Hackers Steal Trading Algorithms
Attacks Aimed at Hedge Funds, Trading Firms
Hackers have been stealing the secret algorithms and tactics used by hedge funds and high-frequency trading firms, according to two security companies.
Such algorithms can be the lifeblood of a financial firm, and are designed to take advantage - often automatically - of infinitesimal price discrepancies in the stock market that may only last for milliseconds.
The security vendor Kroll reports that it has recently investigated three incidents involving hackers stealing such algorithms. "In two of the cases we were able to find the bad guy and stop him before he could share it on the Web," Ernest Hilbert, Kroll's head of cyber investigations for Europe, the Middle East and Africa, tells the Financial Times.
Greg Day, chief technology officer at information security firm FireEye, likewise describes another algorithm-targeting hack attack that his firm's digital forensics investigators recently found. "It was a very targeted attack looking at gaining access to automated trading models," he tells the Financial Times, noting that this is part of a pattern of hackers increasingly executing "targeted attacks going after a high-value return."
By stealing firms' secret algorithms, digital forensics experts say, attackers could attempt to extort the firms into buying them back again, or else risk news of the theft becoming public, which might cause customers to panic. Alternately, in a "hack for hire" situation, an unscrupulous rival might attempt to make use of its competitor's algorithms. "Data is a commodity to be bought, sold, stolen and traded. Financially motivated hackers are always looking to make money and build on the fortunes they have stolen," Hilbert tells Information Security Media Group. "Hacking-for-profit is organized and lucrative. It's not some kid in their mom's basement looking to 'card' something off Amazon. This is organized fraud and financial manipulation."
This isn't the first time that warnings have been sounded over the theft of funds' secret trading algorithms. On Feb. 24, Chinese national Kang Gao pleaded guilty to stealing documents from his former employer, the Manhattan-based international hedge fund firm Two Sigma. According to court documents, Gao's employment contract prohibited him from attempting to access the quantitative trading strategies, trading models and related scientific and marketing materials that he admitted e-mailing to himself. He's due to be sentenced in April.
"Computer source codes and proprietary trading methods are often the lifeblood of a company's business model, and stealing them is a crime," says Manhattan District Attorney Cyrus R. Vance, Jr. "Gao admitted to copying highly confidential material from his employer before heading to China to meet with investors in the company he hoped to launch." But Vance says Gao was stopped "before he was able to do any serious harm."
Targeted Algorithm Attacks: Increasing?
Despite the incidents cited by Kroll and FireEye, however, it's not clear if there's been a surge in algorithm-targeting hacks. "It would not be unrealistic to expect to see an uptick, as we are seeing more attacks focusing on bigger returns, rather than the en-masse crimes," FireEye's Day tells ISMG. But it's also unclear whether attacks have been launched by hackers that want to extort targeted firms, or whether these attacks have been commissioned by firms' rivals.
Either type of attack "is likely to be difficult and rare," John Miller, manager of cybercrime intelligence at threat-intelligence firm iSight Partners, tells ISMG. "The extortion scenario, though, is somewhat more plausible: extortion would probably be much easier than actually using the stolen data for trading."
If an unscrupulous competitor did fund such an attack, however, it would likely be a sophisticated operation, Miller says, and benefit from the hacked firm being unlikely to reveal the intrusion - if discovered - for fear of spooking investors. "That victim - even if it could identify the attack - may not want to reveal the incident externally, to protect the victim's reputation and credibility," he says.
But Day notes that intelligence services could also be behind such attacks. "I'm not aware of any specific examples of blackmail, so I would suggest this most commonly would be espionage-focused," albeit conducted for the purpose of eventual "financial gain," he says.
Better Defenses Needed
Kroll and FireEye declined to provide further information on clients whose algorithms were targeted, citing confidentiality agreements. But Hilbert notes that too many financial services firms still are a "target-rich environment" for hackers, owing to their failure to employ tools and tactics, such as advanced network segmentation or traffic monitoring, that could block attacks outright or detect them quickly.
As a result, attackers don't have to employ sophisticated attacks to breach many firms' networks. "The attack vector is often the easiest route, such as spear phishing with malware attachments," he says.
But he notes that there are some quick-hit, high-impact defenses that firms could quickly and easily put in place to make them a less-attractive hacking target. "Limiting access to IP [intellectual property], monitoring inbound and outbound traffic, regularly changing passwords or using two-factor authentication are all easy steps to increase IP protection," he says.
Hide the 'Secret Sauce'
Targeted algorithm attacks offer a reminder that attackers will target any intellectual property that they think they can sell.
"Not only are trading algorithms at risk, but other information, such as patent status, trade secret information, manufacturing processes and yields ... may not initially seem sensitive, but in the right hands can provide a trader or competitor [with] information that will give them an edge over other groups," says Ken Westin, a senior security analyst at software firm Tripwire. "If there is a buyer for this data, it has value and ... criminal hacker groups will target it."
The risk and challenge associated with "fencing" stolen intellectual property - in digital form - also continues to decrease, Westin says. "Underground markets and bitcoins are helping to establish marketplaces where white collar criminals and hackers can mingle and do business, something we have not seen before at this scale."
As a result, businesses need to get better at protecting their intellectual property. "Everyone has private data they hide away and don't share," Kroll's Hilbert says. "Not everyone needs access to the secret sauce."