Up to 32 stock traders and hackers are alleged to have infiltrated the computer servers of PRNewswire Association LLC, Marketwired and Business Wire, a unit of Warren Buffett's Berkshire Hathaway Inc, over a five-year period and used the early access to 150,000 news releases on mergers, acquisitions and financial results to trade prior to the information being made public.
Five traders involved have been arrested in morning raids in Georgia and Pennsylvania while four others indicted on hacking and securities fraud charges remain at large.
Prosecutors in Brooklyn and New Jersey accused the traders of accessing data processed by financial wires to buy and sell company shares in a scam that netted the nine men some US$ 30 million (£20 million). A wider lawsuit by the Securities and Exchange Commission listed more than two dozen individuals and companies as defendants in what was described as the largest fraud of its kind ever prosecuted which had earned US$100 million (£64 million) in illegal profits.
Among the defendants is US trader Vitaly Korchevsky from Philadelphia who previously ran a mutual fund and worked on Wall Street before starting his own hedge fund. Named in the 23-count New Jersey indictment are Ivan Turchynov, Oleksandr Ieremenko, Arkadiy Dubovoy, Igor Dubovoy and Pavel Dubovoy.
Bloomberg reports that the suspected hackers are thought to be in Ukraine, and says that the illegally obtained information was sent to associates in America and Ukraine to buy and sell shares in companies. It is not known if there is any connection with a similar operation by a sophisticated hacking group dubbed “FIN4” which FireEye reported had tried to hack into email accounts at more than 100 companies, looking for confidential information on mergers and other market-moving events since mid-2013.
More than 100 companies were targeted in the latest action, including Panera Bread Co, Boeing Co, Hewlett-Packard Co, Caterpillar Inc and Oracle Corp, with “approximately 1,000 inside the window trades through retail brokerage accounts.” Money was then shifted offshore through Estonian banks, according to one of two federal indictments unsealed Tuesday.
An example of their activity was making a $1m profit in early 2012 when Caterpillar submitted news of a 36 percent profit hike to PRNewswire . During the 24 hours that the information sat in the wire's server the hackers bought $8.3 million in Caterpillar stock and options which rose 2 percent from $109.05 to $111.31 that day.
Acting Brooklyn US Attorney Kelly Currie announced the charges at a press conference in Newark, New Jersey yesterday saying: “Today's international case is unprecedented in terms of the scope of the hacking at issue, the number of traders involved and the number of securities and the amount of illegal profit.”
In an email to SCMagazineUK.com Matt Middleton-Leal, regional director, UK & I at CyberArk added: “While details of these breaches are emerging, it seems that attackers were able to access and take full control of the press release services' websites via privileged or administrative accounts. It's often said you're only as secure as your weakest link, and this is yet another example of how third parties can be used by attackers to infiltrate a target organisation for financial gain.
“The fact is that the exploitation of privileged accounts has been found to be the primary attack vector in almost 100 percent of cyber-attacks and data breaches in recent years. These access points provide the most far reaching access to a corporate network and the most sensitive information held within, which, in the case of this latest attack, is highly sensitive financial information prior to public release.
“With high-profile corporate network takeovers becoming more commonplace, it's time for organisations to re-assess security programmes by adopting the mind-set that the attacker is already inside. Ensuring that the privileged access granted to staff and third party contractors is tightly managed and monitored in real-time, with the option to detect and immediately terminate a suspicious session is vital to containing risk and limiting damage.”
Other experts emailed SC to note how sophisticated phishing attacks with excellent use of English and knowledge of financial markets were used and considered what might be done to thwart these attacks. Wieland Alge, VM & GM EMEA at Barrcuda Networks, said: "In today's digital age, data breaches that result from targeted email phishing have become increasingly common and sophisticated. Typically these messages appear to come from a well-known, trustworthy web site so initially those that have been the target of an attack, don't even realise they've fallen victim. There is, however, an even easier channel to attack - HR departments. They are typically flooded by unsolicited applications containing all types of attachments and they are encouraged and even obliged to open them. It is a must for IT security to implement countermeasures against targeted attacks using that channel.
"Wire firms are obvious targets for cyber-criminals and the fact of the matter is that these companies store large amounts of sensitive – and valuable - data. However, at the end of the day all businesses have a duty of care to ensure that they have robust security systems in place to protect their own and their customers' data. If they fail to do so they are rolling the dice when it comes to their reputation, share value and ultimately long-term survival."
Ryan Barrett, VP of security and privacy at Intermedia, responded in an email to SCMagazineUK.com noting how employee simulation exercises can help prevent staff falling victim. He told SC: “Phishing based cyber-attacks are frequently successful because they rely on human error; whether it's ignoring an alert to install the latest software update, or being careless when clicking on links. Having good online hygiene — as shown by Marketwired's employees successfully identifying the phishing attempt and preventing the intrusion — mitigates a company's threat surface area.
"Hackers are putting in the man-hours to make these attacks more successful; businesses need to be doing the same to strengthen their security.
- Staging simulated phishing attacks on your employees, before the attackers do, leads to well trained employees who are better equipped to spot phishing attacks and thwart them.
- Businesses should register as many domains as they reasonably can that contain permutations of their actual domain. This helps to thwart would be spear phishers, because you've removed one of their core tools. It's inexpensive and can be very effective.
- Additionally, these domains can be used to “phish” their own employees as an additional training method.
"An additional test is to leave non-company branded USB flash drives around the office and see who plugs them in to their laptops. Load the drive with a simple word document explaining how the device he or she just plugged into the laptop could have infected their machine (and likely the company's network). The goal isn't to chastise employees, but show them how quickly a simple misstep can quickly put them at risk. In fact, the ones who turn in the USB drive without plugging it in, should be rewarded."