'We've seen a nation-state gain access to at least one of our stock exchanges, I'll put it that way, and it's not crystal clear what their final objective is,' says House Intelligence Committee Chairman Mike Rogers
Ummm to make money or destabilize our economy?
Makes one feel good that you are the head of the Intelligence Committee.
The problem with the final objective is that Nasdaq's IT security was (and probably still is) pretty incompetent, because once the bad guys were past the outer defences, there was very little internally to audit unusual activity. The BusinessWeek article uses the analogy of physically breaking into a bank versus breaking into a private home - the bank will have internal security sections, cameras, password-protected doors, and so on. So when determining what was taken, you can look at what areas the bad guys had access to and where they went. In a private home, there is the external alarm - once that is down, you have no way of knowing where the guys went unless they leave a physical trail. In this case, while it might be expected that Nasdaq would be the IT security equivalent of a bank, they apparently were the equivalent of a home owner who left the alarm deactivation code on a piece of paper taped next to the alarm console.
Let's try a few plausible options, based on the article. Determining the probable source of the hack/attack will help there.
The core of the malware used was a 0-day exploit kit that had previously been attributed to a team within the Russian FSB's electronic warfare group, suggesting that the Russians may be behind this. At the approximate time the hack took place, the Russians were combining their two domestic stock exchanges into what they planned as a single super-exchange to rival Nasdaq, NYSE, LSE in London and the Hang Seng in Hong Kong. Probably a dual-purpose reason: (a) increasing international prestige and economic diversification, and (b) preparation for pressurising large Russian companies whose stocks were listed on international exchanges to draw back and list exclusively on the new Russian exchange, thus reducing the potential leverage and influence that US and international governments would have over those Russian companies (thinking sanctions, as with the current situation in Ukraine). For the Russians therefore, a plausible action would be to hack the Nasdaq exchange servers and copy the software code that powers the exchange, so that they can use it or modify it for their own exchange - believe it or not, the code for the Nasdaq exchange is generally considered to be world-beating, so that would be a viable target.
Second, the CIA apparently found some information in the real world suggesting Chinese connections - the Chinese People's Liberation Army certainly had electronic warfare capabilities, and conceivably might plant an electronic bomb in the Nasdaq systems for use at a later date if it proved convenient. Equally, with the Chinese approach to IP and industrial espionage, hacking to steal the code in a similar way to the Russian scenario is possible.
Both of those governments' bureaucrats are often known to be corruptible and have links to organised crime, so there is another possible source for the attack, with the goal of either blackmailing Nasdaq or gaining access to the not-yet-public information stored on the compromised systems to give them advance knowledge of information that would move stock markets and prices (financial gain).
In determining the source of the attack, the origin of the malware used is not the greatest indicator - malware kits can be copied as easily as any other software, so either an actor within the FSB may have sold a copy to someone, or another hacker may have hacked a completely different system infected with that malware kit and downloaded the elements of the kit they could find, reverse-engineering the rest. So just because the FSB are credited with creating a previous version of this specific kit does not mean they are involved.
Lastly, looking at the capabilities of the payload may give some insight into the objective - a malware kit with a keylogger and dial-out facility to a C&C server is generally not going to be paired with a logic bomb to fry the infected system. So a system with a keylogger will be used for industrial espionage, while a logic bomb is an offensive, destructive weapon. The NSA's original analysis of the malware apparently indicated all sorts of interesting/terrifying capabilities. Given their extreme interest in surveillance of computer systems, if they chose to deliberately scare-monger and make this breach out to be more serious than it may otherwise have seemed, they could use that as leverage to expand their intelligence remit to be the gatekeepers of data security and cyberwarfare within the US - expanded influence, and also a much more free hand to conduct their own domestic surveillance. Plus, it is definitely conceivable that they would already have laboratory copies of the FSB malware kit that they could use when hacking Nasdaq.
So, there you have 4 other possible actors and objectives:
Russia: Domestic economic control over large businesses to reinforce geopolitical strength, and industrial espionage.
China: Industrial espionage, or the future possibility of electronic sabotage.
Organised crime: Extortion or industrial espionage for financial gain.
This is not to suggest that any of those groups actually did do this, or that, if they did, they did it for the reasons I have suggested. But it does indicate that there are a lot of possibilities out there, and Mike Rogers is a politician, so he is not going to start slinging mud at someone unless they give him a good quote as justification.