A cyber-security solutions vendor, FireEye, posted on its company blog yesterday that a cyber-threat group, dubbed FIN4, is trying to hack its way to insider-trading information. The group is targeting the confidential communications of many companies, including financial advisors. The hackers, who appear to be Wall Street-savvy, want to steal market-impact information about pharmaceutical and healthcare companies.
“At FireEye, we investigate cyber-threat activity that typically aligns with one of two goals: the pursuit of sensitive information to fulfill a government’s goals, or the theft of data for financial gain,” according to the authors of the blog posting. “A reader skimming the headline, ‘Hackers Steal Data from Pharmaceutical Firms’ could be forgiven for assuming that the article tells the story of a government-backed group in pursuit of new drug innovations. However, in a campaign FireEye is uncovering today, this headline tells another story.”
The other story is that FIN4 is targeting “the emails of C-level executives, legal counsel, regulatory, risk, and compliance personnel, and other individuals who would regularly discuss confidential, market-moving information,” FireEye reports. “FIN4 has targeted over 100 companies since at least mid-2013. All of the targeted organizations are either public companies or advisory firms that provide services to public companies (such as investor relations, legal, and investment banking firms).”
More than two-thirds of the targeted organizations are healthcare and pharmaceutical companies, FireEye officials say. “FIN4 probably focuses on these types of organizations because their stocks can move dramatically in response to news of clinical trial results, regulatory decisions, or safety and legal issues.”
FireEye declines to explain how it has gathered information about FIN4, citing confidentiality. “We’ve been able to characterize FIN4’s activity via our incident response engagements, FIN4’s attempts to compromise our managed service clients, our product detection data, and further independent research,” FireEye officials say.
“Our visibility into FIN4’s activities is limited to its network operations,” FireEye adds. “We can only surmise how they may be using and potentially benefitting from the valuable information they are able to obtain. However, one fact remains clear: access to insider information that could significantly impact stock prices for dozens of publicly traded companies surely puts FIN4 at a considerable trading advantage.”
FireEye does have a sense of how FIN4 works: the group targets multiple parties involved in a business deal, including law firms, consultants, and public companies. “In one instance, FIN4 appeared to leverage its previously-acquired access to email accounts at an advisory firm (‘Advisory Firm A’) to collect data during a potential acquisition of one of Advisory Firm A’s clients (‘Public Company A’),” according to FireEye’s report “Hacking the Street? FIN4 Likely Playing the Market.”
“FIN4 proceeded to send a spearphishing email from a compromised account at Advisory Firm A to another advisory firm (‘Advisory Firm B’), who was also representing Public Company A,” FireEye officials say. “FIN4 used a SEC filing document as a lure. After news of the possible acquisition was made public, Public Company A’s stock price varied significantly. It is likely that FIN4 used the inside information they had to capitalize on these stock fluctuations.”
The FireEye report concludes that while FIN4’s approach is not new, “the scale of FIN4’s operations, with targets at more than 100 public companies, coupled with their tactic of going after key individuals’ emails, sets this group apart.” FireEye acknowledges that it does not know for certain what happens after FIN4 accesses insider information. “What we can say is that FIN4’s network activities must reap enough benefit to make these operations worth supporting for over a year — and in fact, FIN4 continues to compromise new victims as we finish this report.”
The full report can be accessed via this shortened link: http://bit.ly/1v5IRkk