After hacking their way into the networks of seven law firms and siphoning out data that was used in making US$4 million (£3.3 million) profit in trades, three Chinese men were hit with charges and one was arrested.
On Tuesday, Preet Bharara, the US Attorney for the Southern District of New York, and William F. Sweeney Jr., the assistant director-in-charge of the New York Field Office of the Federal Bureau of Investigation (FBI), announced the arrest of Iat Hong and the unsealing of a 13-count superseding indictment charging Hong, Bo Zheng and Chin Hung with "devising and carrying out a scheme to enrich themselves by obtaining and trading on material, nonpublic information (“Inside Information”), exfiltrated from the networks and servers of multiple prominent US-based international law firms with offices in New York."
The charges accuse the men of using "unlawfully obtained credentials" of law firm employees to hack into at least seven law firms engaged in a number of prominent merger and acquisition deals. Once they penetrated the firms' email systems, the men allegedly targeted accounts of leading partners at the law firms engaged in high-profile M&A transactions, such as deals involving the drug maker Intermune, Intel and business services company Pitney Bowes.
In one case outlined in the indictment, the men are said to have – over the course of at least eight days – purloined more than 40 gigabytes of confidential data from one of the victim firms.
Hong allegedly purchased 8,500 shares of Intermune on 13 August 2014 and an additional 9,500 shares a week later, once he had an inside track on an impending sale of the company, ultimately to Germany-based Roche AG. Intermune's stock price rose 40 percent in the sale.
In another of their schemes, the defendants are accused of purchasing more than 210,000 shares of Altera stock, once they gained insider information on its impending sale to Intel. Altera's stock price rose around 26 percent at the time of the merger, netting the defendants a profit of $1.4 million (£1.1 million).
The trio also allegedly earned $840,000 (£686,500) from stock sales after using stolen information to trade on shares of Borderfree, an online commerce site purchased by Pitney Bowes.
But their efforts were not confined to the seven law firms named in the indictment. Between March and September 2015, the men also are accused of attempting to hack into five other law firms using tactics similar to ones they used to successfully break into the seven victim law firms. They are said to have made more than 100,000 attempts to penetrate the networks and servers.
The indictment further stated that the men worked at a start-up robotics company founded by Zheng. The defendants are also accused of hacking into two competitor robotics firms and stealing "detailed and confidential proprietary design schematics" of consumer robotic products.
Hong, 26, and Hung, 50, are residents of Macau. Zheng, 30, is a resident of Changsha, China. Charges included in the 13-count indictment are: conspiracy to commit securities fraud: insider trading; conspiracy to commit wire fraud; computer intrusion – unlawful access; and computer intrusion – intentional damage. Hong was taken into custody on 25 December in Hong Kong and faces extradition.
"This case of cyber meets securities fraud should serve as a wake-up call for law firms around the world: You are and will be targets of cyber hacking, because you have information valuable to would-be criminals," Bharara said in a statement.
Along with the criminal charges brought against the three men, in a parallel action, a complaint filed by the Securities and Exchange Commission (SEC) charges the three men with violating the anti-fraud provisions of the federal securities laws and related rules.
The SEC complaint charges the men with "installing malware on the law firms' networks, compromising accounts that enabled access to all email accounts at the firms, and copying and transmitting dozens of gigabytes of emails to remote internet locations."
In the complaint, the SEC seeks a final judgment ordering the trio "to pay penalties and disgorge ill-gotten gains plus interest and permanently enjoining them from violating the federal securities laws."
“As we allege, the defendants' ‘hacking to trade’ scheme involved numerous levels of deception as they gained broad access to the nonpublic networks of two law firms, stole confidential information and then used it for substantial personal gain,” Antonia Chion, associate director of the SEC's Division of Enforcement, said in a statement. “This action marks the end of their alleged deception and serves as a stark reminder to companies and firms that your networks can be vulnerable targets.”
The SEC continues its investigation along with the US Attorney's Office for the Southern District of New York, the FBI, Hong Kong Securities and Futures Commission, and Financial Industry Regulatory Authority.
"The news today that three Chinese nationals hacked M&A law firms and profited from stolen data is sounding very loud alarm bells," Greg Reber, CEO at AsTech Consulting, a San Francisco-based security consulting company, told SC Media on Wednesday.
Reber believes the law firms attacked included Weil, Gotshal & Manges and Cravath, Swaine & Moore, as these two firms represent Wall Street banks and Fortune 500 companies, including those involved in the accused's stock schemes.
"The bad news that should be shouted from every rooftop garden on top of buildings inhabited by expensive M&A law firms is this: This is not the first time these firms have been breached," Reber said. "Earlier this year, Cravath told the Wall Street Journal that an incident involved a 'limited breach' of its systems and that the firm was 'not aware that any of the information that may have been accessed has been used improperly.' They were wrong."
Law firms that believe they are protected by disclaimers at the bottom of emails should take note, he added. "Hackers simply don't care about contracts."