Fraud Management & Cybercrime

Insider Trading Hack: 5 Takeaways

Stealing Insider Information Is Easier Than Hacking
Insider Trading Hack: 5 Takeaways

When it comes to "hacking" the stock market, attackers' exploit of choice may not be to attack stock-exchanges' trading systems directly, but rather to steal information and use it for insider-trading purposes.

See Also: Insider Insights for the PCI DSS 4.0 Transition

That is one of the top takeaways from the Aug. 11 announcement that the U.S. Department of Justice has charged nine men with stealing confidential press releases - before they were due to be publicly released - from three wire services, and using the information contained therein to make stock market bets that led to at least $30 million in illicit profits (see Feds Charge Nine with $30M Insider Trading, Hacking Scheme). The alleged scheme ran from around February 2010 until earlier this month.

The U.S. Securities and Exchange Commission, which calculates the related damages differently, says the scheme resulted in more than $100 million in illegal profit over a five-year period. In a related lawsuit that seeks civil penalties, the SEC has charged 17 people located in the United States as well as Ukraine and Russia, as well as 15 corporate entities. The SEC says it is seeking civil penalties against traders in Cyprus, France, Malta and Russia, and that it has already obtained related, court-ordered asset freezes.

Here are five takeaways from the case for any organization that stores confidential or sensitive information:

1. Criminals Can Play The Long Game

Prosecutors say that the insider-trading ring involved four computer hackers who were mostly based in Ukraine - international warrants have now been issued for their arrest - as well as five traders based in Georgia, New York and Pennsylvania, who were arrested on Aug. 11.

"This case illustrates how cyber criminals and those who commit securities fraud are evolving and becoming more sophisticated," New Jersey U.S. Attorney Paul Fishman said at an Aug. 11 news conference, Reuters reports. "The hackers were relentless and they were patient."

Prosecutors say the Ukraine-based hackers would receive "shopping lists" of press releases from the traders, and then hack into newswire servers in search of that information. But none of the trader suspects had a background on Wall Street, except for Vitaly Korchevsky, 49, a former Morgan Stanley vice president who later ran a hedge fund, and who is allegedly responsible for $17 million of the profits gained by the insider-trading scheme, The Wall Street Journal reports. U.S. Attorney Kelly Currie said Aug. 11 that a court order had resulted in $5.4 million being seized from trading accounts owned by Korchevsky.

In total, the gang allegedly stole 150,000 press releases, although only acted on information contained in about 800 of those releases, the SEC's civil suit alleges. "The trader defendants had an unfair trading advantage over other market participants because they knew the content of the press releases before that information was publicly announced."

Of course, any industry would be at risk from similar attacks, if confidential information - and not just personally identifiable information - could potentially be turned into a financial gain, says attorney Joseph M. Burton, a partner at Duane Morris LLP. "The case should be seen as an object lesson for individuals and entities, in particular the securities industry - as well as the financial services and legal industries - regarding the real value of their digital information."

And Burton expects to see more cases like this one. "As you can see, the rewards are great - as are the risks," he says. "This is a function and reflection of the growing value of many forms of digital information. From a cybersecurity perspective, everything and everyone's focus should not just be on PII."

2. Breached Newswires: No Charges Filed

Authorities say the three hacked newswire services - Business Wire, Marketwired and PR Newswire - from which 150,000 press releases were allegedly stolen face no charges as part of this case. Rather, U.S. Attorney Fishman says they provided "fabulous cooperation" with the government's probe.

But multiple security experts have questioned whether the firms' security defenses were sufficiently robust, noting that the insider-trading ring's attacks do not appear to have qualified as either advanced or sophisticated. In fact, according to court documents, the attackers appeared to employ a mixture of phishing attacks and SQL injection attacks, plus brute-force password guessing, stealing usernames and hashed passwords for offline cracking, as well as installing malware on breached servers to maintain persistent, remote access.

"The lesson here is that if you're a major corporation, you have to look at your information supply chain - your PR firm and your general counsel - and evaluate the security those entities have in place to defend against this type of attack," says Tom Kellermann, chief cybersecurity officer of threat-intelligence firm Trend Micro.

3. Remember NASDAQ's Directors Desk?

This newswire service hacking campaign is not the first time that attackers have attempted to steal insider information. In a 2005 civil case, the SEC charged an Estonian financial services firm with stealing 360 confidential press releases from 200 U.S. companies via the website of Business Wire, and using the information to gather at least $7.8 million in illegal profits, The Wall Street Journal reports.

In 2011, meanwhile, NASDAQ warned that it had detected malicious files in its Directors Desk network, used by 230 companies' board members to exchange confidential information. But NASDAQ noted that its investigation found no signs that customer information or its trading platforms had been compromised.

In 2014, former Rep. Mike Rogers, R-Mich., then the House Intelligence Committee Chairman, claimed that based on classified intelligence, that hack had been state-sponsored, although security experts strongly questioned that assertion (see Nasdaq Hack Attribution Questioned).

But this new insider-trading hacking scheme suggests that past attacks attributed to state-sponsored Russian actors - as many financial services attacks have been - may in fact have been the work of technologically savvy criminals in Eastern Europe executing "hacks for hire" on behalf of U.S.-based clients.

4. Frontal Attack: Why Bother?

Where trading networks are concerned, banks and regulators have long voiced fears that trading systems themselves might be infiltrated, allowing hackers to not just steal millions, but hide their tracks. The newswire service hacks, however, demonstrate that attempting to infiltrate what are theoretically quite well-hardened and monitored systems is not necessary, when quieter - call them side-channel - methods exist to get data that attackers can then act upon in a legal-seeming manner.

There are numerous potential ways to steal this information - and many of them are not at all technologically sophisticated. Security expert Ryan Lackey, a product engineer at distributed denial-of-service defense firm CloudFlare, tells Information Security Media Group that when he's conducted "thought experiments" about how to best "hack" the stock market, press releases were the obvious, number-one target. Next would be law firms that handle mergers and acquisitions, and hacking into the actual printers that might have been used to print out related records. "Also hacking some PR staff person or secretary, of course, vs. the principal," could be used to trawl for data that might be useful for insider trading, Lackey adds.

5. Attackers May Move Quickly

The hackers and traders allegedly involved in this scheme could move quickly when required. Over a total of just 15 days of trading, notably, authorities say the ring amassed $5.7 million in profits.

For example on May 1, 2013, the hackers and traders exploited a 36-minute window between an unnamed company sending a press release to a newswire service saying that it was revising down its earnings forecast, and the press release being publicly released, the SEC's complaint says. "Ten minutes after the company sent the still-confidential release to the newswire, traders began selling short its stock and selling CFDs [contracts for difference], realizing $511,000 in profits when the company's stock price fell following the announcement."

If attackers moved quickly during the course of the alleged five-year campaign, the same does not appear to have been true of investigators, even though they appear to have singled out Turchynov early on. One of the indictments in the case says that in November 2012, authorities were able to seize one of his laptops, from which they recovered multiple suspiciously obtained press releases. The indictment also includes emails and chat messages attributed to Turchynov, although the source of those communications was not revealed.

But the alleged traders' earnings apparently helped lead to their undoing. Andrew Ceresney, director of the SEC's Division of Enforcement, says that the scheme was found thanks to "our use of innovative analytical tools to find suspicious trading patterns," despite the criminal campaign qualifying as "one of the most intricate and sophisticated trading rings that we have ever seen."

Executive Editor Tracy Kitten contributed to this story.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.