The hackers are most interested in information on product development, M&A strategies, legal issues, and the purchasing processes of the targeted companies.
The targeting also extends to the type of business: more than two-thirds (68 percent) of victims operate in the healthcare and pharmaceutical sectors, something FireEye puts down to stocks that can change 'dramatically in response to news of clinical trial results, regulatory decisions or safety and legal issues.'
Interestingly, the San Francisco-based firm notes that, unlike most other threat actors that use complex and multi-layered Advanced Persistent Threat (APT) attacks, FIN4 relies solely on sophisticated social engineering campaigns to compromise victims and capture email usernames and passwords.
FireEye says that the phishing messages 'appear to be written by native English speakers' who are also 'familiar with investment terminology and the inner workings of public companies'. A typical phishing email voices normal investor and shareholder concerns, which is enough to convince the victim to open a 'weaponised' document and enter their credentials.
FireEye says that the threat actor has largely managed to evade traditional detection, for example by using Tor for communications and by deleting victim emails containing the words 'hacked', 'phish' or 'malware'.
On the origin of the hackers, security researchers believe that FIN4 is based either in the US or Western Europe, given its strong command of English, its grasp of regulatory and compliance requirements, and its industry knowledge.
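The email-deletion behaviour described above is something a defender can look for directly: a mailbox rule that silently deletes or forwards any message mentioning 'hacked', 'phish' or 'malware' is a strong indicator that an account is being used to suppress warnings. The following is an added example, not code from the article or from FireEye's report. It audits a list of inbox-rule records in a constructed, generic shape (name, owner, conditions, actions) that is an assumption here and does not correspond to any particular mail platform's export format.

```python
"""Audit mailbox inbox rules for keyword-driven suppression of warnings.

Added example for illustration only; the rule records and their field
names are constructed and are not a real mail platform's export format.
"""
from dataclasses import dataclass

# Keywords the article reports FIN4 used to select victim emails for deletion.
SUSPECT_KEYWORDS = {"hacked", "phish", "malware"}

# Actions that hide a matching message from the user or leak it elsewhere.
# Moving mail to a visible folder is not treated as suppression.
SUPPRESSING_ACTIONS = {"delete", "move_to_deleted", "mark_read_and_move", "forward"}


@dataclass
class Finding:
    rule_name: str
    owner: str
    matched_keywords: list
    actions: list
    severity: str


def _keywords_in(fragments):
    """Return the suspect keywords found in any condition string.

    Substring matching is deliberate so that 'phishing' or 'Phish' still
    match the stem 'phish'.
    """
    hits = set()
    for frag in fragments:
        low = frag.lower()
        for kw in SUSPECT_KEYWORDS:
            if kw in low:
                hits.add(kw)
    return hits


def audit_rules(rules):
    """Flag rules that combine a security keyword with a suppressing action.

    An enabled rule is rated 'high'; a disabled one still warrants review
    and is rated 'medium', since it may simply be switched on later.
    """
    findings = []
    for rule in rules:
        fragments = rule.get("conditions", {}).get("subject_or_body_contains", [])
        hits = sorted(_keywords_in(fragments))
        actions = sorted(a for a in rule.get("actions", []) if a in SUPPRESSING_ACTIONS)
        if hits and actions:
            severity = "high" if rule.get("enabled", True) else "medium"
            findings.append(
                Finding(rule.get("name", "?"), rule.get("owner", "?"), hits, actions, severity)
            )
    return findings


# Constructed sample rules: two are suspicious, two are ordinary housekeeping.
SAMPLE_RULES = [
    {"name": "Newsletter cleanup", "owner": "cfo@example.com", "enabled": True,
     "conditions": {"subject_or_body_contains": ["unsubscribe", "weekly digest"]},
     "actions": ["move_to_folder:Newsletters"]},
    {"name": "Sync", "owner": "counsel@example.com", "enabled": True,
     "conditions": {"subject_or_body_contains": ["hacked", "phishing", "malware"]},
     "actions": ["mark_read_and_move", "delete"]},
    {"name": "Old rule", "owner": "ir@example.com", "enabled": False,
     "conditions": {"subject_or_body_contains": ["Phish"]},
     "actions": ["delete"]},
    {"name": "Legit IT alert", "owner": "it@example.com", "enabled": True,
     "conditions": {"subject_or_body_contains": ["malware alert"]},
     "actions": ["move_to_folder:Security"]},
]


if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES):
        print(f"[{f.severity}] {f.owner}: rule '{f.rule_name}' "
              f"matches {f.matched_keywords} and performs {f.actions}")
```

Run against the constructed rules, the audit reports the 'Sync' rule as high severity and the disabled 'Old rule' as medium, while the 'Legit IT alert' rule is left alone because moving a message to a visible folder does not hide it. In practice the same check would be run over rule exports pulled from the mail platform, and a new finding on an executive's or counsel's mailbox would be escalated together with a review of that account's recent sign-ins.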
"Advanced threat actors conducting attacks to play the stock market to their advantage has long been a worry but never truly seen in action," said Dan McWhorter, VP of threat intelligence at FireEye. "FIN4 is the first time we are seeing a group of very sophisticated attackers actually systematically acquire information that only has true value to a criminal when used in relation to the stock market."
The firm adds that it is difficult to tell at this stage how the group has profited, although the report does state: "One fact remains clear: access to insider information that could make or break stock prices for dozens of publicly traded companies could surely put FIN4 at a considerable trading advantage."
Andrew Rose, CISO and head of cyber-security in the transport sector, told SCMagazineUK.com that financial deals have always been targeted by criminals, and weaponised documents are a common hacker tactic, but said he was surprised by the lack of two-factor authentication.
"I think two-factor authentication is important. Some level of additional authentication, be it fingerprint on an iPad, is needed so you can be certain [the email] is from that person. That's definitely a requirement but we have to work on that and make it usable."
Rose continued that spear phishing will often work in the legal sector, where deal changes are often tweaked and re-sent via email and where 'trust' is essential in brokering a deal. But he warned that people, more generally, are unaware of the dangers after getting hacked.
"A lot of people don't understand the consequences when hacked," he said, citing examples such as a bank issuing a new credit card after a breach and a company fixing a laptop after a virus infection. "No-one is incentivised to take it seriously."
As far as the attack vector is concerned, he said that email sandboxing solutions would be a useful way to contain any weaponised documents.
Meanwhile, Neira Jones, independent advisor and former board of advisors member for the PCI SSC, told SC in an email that risk management is essential for any business holding sensitive materials.
"My advice to organisations remains to manage their risk in a manner that is commensurate to the threats they potentially could face, to remember that security is not just about technology, but also about people and processes, and to have an effective incident response plan that is tested regularly," she said.