Anti-Money Laundering (AML) , Compliance , Fraud

Feds Charge 9 with $30M Insider Trading, Hacking Scheme

Hackers Allegedly Stole Press Releases from Major Newswires
Feds Charge 9 with $30M Insider Trading, Hacking Scheme

The U.S. Department of Justice on Aug. 11 announced that charges have been filed against nine people who are suspected of running an international insider-trading and hacking scheme. The U.S. Securities and Exchange Commission, meanwhile, also unsealed a civil complaint charging the nine indicted defendants - and several other individuals and organizations - with related crimes.

See Also: Creating a User-Centric Authentication and Identity Platform for the Healthcare Industry

Authorities have accused the suspects of stealing 150,000 confidential press releases before they were to be published, and then using the information contained in about 800 of those releases for insider trading purposes, earning themselves $30 million "in illicit trading profits."

"The defendants were a well-organized group that allegedly robbed the newswire companies and their clients and cheated the securities markets and the investing public by engaging in an unprecedented hacking and trading scheme," says U.S. Attorney Paul J. Fishman. "The defendants launched a series of sophisticated and relentless cyber attacks against three major newswire companies, stole highly confidential information and used to enrich themselves at the expense of public companies and their shareholders."

Tom Kellermann, chief cybersecurity officer of threat-intelligence firm Trend Micro, says that while it's not likely the true masterminds behind this hacking and trading scheme will ever be brought to justice, it is refreshing to see law enforcement indict people who are believed to be conducting attacks that compromise market trading.

"These attacks are not new. This is a crew that's likely been targeting this kind of information for some time," Kellermann says. "The financial recession gave the cyber-underground clues into how they could make real money. It's all based on timely market-based information. You can make billions with access to this kind of information, versus the millions they've made in the wire fraud and account takeover incidents we saw in the past."

In fact, Kellermann says hackers, especially in sophisticated Russian-speaking forums, have been targeting market and securities information for quite some time.

"Sophisticated hacker forums are trying to facilitate true market manipulations, either by shorting stocks or breaching organizations they know will have to report the breach so that their stock prices are hurt," he says.

In this most recent case federal law enforcement is pursuing, insider trading was the focus, and hackers are increasingly waging attacks against law firms and public relations firms to get at this kind of information before it is made public, Kellermann adds.

"This story is about PR firms receiving corporate information under embargo, and that means that more than just one organization's strategic moves in market were compromised," he says. "The lesson here is that if you're a major corporation, you have to look at your information supply chain - your PR firm and your general counsel - and evaluate the security those entities have in place to defend against this type of attack."

Compromising Embargoed Trading Details

The attack campaign began in February 2010 and ran until August 2015, authorities say. The information stolen by the attacker allegedly related to numerous publicly traded companies, including Allstate Corp., Bank of America Corp., Delta Airlines, Domino's Pizza, Inc., Dreamworks Animation, Ford Motor Co., Hewlett Packard, Home Depot, Northrop Grumman, and Verisign, amongst many others.

A 23-count indictment unsealed August 11 in Newark federal court charges five defendants - Ivan Turchynov, 27, Oleksandr Ieremenko, 24, and Pavel Dubovoy, 32 - all of Ukraine; and Arkadiy Dubovoy, 51, and Igor Dubovoy, 28, of Alpharetta, Ga. - with wire fraud, securities fraud, and conspiracy to commit money laundering, amongst other charges. Turchynov and Ieremenko were also charged with computer fraud, conspiracy to commit computer fraud, and aggravated identity theft.

A separate indictment, unsealed the same day in Brooklyn federal court, charges four defendants - Vitaly Korchevsky, 50, of Glen Mills, Penn.; Vladislav Khalupsky, 45, of Brooklyn, New York and Odessa, Ukraine; Leonid Momotok, 47, of Suwanee, Ga; and Alexander Garkusha, 47, of Cummings and Alpharetta, Ga. - with wire fraud, securities fraud and conspiracy to commit money laundering, amongst other charges.

The Georgia-based defendants were all arrested at their respective homes on Aug. 11, and were scheduled to appear in Atlanta federal court the same day. Korchevsky, meanwhile, was arrested at his home in Pennsylvania, and due to appear in federal court in Philadelphia the same day. Turchynov, Ieremenko, Khalupsky and Pavel Dubovoy remain in Ukraine, although international arrest warrants were issued Aug. 11 for their arrests (see FBI Hacker Hunt Goes 'Wild West').

The attackers, according to court documents, hacked into three newswire and press-release services: Business Wire, based in San Francisco; Marketwired L.P. in Toronto; and PR Newswire Association LLC, a.k.a. "PRN," in New York. "The press releases typically contained material nonpublic information concerning, among other things, the issuers' financial performance, quarterly earnings, year-end earnings, and potential mergers or acquisitions involving the issuers," the Newark indictment reads. "As a result, maintaining the confidentiality of this information prior to its public release was critical to the operations of the victim newswires and to the issuers."

Information Security Media Group asked all three businesses if they had discovered related intrusions themselves, and what steps they have taken since to bolster their information-security defenses. "We found and fixed the issue at the heart of this matter and we are confident that Marketwired is protected by world-class security, monitoring and prevention practices," a Marketwired spokesman tells Information Security Media Group.

Both Business Wire and PRN, however, declined to comment on ISMG's questions, saying instead - as did Marketwired - that they had cooperated with the government's investigation. "Security is our number one concern at Business Wire," Cathy Baron Tamraz, the CEO of Business Wire, says in a statement released via her service. "We devote substantial resources annually to security, including multiple security audits by leading industry consultants."

"As cybersecurity threats continue to evolve, so will our information security practices," says Robert Gray, CEO of PRN.

Attack Techniques

According to court documents, the attackers employed the following attack techniques to hack into the press-release services:

  • PRN: Hacked into PRN's computer servers on multiple occasions - at least one time, using malware - in an apparent cat-and-mouse game with the company's IT staff, who appeared to have detected each fresh wave of attacks and moved to block them, but not before the attackers had successfully stolen press releases.
  • Business Wire: Hacked into Business Wire's network, placed malware on the network, stole more than 200 employees' usernames and hashed passwords, as well as brute-force-guessed access credentials for about 15 employees.
  • Marketwired: The attackers gained access to Marketwired's networks by using SQL injection attacks and then establishing remote access to the network.

The alleged attack campaign is notable in part because it profited from Wall Street, without having to hack directly into heavily secured trading networks. Unlike many attacks today, furthermore, the alleged attacks did not rely on stealing large amounts of personally identifiable information that might be used to commit fraud or identity theft.

"When we think of hackers who try to profit from their crimes, we usually think about people who steal bank account information or sell sensitive personally identifying information," Matthew L. Schwartz, a lawyer at Boies, Schiller & Flexner - and a former digital crimes prosecutor in Manhattan - tells The New York Times. "The reality, as exemplified by today's charges, is that hackers can obtain access to all sorts of valuable information and can and will profit off of it in every way imaginable."

Authorities say that as part of the investigation, they have seized 17 bank and brokerage accounts containing more than $6.5 million in alleged criminal proceeds, and that they believe that the defendants may have used stolen profits to purchase at least 12 properties, including Pennsylvania shopping center, a Georgia apartment building, as well as a houseboat, collectively worth more than $5.5 million.

Executive Editor Tracy Kitten contributed to this story.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.




Around the Network