Experts: Stock-Trade Attacks WidespreadNew Report Raises Questions About Cyber-Espionage Schemes
A new report from security vendor FireEye about the emergence of cyber-attacks aimed at the accounts of high-level executives at publicly traded corporations for the purpose of "obtaining an edge" in stock trades has raised some questions among financial fraud experts.
Some security experts say that while these types of attacks, which revolve around spear-phishing campaigns whose ultimate purpose is to exfiltrate e-mail exchanges about confidential and anticipated market movements, are concerning, they are not new, and are much more widespread than FireEye's report suggests.
In its Nov. 30 report, FireEye identifies a group known as FIN4 that it says has been waging cyber-espionage attacks against more than 100 public companies and advisory firms since mid-2013.
But Tom Kellermann, chief cybersecurity officer at the security firm Trend Micro, says the new research report is "not groundbreaking," noting that market manipulation by cyber-attacks began back in 2002 and exploded after 2005 - a point noted by The World Bank in its May 2005 Capital Markets and E-fraud paper.
Kellermann says it's not clear why FireEye's report calls out only one threat group, FIN4, when numerous groups have been waging these types of attacks since the dawn of the global financial crisis.
After the financial crisis of 2008 and 2009, a small percentage of the thousands of banking and financial professionals who were left jobless offered financial acumen and strategic knowledge to the underground economy, he says.
And Will Woodward, an analyst for the consultancy Aite, says it's unlikely that FireEye has uncovered the full extent of this type of cyber-espionage activity.
"FIN4 is most likely not the only cybercrime organization doing this," Woodward says. "This is not the first time an attack of this kind has occurred."
In a blog, FireEye says, "FIN4 appears to conduct intrusions that are focused on a single objective: obtaining access to insider information capable of making or breaking the stock prices of public companies. The group specifically targets the e-mails of C-level executives, legal counsel, regulatory, risk and compliance personnel, and other individuals who would regularly discuss confidential, market-moving information."
More than 75 percent of the targeted organizations are healthcare and pharmaceutical companies, FireEye reports. Other targets include law firms, investment banking firms and investor relations firms, among others. FireEye says healthcare and pharmaceutical businesses are most often targeted because their stocks can be more fluid after news breaks about new clinical trials, regulatory decisions, or safety and legal issues.
What's more, FireEye reports that all of these stock-market-manipulation cyber-attacks appear to have been waged by native-English-speaking hackers who have in-depth knowledge about how stock information is exchanged.
FireEye did not reply to Information Security Media Group's request for comments beyond those in its blog.
Detecting fraudulent trading can be especially difficult with pharmaceutical stocks, Aite's Woodward says. Pharma stocks are notorious for insider manipulation, since many of these stocks are sold or managed through informal trading practices, he adds.
"Most major exchanges have the market surveillance capabilities to detect serious anomalous trading activity, such as stock run-ups, as it is a common type of insider trading before big announcements," Woodward explains. "The danger is when the shares are traded over-the-counter [through a dealer network rather than on a formal exchange such as the New York Stock Exchange], which many pharmaceutical stocks are, because then the detection mechanisms at the exchange level are not always sufficient."
But what's most concerning about the spear-phishing attacks noted in FireEye's report is that they are actually being waged against law firms that represent these publicly traded companies, Trend Micro's Kellermann says.
Once the hackers have e-mail credentials for leading executives at these law firms, they send communications, feigning to be from the attorneys themselves, about stock prices and trading to the companies they are targeting, he says.
Andrew Komarov, CEO of cyber-intelligence firm Intelcrawler, says the techniques used by the attackers are well known in the industry and should be relatively easy to defend against. But because most advisory firms, such as law offices, do not have the same layers of cybersecurity to protect and monitor e-mail and other Internet communications that publicly traded companies do, they are easy targets for hackers.
And Kellermann says organizations are often too trusting of correspondence appearing to come from their attorneys.
"There is implicit trust with the credentials of high-ranking attorneys," he says. "The information that law firms are sharing is very sensitive when it comes to these types of trades, yet these firms are still relying on 10-year-old technology, like encryption and firewalls, basic perimeter defenses. ... There has to be a higher standard of care when dealing with outside counsels - correspondence has to go far and beyond basic encryption."
Organizations should ensure the law firms and other advisory firms with which they work have an understanding of cybersecurity, Kellermann says. By investing in layers of security, that include advanced e-mail monitoring, these firms can greatly reduce their risks, Kellermann points out.