Cyber Espionage Group Diddles US Financial Sector by Manipulating Stocks

MOSCOW, December 1 (Sputnik) — One of America’s leading cybersecurity enterprises, FireEye Inc. has published a report today detailing possible stock market manipulations by a group of hackers who recently obtained merger-and-acquisition (M&A) data on more than 80 companies.

 

FireEye has revealed that a hacker group called FIN4 gained access to confidential corporate data and communications, as well as other classified information, by misleading lawyers, business advisors and even executives, resulting in massive information leaks. According to a report, published Monday, this information is possibly being used for insider trading, in violation of market rules and financial regulations.

 

 

FIN4 started hacking corporate emails in mid-2013 and has accessed corporate email accounts in more than 100 enterprises ever since, the study revealed.  The majority of the firms who were attacked are in the fastest-growing area of global economy, namely, pharmaceutics and healthcare. However, other sectors are affected as the leaked information includes data on enterprises in investment banking, investor relations firms and legal consultancies.

“FIN4 knows their audience. Their spearphishing themes appear to be written by native English speakers familiar with both investment terminology and the inner workings of public companies,” the report says. “FIN4 also uses existing email threads in a victim’s inbox to spread their weaponized documents. We’ve seen the actors seamlessly inject themselves into email threads. FIN4’s emails would be incredibly difficult to distinguish from a legitimate email sent from a previously compromised victim’s email account.”

The hackers are most likely based in North America or Western Europe and their ultimate goal appears to be gaining competitive edge in the prosperous segments of the financial sector, where sensitive information like clinical tests, legal procedures and regulative decisions impact valuations of stocks if leaked for a broader public access. FIN4 is very well-connected in the Wall Street, the study says, as their phishing emails are directed personally to each victim, showing an extensive acquaintance with the victim’s background. In some cases, some previously stolen confidential info was used to win the victim’s trust. Sometimes phishing links were emailed from the previously cracked emails of long-time customers of the victim.

“We suspect they are Americans, given their Wall Street inside knowledge,” FireEye’s Manager of Threat Intelligence Jen Weedon said as quoted by Bloomberg. “They seem to have worked on Wall Street.”

In each case, the victim was redirected to a fake email login page, where the victim’s password was stolen in order to gain access to their email account and any confidential data they may contain, the study revealed.

As opposed to Russia- or China-based hacker groups, FIN4 acts a lot smarter by not using malware to infiltrate deeper in the victim’s networking infrastructure, making the attack harder to detect. They steal precisely the information they need, which means that many victims do not notice the tiny breach of their cybersecurity.

“FIN4 has been observed creating a rule in victims’ Microsoft Outlook accounts that automatically deletes any emails that contain words such as “hacked”, “phish”, “malware”, etc,” the study says. This “likely buys FIN4 extra time before victim organizations detect their activities,” FireEye concludes.

The report also said that FIN4 may be using or selling the information they obtain in order to benefit on the predicted or artificially created stock market fluctuations. FireEye did not reveal  the identities of the FIN4 members, having said they lack enough data to say for certain.

“We cannot say for certain what happens after they gain access to insider information. What we can say is that FIN4’s network activities must reap enough benefit to make these operations worth supporting for over a year—and in fact, FIN4 continues to compromise new victims as we finish this report,” FireEye concludes.

However, FIN4 tactics are simple, meaning that basic security efforts will render their espionage efforts fruitless. FireEye suggests “disabling VBA macros in Microsoft Office by default”, “enabling two-factor authentication for OWA and any other remote access mechanisms” and “check their network logs for OWA logins from known Tor exit nodes” as legit users do not usually use Tor when accessing their email.