"You need to start paying more attention to what's leaving the network than on protecting the perimeter," he explained.
The reason: to achieve their goals, APT hackers have to export the information they have harvested.
"You need continuous monitoring of outbound traffic," Morales advised. "Credit unions are an easy target because they are cheap. They are known as an easy target."
Dana Wolf, senior director for products with OpenDNS, an Internet security network firm in San Francisco, agreed.
"You can stop data from being siphoned out. But you cannot defend the perimeter any more. It would be foolish for credit unions to think they have not been penetrated."
Carl Herberger, vice president of security solutions with Radware, an integrated application delivery and network security company based in Tel Aviv, Israel, insisted that the fight against APT is a dynamic struggle and that the enemy is continuously honing its skills.
"APT techniques are discarded like last year's car models," he said. "There is continuing improvement."
For instance, a few years ago, much of APT defense revolved around tracking particular Internet protocol addresses, which are often considered to be digital fingerprints, but that protection no longer works, he added.
Why? Hackers recognized they were hunted on the basis of their IPs so many now randomize the addresses, said Herberger, meaning that they are constantly changing.
Historically, log file reviews were a cornerstone of good APT defenses. Nobody is suggesting that institutions stop reading traffic logs, but these days, frontline APT defense leaders say that tactic will no longer uncover the best-of-breed APT hackers precisely because of their dynamic use of IP.
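The contrast between IP-based hunting and the outbound monitoring Morales describes can be shown with a short sketch. This is an added illustration, not code from the article or from any of the experts or vendors quoted; the host names, addresses, blocklist entry and threshold factor `k` are all assumptions constructed for the example.

```python
from collections import defaultdict
from statistics import median

# Constructed sample egress records: (hour, internal host, destination IP, bytes sent out).
# Addresses come from documentation ranges; none of this is real traffic.
BASELINE = [(h, "teller-07", "198.51.100.10", b)
            for h, b in enumerate([410_000, 395_000, 430_000, 402_000, 418_000, 399_000])]
BASELINE += [(h, "core-db-01", "198.51.100.20", b)
             for h, b in enumerate([90_000, 85_000, 88_000, 92_000, 87_000, 91_000])]
# Observation window: core-db-01 sends bulk data to a destination that changes every hour.
OBSERVED = [
    (6, "teller-07", "198.51.100.10", 421_000),
    (6, "core-db-01", "203.0.113.5", 2_400_000),
    (7, "core-db-01", "203.0.113.77", 2_650_000),
    (8, "core-db-01", "203.0.113.140", 2_300_000),
    (8, "teller-07", "198.51.100.10", 408_000),
]
# Hypothetical static blocklist built from an address seen in an earlier campaign.
BLOCKLIST = {"203.0.113.200"}

def blocklist_hits(flows, blocklist):
    """IP-based detection: flag flows whose destination is a known-bad address."""
    return [f for f in flows if f[2] in blocklist]

def hourly_bytes(flows):
    """Sum outbound bytes per (host, hour), ignoring the destination address."""
    totals = defaultdict(int)
    for hour, host, _dst, nbytes in flows:
        totals[(host, hour)] += nbytes
    return totals

def egress_anomalies(baseline, observed, k=6.0):
    """Flag (host, hour) totals above median + k * MAD of that host's baseline."""
    per_host = defaultdict(list)
    for (host, _hour), total in hourly_bytes(baseline).items():
        per_host[host].append(total)
    alerts = []
    for (host, hour), total in sorted(hourly_bytes(observed).items()):
        history = per_host.get(host)
        if not history:
            alerts.append((host, hour, total))  # no baseline yet: surface for review
            continue
        med = median(history)
        mad = median(abs(x - med) for x in history) or 1
        if total > med + k * mad:
            alerts.append((host, hour, total))
    return alerts
```

With this constructed data the blocklist matches nothing because the destination rotates, while the per-host volume baseline flags all three hours of unusual outbound traffic from `core-db-01`. As the article notes, such an alert is cause for inquiry, not proof of compromise.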
Credit unions that want to ward off APT need to invest in continuous security upgrades because the attackers continue to sharpen their attacks.
"The perpetrators believe you will follow standard practices; they anticipate that," Herberger said. "You have to mix it up in your defense."
State sponsored attackers know the chapter and verse of mandatory compliance defenses. They are seeking to get in through uncharted vulnerabilities and they are paid to find them.
Hackers also are continually looking for an edge, Wolf said, adding that many phishing emails are sent to executives after work hours. Why then? Because after hours, she said, executives are more likely to use a machine that is off the network. On the network there may be enough built-in intelligence to ward off an attack, but after hours it's up to the executive.
Another step in fighting back includes enlisting employees' help, said Roel Schouwenberg, principal security researcher at Kaspersky Lab, an IT security company in Moscow, Russia. Much of APT involves phishing of employees by tricking them into giving up their login credentials.
Therefore, advised Schouwenberg, "It is extremely important to educate employees, and get them to be vigilant. Encourage employees to reach out to security."
An early warning sign may help a credit union short circuit an APT before it does a lot of harm.
Add it up and can credit unions win the APT battle? The experts contacted by CU Times didn't believe it was impossible but none believed that more than a handful of credit unions have actively engaged in fighting against what may be emerging as a primary attack vector – the nation state level APT.
"Credit unions are an easy target because they are cheap," Morales added. "They are known as an easy target. They lack the skill sets and the big budgets of larger financial institutions."
That's why OGO's Drake predicted there may be a regulatory requirement that credit unions install APT defense.
"I can't believe there hasn't been APT in credit unions already," said one source. "Most operate in ostrich mode and that is no defense against APT."